Authorization

Whenever we create entities, such as users or roles, we attach policies to them. The policies dictate which AWS resources the entity is authorized to access. There are different kinds of policies, such as user policies, resource policies, and policy boundaries. (We will look at each of them in detail in the Policy section, later on.)

IAM authorizes access to a resource based on the policy. By default, all users (except the root user) are denied access to all resources, so the policy attached to a user has to explicitly allow the user to access a resource. A policy can also explicitly deny access to a resource, in which case the user will not be allowed to access that resource.
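The decision order described above (denied by default, allowed only by an explicit Allow, blocked by any explicit Deny) can be modelled in a few lines. This is an added example, not code from the book or from AWS: the policy, bucket name and `evaluate` function are constructed for illustration, and the model is deliberately simplified to `Action` and `Resource` matching, ignoring conditions, principals, resource policies and boundaries.

```python
from fnmatch import fnmatchcase

# Constructed sample policy in the IAM JSON policy shape (hypothetical bucket).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/payroll/*"},
    ],
}


def _as_list(value):
    # Policy elements may be a single string/object or a list of them.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # Simplification: shell-style wildcards stand in for IAM's * and ?.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue  # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny always wins
            if stmt["Effect"] == "Allow":
                allowed = True  # keep scanning: a later Deny may still apply
    # No matching statement at all means the default applies: denied.
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-reports"
    for action, resource in [("s3:GetObject", bucket + "/q1.csv"),
                             ("s3:GetObject", bucket + "/payroll/jan.csv"),
                             ("s3:PutObject", bucket + "/q1.csv")]:
        print(action, resource, "->", evaluate([SAMPLE_POLICY], action, resource))
```

The three requests in the demo cover the three outcomes: a read that is explicitly allowed, a read under `payroll/` that the Deny statement blocks despite the Allow, and a write that no statement mentions and is therefore denied by default.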
