Identity-based policies

As we stated earlier, identity-based policies are those that are attached to a Principal, such as a user, a group, or a role. The policy is written as a JSON document and is attached to the Principal. Because the Principal is the identity the policy is attached to, an identity-based policy does not carry a Principal element of its own; its statements say which actions the Principal may perform, with which effect (Allow or Deny), and on which resources.

You can use either managed policies or inline policies. A managed policy is a standalone policy object; the same managed policy can be attached to multiple users, groups, or roles in the account, and a change to it applies to every Principal it is attached to. For our ease, AWS has created some standard managed policies. These are available to us, and we can attach them to any Principal that we want. These are called AWS managed policies.

We can also write and manage our own policies. We call this a customer-managed policy. While the AWS managed policies are very generic, the customer-managed policies can be very specific. For example, an AWS managed policy would give us full access to S3 or read-only access to S3, in both cases across every bucket in the account. In some cases, this may be what we require, but in many cases, we would need to control access at the bucket level, which is where least privilege is actually enforced. In such cases, we use our own policies (customer-managed policies) for this purpose. As a customer, we can also create a policy that is directly embedded into a single user, role, or group. We call this an inline policy. An inline policy exists only as part of that one Principal: it cannot be attached to anything else, and it is deleted when the Principal is deleted.
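To make the difference between a generic AWS managed policy and a bucket-scoped customer-managed policy concrete, here is an added example that is not part of the original chapter. It holds two policy documents in the shape IAM expects and runs a simplified evaluator over them. The first document is constructed to resemble an AWS managed S3 read-only policy (it is not copied from AWS); the second is a customer-managed policy scoped to a hypothetical bucket named `example-app-data`. The evaluator implements only the core rule of IAM evaluation (an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied) and ignores Conditions, NotAction/NotResource and resource-based policies, so it illustrates the point rather than replacing the IAM Policy Simulator.

```python
import re

# Constructed for this example: modelled on an AWS managed "S3 read-only" policy.
# It is deliberately generic: any Get*/List* action on any resource in the account.
AWS_MANAGED_S3_READONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
    ],
}

# Customer-managed policy for a hypothetical bucket "example-app-data".
# Read/write is limited to that bucket, and object deletion is explicitly denied.
CUSTOMER_MANAGED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyThisBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-app-data",
        },
        {
            "Sid": "ObjectAccessInThisBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-data/*",
        },
        {
            "Sid": "NeverDeleteObjects",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_to_regex(pattern):
    """IAM wildcards: '*' matches any run of characters, '?' matches one."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def _matches(pattern, value, case_sensitive):
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(_wildcard_to_regex(pattern), value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation of one identity-based policy.

    Explicit Deny overrides everything; otherwise any matching Allow grants the
    request; with no match at all the request is implicitly denied. Action names
    are matched case-insensitively, resource ARNs case-sensitively, as in IAM.
    Conditions, NotAction/NotResource and resource-based policies are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-app-data/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
        ("s3:PutObject", "arn:aws:s3:::example-app-data/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-app-data/report.csv"),
    ]
    for action, resource in requests:
        print(f"{action:16} {resource:48} "
              f"managed={is_allowed(AWS_MANAGED_S3_READONLY, action, resource)!s:5} "
              f"customer={is_allowed(CUSTOMER_MANAGED_BUCKET_POLICY, action, resource)}")
```

Running it shows the trade-off the text describes: the managed policy lets the Principal read objects in any bucket, including ones it has no business touching, while the customer-managed policy confines reads and writes to `example-app-data` and blocks deletes even if some other attached Allow would grant them. When you write such a policy for real, verify it with the IAM Policy Simulator rather than a home-grown evaluator, because Conditions and resource-based policies change the outcome.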
