You already know that policies are the documents that define permissions in AWS. But there are two ways to apply them, depending on where you attach them: to an identity or to a resource. Understanding the difference will help you read and write permissions correctly, and solve the classic mystery of “why isn’t this permission working?”
Anatomy of a Policy (Quick Review)
An IAM policy is a JSON document. Its central piece is the statement, which answers:
- Effect:
Allow(permit) orDeny(deny). - Action: what can be done (
s3:GetObject= read S3 objects). - Resource: on which resource (identified by its ARN, the unique identifier of any resource in AWS).
This policy says: “Allow the action read objects on the objects in the informes-2026 bucket.” Don’t worry about memorizing the syntax; the important thing is to understand the concept.
The Two Ways to Apply Permissions
Identity-based Policies
They are attached to an identity: a user, a group, or a role. They answer the question:
“What can THIS identity do?”
Example: You attach a policy to the user María that says “she can read from the
informes-2026bucket.” The permission travels with María: wherever she acts, she can read that bucket.
This is the most common way. When you grant permissions to your users and roles, you normally use identity-based policies.
Resource-based Policies
They are attached to the resource itself: an S3 bucket, an SQS queue, a Lambda function… They answer the question:
“Who can access THIS resource?”
Example: You attach a policy to the
informes-2026bucket that says “the partner company’s account can read my objects.” The permission travels with the bucket: it defines who can enter it.
You already saw an example in Chapter 5: S3 bucket policies are resource-based policies.
The Analogy That Makes It Clear
Building Analogy:
- An identity-based policy is like what your employee card can open. You carry it with you; it defines which doors you can enter.
- A resource-based policy is like the list of authorized people posted on the door of a specific room. It defines who can enter that particular room.
Sometimes, to enter a room, both must match: your card must allow you to open that door and your name must be on the room’s list.
When Is Each Used?
| Situation | Type of Policy |
|---|---|
| Granting permissions to your own users/roles | Identity-based (the usual) |
| Allowing another AWS account to access your resource | Resource-based |
| Controlling who accesses an S3 bucket, SQS queue, Lambda | Resource-based |
| General permissions for a development team | Identity-based (via groups) |
The star case for resource-based policies is cross-account access: when someone from another AWS account needs to access something of yours, the resource-based policy is what allows it, because it applies to the resource regardless of which account the accessor comes from.
How They Combine: The Evaluation Logic
When someone tries to do something, AWS evaluates all applicable policies (identity and resource-based) with these rules, in this order:
- By default, everything is denied. If nothing allows it, it’s denied.
- An explicit
Allowgrants the permission (it can come from the identity or resource policy). - An explicit
DenyALWAYS wins. If any policy says “deny,” it’s denied, even if another says “allow.”
Is there an explicit Deny? ──Yes──► DENIED (always wins)
│ No
▼
Is there an explicit Allow? ──Yes──► ALLOWED
│ No
▼
DENIED (default denial)Mental rule: “Deny beats Allow, and without Allow there is no permission.” This rule solves almost all AWS permission mysteries.
Typical mystery example: “I gave María permission to read the bucket, but she can’t.” Possible causes: there’s an explicit
Denysomewhere (which wins), or the resource policy (bucket) doesn’t include her, or theAllowis missing from her identity. Knowing the evaluation logic, you know where to look.
A Note: Managed vs Inline Policies
To finish, two ways to organize policies (not to be confused with identity/resource):
- Managed: reusable policies you attach to multiple identities. AWS offers many predefined ones (like
AmazonS3ReadOnlyAccess), and you can create your own. Recommended because they’re reusable and easy to maintain. - Inline: policies written directly inside a single identity. Useful for very specific permissions for a single user or role.
What You Should Remember
- A policy defines permissions with Effect (allow/deny), Action (what), and Resource (on what, via ARN).
- Identity-based: attached to a user/group/role → “what can this identity do?” It’s the most common.
- Resource-based: attached to the resource (bucket, queue…) → “who can access this resource?” Key for cross-account access.
- Evaluation logic: everything denied by default, an Allow grants, and an explicit Deny always wins.
- “Deny beats Allow, and without Allow there is no permission” solves most doubts.
In the next subchapter we’ll look at two pillars of access security: multi-factor authentication (MFA) and temporary credentials (STS).
Cloud, AWS & Terraform — From Zero to Expert
Chapter 1 · What is cloud computing
- 1.1 The traditional client-server model
- 1.2 Problems the cloud came to solve
- 1.3 On-premise vs cloud vs hybrid
- 1.4 The three service models: IaaS, PaaS, SaaS
- 1.5 The five pillars of cloud (according to NIST)
- 1.6 Real advantages: elasticity, pay-as-you-go, global availability
Chapter 2 · The cloud market and major providers
- 2.1 AWS, Azure and GCP: differences and market share
- 2.2 Why learn AWS first
- 2.3 Concepts that are universal among providers
Chapter 3 · Regions, availability zones and edge
- 3.1 What is an AWS region and how to choose it
- 3.2 Availability Zones: high availability by design
- 3.3 Edge locations and CloudFront
- 3.4 Latency, resilience and data sovereignty
Chapter 4 · Compute: EC2
- 4.1 Instances: types, families and when to choose each
- 4.2 AMIs, key pairs and Security Groups
- 4.3 Instance lifecycle
- 4.4 Elastic IPs and Placement Groups
- 4.5 Savings Plans vs Reserved vs On-Demand vs Spot
Chapter 5 · Storage: S3
- 5.1 Buckets, objects and keys
- 5.2 Storage classes (Standard, IA, Glacier…)
- 5.3 Versioning and object lifecycle
- 5.4 Bucket policies and ACLs
- 5.5 Static website hosting
Chapter 6 · Networking: VPC
- 6.1 What is a VPC and why you need it
- 6.2 Public and private subnets
- 6.3 Internet Gateway and NAT Gateway
- 6.4 Route Tables and Network ACLs
- 6.5 VPC Peering and endpoints
Chapter 7 · Identity and access: IAM
- 7.1 Users, groups, roles and policies
- 7.2 The principle of least privilege
- 7.3 Identity-based vs resource-based policies
- 7.4 MFA and temporary credentials (STS)
- 7.5 IAM security best practices
Chapter 8 · Managed databases
- 8.1 RDS: engines, Multi-AZ and read replicas
- 8.2 Aurora and its advantages over vanilla RDS
- 8.3 DynamoDB: key-value / document model
- 8.4 ElastiCache for in-memory cache
- 8.5 When to use each type of database
Chapter 9 · Why Infrastructure as Code
- 9.1 Problems with manual provisioning
- 9.2 Declarative vs imperative IaC
- 9.3 Terraform vs CloudFormation vs Pulumi vs CDK
- 9.4 The plan → apply → destroy cycle
Chapter 10 · HCL: the Terraform language
- 10.1 Resource, variable, output, locals blocks
- 10.2 Data types: string, number, bool, list, map, object
- 10.3 Expressions, references and built-in functions
- 10.4 Conditionals and loops (count, for_each, for)
Chapter 11 · Providers and state
- 11.1 How the AWS provider works
- 11.2 The terraform.tfstate file and its importance
- 11.3 Local state vs remote state (S3 + DynamoDB)
- 11.4 Essential commands: init, plan, apply, destroy, fmt, validate
Chapter 12 · Your first real infrastructure in Terraform
- 12.1 Create a VPC with subnets from scratch
- 12.2 Launch a public EC2 instance
- 12.3 Associate a Security Group and an Elastic IP
- 12.4 Outputs and references between resources
- 12.5 Team workflow: PR review of plans
Chapter 13 · Load balancing and auto scaling
- 13.1 Application Load Balancer vs Network Load Balancer
- 13.2 Target Groups, listeners and rules
- 13.3 Auto Scaling Groups: policies and metrics
- 13.4 Warm pools and lifecycle hooks
Chapter 14 · Serverless with Lambda
- 14.1 The Lambda execution model
- 14.2 Triggers: API Gateway, S3, DynamoDB Streams, SQS
- 14.3 Dependency management and layers
- 14.4 Cold starts and strategies to reduce them
- 14.5 Limits and anti-patterns
Chapter 15 · Messaging and events
- 15.1 SQS: standard vs FIFO queues, DLQ
- 15.2 SNS: topics, subscriptions, fan-out
- 15.3 EventBridge: event buses and rules
- 15.4 Patterns: pub/sub, decoupling, saga
Chapter 16 · Content delivery and DNS
- 16.1 Route 53: record types and routing policies
- 16.2 CloudFront: distributions, caches and origins
- 16.3 ACM: free SSL/TLS certificates
- 16.4 WAF integrated with CloudFront
Chapter 17 · Containers on AWS
- 17.1 Docker: quick review of key concepts
- 17.2 ECR: private image registry
- 17.3 ECS: task definitions, services, Fargate vs EC2
- 17.4 EKS: when Kubernetes and when not
Chapter 18 · Modules: reuse and composition
- 18.1 Anatomy of a Terraform module
- 18.2 Input variables, outputs and dependencies
- 18.3 Local modules vs Terraform Registry modules
- 18.4 Module versioning with Git tags
- 18.5 Design of generic vs domain-specific modules
Chapter 19 · Workspaces and environment management
- 19.1 Terraform workspaces: use cases and limitations
- 19.2 Directory strategy per environment (dev/stg/prod)
- 19.3 Terragrunt: DRY for environment configurations
- 19.4 Environment variables and .tfvars files
Chapter 20 · Remote backends and locking
- 20.1 Configure S3 + DynamoDB as backend
- 20.2 State locking: avoiding team corruption
- 20.3 State migration between backends
- 20.4 terraform import: bring existing resources into state
Chapter 21 · Infrastructure testing
- 21.1 Terraform validate and fmt in CI
- 21.2 Checkov and tfsec: static security analysis
- 21.3 Terratest: integration tests in Go
- 21.4 Contract testing between modules
Chapter 22 · Terraform in CI/CD
- 22.1 Basic pipeline: lint → plan → apply in GitHub Actions
- 22.2 Atlantis: GitOps for Terraform
- 22.3 Terraform Cloud / HCP Terraform
- 22.4 Drift detection and automatic reconciliation
Chapter 23 · Defense in depth
- 23.1 AWS Organizations and Service Control Policies
- 23.2 AWS Config: continuous compliance
- 23.3 GuardDuty: threat detection
- 23.4 Security Hub: centralized view
- 23.5 KMS: key management and rotation
- 23.6 Secrets Manager vs Parameter Store
Chapter 24 · Observability: logs, metrics and traces
- 24.1 CloudWatch Logs, metrics and alarms
- 24.2 CloudWatch Dashboards and Contributor Insights
- 24.3 X-Ray: distributed tracing
- 24.4 OpenTelemetry on AWS
- 24.5 Managed Grafana and Managed Prometheus
Chapter 25 · Cost optimization
- 25.1 AWS Cost Explorer and budgets with alerts
- 25.2 Trusted Advisor and Compute Optimizer
- 25.3 Rightsizing: how to detect overprovisioning
- 25.4 Savings Plans vs Reserved Instances: strategic decision
- 25.5 FinOps: culture and processes to control spending
Chapter 26 · High availability and disaster recovery
- 26.1 RTO and RPO: defining objectives
- 26.2 Strategies: backup/restore, pilot light, warm standby, multi-site
- 26.3 Route 53 health checks and automatic failover
- 26.4 AWS Backup: centralized backup policy
Chapter 27 · AWS Well-Architected Framework
- 27.1 The six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability
- 27.2 Well-Architected Tool: formal reviews
- 27.3 How to apply the framework in design decisions
Chapter 28 · Serverless architectures at scale
- 28.1 Event-driven architecture with Lambda + EventBridge
- 28.2 Saga pattern for distributed transactions
- 28.3 Step Functions: orchestration of complex workflows
- 28.4 Lambda@Edge and CloudFront Functions
Chapter 29 · Data platforms on AWS
- 29.1 Data Lake with S3, Glue and Athena
- 29.2 Kinesis Data Streams and Firehose for streaming
- 29.3 Redshift: data warehousing at scale
- 29.4 Lake Formation: data governance
Chapter 30 · Multi-account and landing zones
- 30.1 Why separate workloads into different accounts
- 30.2 AWS Control Tower and Account Factory
- 30.3 Centralized log and security management
- 30.4 Terraform at multi-account scale with shared modules
Chapter 31 · Platform Engineering and Internal Developer Platform
- 31.1 Golden paths and abstractions over Terraform
- 31.2 AWS Service Catalog
- 31.3 Backstage as a developer portal
- 31.4 Terraform modules as internal product
Chapter 32 · Relevant AWS certifications
- 32.1 Cloud Practitioner: is it worth it?
- 32.2 Solutions Architect Associate → Professional
- 32.3 DevOps Engineer Professional
- 32.4 Specialty: Security, Database, Networking
- 32.5 HashiCorp Terraform Associate
Chapter 33 · Projects to consolidate what you've learned
- 33.1 Project 1: serverless blog (S3 + CloudFront + Lambda + DynamoDB)
- 33.2 Project 2: REST API with ECS Fargate + RDS + ALB
- 33.3 Project 3: data platform with Glue + Athena + Redshift
- 33.4 Project 4: multi-account landing zone with Terraform and Control Tower