53. IAM Policies

Amazon Resource Name (ARN).
ARNs begin with
arn:partition:service:region:account_id

Field        Example values
arn          literal prefix "arn"
partition    aws | aws-in
service      S3 | EC2 | RDS
region       us-east-1 | eu-central-1
account_id   12-digit account id
ARNs end with
resource
resource_type/resource
resource_type/resource/qualifier
resource_type/resource:qualifier
resource_type:resource
resource_type:resource:qualifier

Examples:
arn:aws:iam::123456789012:user/mark
arn:aws:s3:::my_bucket/image.png
arn:aws:dynamodb:us-east-1:123456789012:table/orders
arn:aws:ec2:us-east-1:123456789012:instance/*

IAM Policies:
A JSON document that defines permissions.

Identity Policy:
    Attached to an IAM user, group or role
    Lets you specify what an identity can do
Resource Policy:
    Attached to a resource
    Specifies who has access to the resource and what actions they can perform
i. No effect until attached
ii. Simply structured: a policy document is a list of statements, and each statement matches an API request.
iii. Anything not explicitly allowed is implicitly denied
iv. An explicit deny takes precedence over everything else, including any matching allow
v. Used to delegate administration to other users
vi. Policies should be scoped to prevent privilege escalation or unnecessarily broad permissions.
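The following is an added example (not part of the original notes and not AWS's own evaluation engine) that shows the ARN layout and the three evaluation rules above in code: it splits an ARN into the fields listed earlier, then evaluates a constructed sample policy against a single request, returning ImplicitDeny when nothing matches and ExplicitDeny whenever a matching Deny statement exists. The policy, bucket name and statement contents are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample identity policy (not from any real account):
# one Allow statement and one explicit Deny that carves out a sub-prefix.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my_bucket/secrets/*"}
  ]
}""")


def parse_arn(arn):
    """Split an ARN into arn:partition:service:region:account_id:resource.

    The resource part may itself contain ':' (resource_type:resource),
    so only the first five separators are split on.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    keys = ("partition", "service", "region", "account_id", "resource")
    return dict(zip(keys, parts[1:]))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM-style wildcards in Action/Resource: '*' matches any run of characters.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified decision for one action on one resource ARN."""
    decision = "ImplicitDeny"          # rule iii: nothing matched => denied
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # rule iv: explicit deny wins outright
        decision = "Allow"             # keep scanning in case a Deny follows
    return decision
```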