AWS IAM Glossary: Core Concepts Explained
The core building blocks of AWS IAM, defined in plain English. Each term has a short page with an example and the most common mistake to avoid. New to IAM risk? See the IAM privilege escalation reference for how these concepts go wrong in practice.
Terms
IAM Trust Policy
A trust policy is the resource-based policy attached to an IAM role that defines which principals are allowed to assume it.
IAM Permissions Boundary
A permissions boundary is an advanced policy that sets the maximum permissions an IAM user or role can ever have, regardless of its attached policies.
Service Control Policy (SCP)
A Service Control Policy is an AWS Organizations policy that sets the maximum available permissions for the accounts it is applied to.
Resource-Based Policy
A resource-based policy is a policy attached directly to a resource (such as an S3 bucket or KMS key) that specifies who can access it and how.
IAM Condition Keys
Condition keys let you add requirements to a policy statement so it only applies when specific context values match — source IP, MFA, account, encryption, and more.
sts:AssumeRole
sts:AssumeRole is the STS action that returns temporary security credentials for an IAM role, letting a principal operate with that role’s permissions.
Least Privilege
Least privilege is the principle of granting an identity only the permissions it needs to do its job — nothing more.
IAM Policy Evaluation Logic
IAM policy evaluation is the order in which AWS decides whether a request is allowed: an explicit deny always wins, then an explicit allow, otherwise the default is deny.
Put it into practice — free
Paste an IAM policy into Shieldly's AI-powered analyzer and see the risks and fixes in seconds. No signup, no AWS credentials required.
Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.