AWS IAM glossary

What is a Resource-Based Policy?

A resource-based policy is a policy attached directly to a resource (such as an S3 bucket or KMS key) that specifies who can access it and how.

Identity-based policies are attached to users, groups, and roles and travel with the principal, so they never name one: the principal is whoever the policy is attached to. Resource-based policies are attached to the resource itself and must include a Principal element saying who is allowed. S3 bucket policies, KMS key policies, SQS queue policies, and Lambda function policies are all examples.

Resource-based policies enable cross-account access without the caller assuming a role in the resource owner's account: account A can grant account B access to a bucket directly in the bucket policy, and principals in B then call the bucket with their own credentials. How the two policy types combine depends on where the principal lives. Within one account, an explicit Allow in either the identity-based policy or the resource-based policy is enough (the effective permissions are the union). Across accounts, both sides must allow: the resource-based policy must grant to the principal or its account, and the principal's identity-based policy must allow the action. A statement that names only an account (a bare account ID or the :root ARN) delegates rather than grants, so the identity-based side must still allow, even within the same account. An explicit Deny in either policy always wins. KMS key policies are the notable exception to the union rule: an IAM policy has no effect on a key unless the key policy itself grants or delegates to IAM.

Example

This bucket policy delegates read access on every object to account 123456789012. Which users and roles in that account can actually read is then decided by their own identity-based policies.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Common mistake

A resource-based policy with Principal "*" (or the equivalent {"AWS": "*"}) and no Condition grants anonymous, unauthenticated access: the resource is public. This is the most common cause of exposed S3 buckets. A Condition does not automatically fix it. Keys that pin the caller, such as aws:PrincipalOrgID, aws:PrincipalAccount or aws:SourceVpce, narrow the grant; keys such as aws:SecureTransport only constrain how the request is made and leave the bucket public. For S3, keep Block Public Access enabled so that a public bucket policy is rejected when it is put, and review IAM Access Analyzer findings for resources reachable from outside your zone of trust.
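The evaluation rules above (same-account union, cross-account requiring both sides, delegation to an account root, explicit Deny winning) and the wildcard-principal check are easier to reason about in code. The block below is an added example and is not Shieldly's analyzer or code from this page: a deliberately small Python evaluator run over constructed sample policies. The account IDs, bucket name, role ARN and organisation ID are made up. It models Effect, Action/Resource wildcards, the Principal element, StringEquals conditions and the same-account versus cross-account combination; it does not model NotAction/NotResource/NotPrincipal, Service principals, other condition operators, or KMS key policies, which gate IAM policies themselves.

```python
import re

# Added example, not Shieldly's code. A toy evaluator for the combination rules
# described in the text. Not modelled: NotAction/NotResource/NotPrincipal,
# Service principals, condition operators other than StringEquals, KMS key policies.


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _glob(pattern, value):
    # IAM wildcards: '*' matches any sequence, '?' matches one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None


def _glob_any(patterns, value):
    return any(_glob(p, value) for p in _as_list(patterns))


def _account_of(arn):
    return arn.split(":")[4]


def _principal_match(principal, caller_arn):
    # 'direct' for '*' or the caller's own ARN; 'account' for a bare account ID or
    # :root ARN of the caller's account (delegation, not a grant); None otherwise.
    entries = ["*"] if principal == "*" else (
        _as_list(principal.get("AWS")) if isinstance(principal, dict) else [])
    caller_acct = _account_of(caller_arn) if caller_arn else None
    for entry in entries:
        if entry == "*" or entry == caller_arn:
            return "direct"
        acct = entry if entry.isdigit() else (
            _account_of(entry) if entry.endswith(":root") else None)
        if acct is not None and acct == caller_acct:
            return "account"
    return None


def _condition_holds(condition, context):
    # Only StringEquals is modelled; any other operator counts as unmet, so the
    # evaluator never assumes access it cannot verify.
    return all(op == "StringEquals" and
               all(context.get(k) in _as_list(v) for k, v in pairs.items())
               for op, pairs in condition.items())


def evaluate(policy, action, resource, caller_arn=None, context=None):
    """Evaluate one policy document: 'Deny', 'Allow' (direct grant),
    'AllowAccount' (grant delegated to the caller's account) or None."""
    context = context or {}
    best = 0  # 0 = no allow, 1 = delegated to the account, 2 = direct grant
    for stmt in _as_list(policy.get("Statement")):
        how = "direct"  # identity-based policies carry no Principal element
        if "Principal" in stmt:
            how = _principal_match(stmt["Principal"], caller_arn)
            if how is None:
                continue
        if not _glob_any(stmt.get("Action"), action):
            continue
        if not _glob_any(stmt.get("Resource"), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny ends the evaluation
        best = max(best, 2 if how == "direct" else 1)
    return {0: None, 1: "AllowAccount", 2: "Allow"}[best]


def is_allowed(caller_arn, action, resource, resource_owner,
               resource_policy, identity_policy, context=None):
    """Combine a resource-based and an identity-based policy as the text describes."""
    r = evaluate(resource_policy, action, resource, caller_arn, context)
    i = evaluate(identity_policy, action, resource, None, context)
    if "Deny" in (r, i):
        return False  # explicit deny in either policy wins
    if _account_of(caller_arn) == resource_owner and (r == "Allow" or i == "Allow"):
        return True  # same account: union, provided the grant names the principal
    # cross-account, or a resource policy that only delegates to the account:
    # both sides must allow
    return r in ("Allow", "AllowAccount") and i == "Allow"


def wildcard_principal_statements(resource_policy):
    """Allow statements whose Principal is '*' or {'AWS': '*'}. Without a Condition
    they are public; with one, the verdict depends on which condition key is used."""
    findings = []
    for stmt in _as_list(resource_policy.get("Statement")):
        p = stmt.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))
        if stmt.get("Effect") == "Allow" and wildcard:
            verdict = "public" if "Condition" not in stmt else "wildcard-with-condition"
            findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


# Constructed sample data: account IDs, bucket, role and org ID are made up.
BUCKET_OWNER = "123456789012"
READER_ROLE = "arn:aws:iam::210987654321:role/reader"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CrossAccountRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::210987654321:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgOnlyList", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"}]}
READER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
```

Running is_allowed for the reader role in account 210987654321 against a private object returns True only while READER_IDENTITY_POLICY allows s3:GetObject; swap in EMPTY_POLICY and the same bucket policy is not enough, because the grant is to the account root and the caller is in another account anyway. A role in the owning account gets public/ objects with no identity policy at all (direct Principal "*" grant, same account), and wildcard_principal_statements reports PublicRead as public while flagging OrgOnlyList for review rather than calling it public.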

Analyze a real policy free

Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.