Writing AWS IAM policies sometimes gets confusing, especially when our policy authoring is reactive rather than part of a proactive permissions strategy.

The fact that IAM policies come with a number of restrictions doesn’t really help either.

To start off, let’s take a look at what the IAM policy evaluation order looks like:

Image courtesy Amazon Web Services IAM User Guide
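To make the evaluation order concrete, here is an added example (not part of the original post or of AWS's own code) that models the simplified single-account flow for identity-based policies: an explicit Deny anywhere wins, otherwise an explicit Allow is required, otherwise the request falls through to the implicit deny. It assumes constructed sample statements and ignores Conditions, NotAction/NotResource, resource-based policies, permissions boundaries and SCPs.

```python
import fnmatch

# Constructed sample identity-based policy statements (not from the original post).
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    # fnmatchcase is case-sensitive; callers lower-case actions first because
    # IAM action names are case-insensitive while ARNs are not.
    # (fnmatch also honours "[...]" classes, which IAM does not; fine for ARNs here.)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(statements, action, resource):
    """Return (decision, reason) for one request against identity-based statements.

    Simplified single-account order: explicit Deny beats everything, an explicit
    Allow is otherwise required, and with neither the request is implicitly denied.
    """
    explicit_allow = False
    for stmt in statements:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not (_matches(actions, action.lower()) and _matches(resources, resource)):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return ("Deny", "explicit deny")  # a matching Deny ends evaluation
        if stmt["Effect"] == "Allow":
            explicit_allow = True  # keep scanning: a later Deny would still win
    if explicit_allow:
        return ("Allow", "explicit allow")
    return ("Deny", "implicit deny")  # nothing allowed it: default deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(SAMPLE_STATEMENTS, "s3:GetObject", obj))      # explicit allow
    print(evaluate(SAMPLE_STATEMENTS, "s3:DeleteObject", obj))   # explicit deny
    print(evaluate(SAMPLE_STATEMENTS, "ec2:StartInstances", "*"))  # implicit deny
```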