Access controls map to objects (such as files or systems), authorizations map to actions (such as AWS API calls), and an entitlement is the assignment of either of these to an identity.
Role-Based Access Control (RBAC): Assigns roles to identities, which define permissions.
Attribute-Based Access Control (ABAC): Uses attributes of the identity, resource or request (such as tags and IP addresses) to control access.
Policy-Based Access Control (PBAC): Encodes both RBAC and ABAC rules within policies.
Actions: Specific API operations permitted or denied.
Resources: AWS resources the policy applies to.
Conditions: Additional rules, evaluated against request and resource attributes, that must hold for the statement to apply.
Conditionals in IAM policies have two main components:
1. Condition keys are either global, applying to any service (e.g., aws:SourceIp), or service-specific (e.g., s3:ResourceTag/tag-key).
a. AWS Documentation
2. Condition operators define how the key's value is compared with the policy value, e.g., StringEquals, IpAddress, Bool.
a. AWS Documentation
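To show how Actions, Resources and Conditions combine, here is an added example (not from the original notes, and not AWS's evaluation engine): a constructed ABAC-style policy using a global key (aws:SourceIp), a service-specific key (s3:ResourceTag/env) and three operators, plus a deliberately simplified evaluator that applies the AND semantics of a Condition block and default deny. The bucket name, tag values and IP range are constructed sample data.

```python
import fnmatch
import ipaddress

# Constructed policy (not from the original page): allow reading objects tagged
# env=dev, but only from one IP range and only over TLS. Each Condition entry is
# operator -> {condition key: expected value}.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {
            "StringEquals": {"s3:ResourceTag/env": "dev"},  # service-specific key
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},  # global key
            "Bool": {"aws:SecureTransport": "true"},  # global key
        },
    }],
}

# Simplified evaluators for three operators; real IAM has many more
# (StringLike, ...IfExists, ForAllValues/ForAnyValue, Null, ArnLike, ...).
OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "IpAddress": lambda actual, expected: ipaddress.ip_address(actual)
    in ipaddress.ip_network(expected, strict=False),
    "Bool": lambda actual, expected: str(actual).lower() == str(expected).lower(),
}

def condition_matches(condition, context):
    """All operator/key pairs in a Condition block must hold (logical AND).
    A key absent from the request context fails the test, as in IAM."""
    for operator, pairs in condition.items():
        check = OPERATORS[operator]
        for key, expected in pairs.items():
            if key not in context or not check(context[key], expected):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """Default deny: allowed only when some Allow statement matches the action,
    the resource and every condition. (Explicit Deny is omitted here.)"""
    for stmt in policy["Statement"]:
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        if (stmt["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action, a) for a in actions)
                and fnmatch.fnmatchcase(resource, stmt["Resource"])
                and condition_matches(stmt.get("Condition", {}), context)):
            return True
    return False
```

Changing any one context value (source IP outside the range, a prod tag, plain HTTP, or a missing key) flips the result to deny, which is the behaviour to verify when testing a condition-heavy policy.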