Restricted resources

Learn about restricted resources, such as IAM roles, whose resource-based policy (the role's trust policy) must allow the action explicitly.

In the S3 bucket example, either the identity-based or the resource-based policy is enough to grant access when the principal and the bucket are in the same account. This is the case for most resource types, but there are exceptions. An IAM role's trust policy must allow the action explicitly; it is not enough that the identity policy allows sts:AssumeRole. (Across accounts, both the resource-based policy and the identity policy must allow the request for every resource type.)

How can a resource policy allow an operation?

The resource policy can allow an operation in two ways. It can name the identity explicitly, such as "Principal": {"AWS": "arn:aws:iam::<accountid>:user/<username>"}. In this case, the operation is allowed and there is no need for an identity policy. This matches how less strict resources such as S3 buckets behave when their resource policy names the principal.

The other way is to allow the whole account in the form "Principal": {"AWS": "arn:aws:iam::<accountid>:root"}. This delegates the decision to the identity policies: the request succeeds only if the requesting identity's policy allows the action. If a trust policy allows neither the requesting identity nor its account, the request is denied, even when the identity policy allows sts:AssumeRole.
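The two ways a trust policy can allow sts:AssumeRole, and the contrast with an ordinary resource such as an S3 bucket, can be modelled in a few lines. The following is an added example, not code from the original lesson; it is a deliberately simplified evaluator that assumes a single account, only Allow statements, no Condition blocks, no explicit Deny, and no SCPs or permissions boundaries. The account id, principal names, role and bucket ARNs are constructed for the example.

```python
"""Toy model of the policy evaluation described above.

Added example, not code from the original lesson. Assumptions (simplifications):
only Allow statements, no Condition blocks, no explicit Deny, no SCPs or
permissions boundaries, everything in one account. Account id, names and
ARNs below are constructed sample data.
"""
import fnmatch

ACCOUNT = "123456789012"                              # constructed sample account
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Deployer"    # the "restricted" resource
BUCKET_OBJ = "arn:aws:s3:::example-bucket/*"          # an ordinary resource
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
CAROL = f"arn:aws:iam::{ACCOUNT}:user/carol"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principal ARNs named by a statement ("*" means everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _allows(statement, action, resource):
    """Does this Allow statement cover the action on the resource?"""
    actions = _as_list(statement["Action"])
    resources = _as_list(statement.get("Resource", "*"))  # trust policies omit Resource
    return (statement["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def identity_allows(identity_policy, action, resource):
    return any(_allows(s, action, resource) for s in identity_policy["Statement"])


def resource_policy_decision(resource_policy, principal_arn, action, resource):
    """What a resource-based policy says about a principal.

    "explicit": the principal itself (or "*") is named, so the resource policy
    alone grants access; "account": only the account root is named, so the
    identity policy decides; None: nothing in the policy applies.
    """
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    decision = None
    for statement in resource_policy["Statement"]:
        if not _allows(statement, action, resource):
            continue
        named = _principals(statement)
        if principal_arn in named or "*" in named:
            return "explicit"
        if account_root in named:
            decision = "account"
    return decision


def bucket_allows(bucket_policy, identity_policy, principal_arn, action, resource):
    """Ordinary resource: the identity policy OR an explicit resource policy suffices."""
    decision = resource_policy_decision(bucket_policy, principal_arn, action, resource)
    return decision == "explicit" or identity_allows(identity_policy, action, resource)


def assume_role_allows(trust_policy, identity_policy, principal_arn, role_arn):
    """Restricted resource: the trust policy must name the principal or its account."""
    decision = resource_policy_decision(trust_policy, principal_arn, "sts:AssumeRole", role_arn)
    if decision == "explicit":
        return True                                   # no identity policy needed
    if decision == "account":
        return identity_allows(identity_policy, "sts:AssumeRole", role_arn)
    return False                                      # identity policy alone is not enough


# Constructed sample policies.
def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


TRUST_NAMES_ALICE = _policy({"Effect": "Allow", "Principal": {"AWS": ALICE},
                             "Action": "sts:AssumeRole"})
TRUST_NAMES_ACCOUNT = _policy({"Effect": "Allow",
                               "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
                               "Action": "sts:AssumeRole"})
TRUST_NAMES_CAROL = _policy({"Effect": "Allow", "Principal": {"AWS": CAROL},
                             "Action": "sts:AssumeRole"})
BUCKET_NAMES_CAROL = _policy({"Effect": "Allow", "Principal": {"AWS": CAROL},
                              "Action": "s3:GetObject", "Resource": BUCKET_OBJ})
BOB_IDENTITY = _policy({"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
                       {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_OBJ})
NO_PERMISSIONS = _policy()

if __name__ == "__main__":
    print("alice, named in trust policy, no identity policy:",
          assume_role_allows(TRUST_NAMES_ALICE, NO_PERMISSIONS, ALICE, ROLE_ARN))
    print("bob, trust policy names only carol, identity allows:",
          assume_role_allows(TRUST_NAMES_CAROL, BOB_IDENTITY, BOB, ROLE_ARN))
    print("bob, bucket policy names only carol, identity allows:",
          bucket_allows(BUCKET_NAMES_CAROL, BOB_IDENTITY, BOB, "s3:GetObject",
                        "arn:aws:s3:::example-bucket/key"))
```

The last two prints are the point of the lesson: Bob's identity policy allows both sts:AssumeRole on the role and s3:GetObject on the bucket, yet with a resource policy that names only Carol he can read the object but cannot assume the role. When auditing who can assume a role, read the trust policy first and only then the identity policies of the principals it names or, for an account-root principal, of every principal in that account.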

This is what the policy evaluation flow looks like for these resources:
