Policy evaluation logic
When a principal tries to use the Amazon Web Services Management Console, the Amazon API, or the Amazon CLI, that principal sends a request to Amazon. When an Amazon service receives the request, Amazon completes several steps to determine whether to allow or deny the request.
- Authentication – Amazon first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.
- Processing the request context – Amazon processes the information gathered in the request to determine which policies apply to the request.
- Policy evaluation for requests within a single account and Cross-account policy evaluation logic – Amazon evaluates all of the policy types, and the order of the policies affects how they are evaluated.
- How Amazon enforcement code logic evaluates requests to allow or deny access – Amazon processes the policies against the request context to determine whether the request is allowed or denied.