Policy evaluation logic - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Policy evaluation logic

When a principal tries to use the Amazon Web Services Management Console, the Amazon API, or the Amazon CLI, that principal sends a request to Amazon. When an Amazon service receives the request, Amazon completes several steps to determine whether to allow or deny the request.

  1. Authentication – Amazon first authenticates the principal that makes the request. A few services, such as Amazon S3, accept some requests from anonymous users, so this step is not required for those requests.

  2. Processing the request context – Amazon processes the information gathered in the request to determine which policies apply to the request.

  3. Policy evaluation for requests within a single account and Cross-account policy evaluation logic – Amazon evaluates all of the policy types that apply to the request; the order in which the policies are evaluated affects the final decision.

  4. How Amazon enforcement code logic evaluates requests to allow or deny access – Amazon processes the policies against the request context to determine whether the request is allowed or denied.
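The following Python model is an added example, not AWS code, that illustrates steps 2 through 4 for the simplest case: a request within a single account that is governed only by identity-based policies. It assumes the well-known IAM decision order (everything is implicitly denied by default, an applicable Allow statement grants access, and an applicable explicit Deny overrides any Allow). Resource-based policies, SCPs, permissions boundaries, session policies, `NotAction`/`NotResource` and `Condition` blocks are deliberately not modelled, and the sample policies and request values are constructed for the example.

```python
import fnmatch

# Constructed sample identity-based policies in simplified IAM JSON shape.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/*"},
            {"Effect": "Allow", "Action": ["ec2:DescribeInstances"],
             "Resource": "*"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            # Explicit deny: wins over the s3:* Allow above.
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
        ],
    },
]


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """Wildcard match using IAM's '*' and '?' semantics.

    Action names are case-insensitive in IAM; ARNs are not.
    """
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(statement, request):
    """Step 2: does this statement match the request context?"""
    action_ok = _matches(statement.get("Action", []), request["action"],
                         case_insensitive=True)
    resource_ok = _matches(statement.get("Resource", []), request["resource"])
    return action_ok and resource_ok


def evaluate(policies, request):
    """Steps 3 and 4: return 'ExplicitDeny', 'Allow' or 'ImplicitDeny'.

    Default is an implicit deny. Any applicable Allow flips the decision
    to Allow, but an applicable explicit Deny ends evaluation immediately.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, request):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    # Constructed request contexts (the principal is already authenticated).
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
    ]:
        req = {"action": action, "resource": resource}
        print(f"{action:16} {resource:45} -> {evaluate(SAMPLE_POLICIES, req)}")
```

Because a single matching Deny returns immediately while an Allow only updates a default, the order in which the policies are listed never changes the outcome of this model; that is the property the real enforcement logic guarantees for explicit denies.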