IAM Roles vs. Resource-Based Policies
When you assume a role, you give up your original permissions. When you use a resource-based policy (e.g., S3 bucket policy, SNS topic policy, SQS queue policy), the principal keeps their original permissions.
Use case: User in Account A needs to scan DynamoDB in Account A and dump to S3 in Account B → use resource-based policy so the user keeps DynamoDB permissions.
aws:PrincipalOrgID — use in resource policies to restrict access to accounts within your AWS Organization.
