VISI

IAM Roles vs. Resource-Based Policies

When you assume a role, you give up your original permissions. When you use a resource-based policy (e.g., S3 bucket policy, SNS topic policy, SQS queue policy), the principal keeps their original permissions.

Use case: User in Account A needs to scan DynamoDB in Account A and dump to S3 in Account B → use resource-based policy so the user keeps DynamoDB permissions.

aws:PrincipalOrgID — use in resource policies to restrict access to accounts within your AWS Organization.

References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 3

What is aws:PrincipalOrgID?