Policy evaluation logic - AWS Identity and Access Management

Policy evaluation logic

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS. When an AWS service receives the request, AWS completes several steps to determine whether to allow or deny the request.

  1. Authentication – AWS first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.

  2. Processing the request context – AWS processes the information gathered in the request to determine which policies apply to the request.

  3. Policy evaluation for requests within a single account (and, where the principal and the resource are in different accounts, cross-account policy evaluation) – AWS determines which policy types apply to the request (identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, and session policies); the set of policy types present affects the order in which the policies are evaluated.

  4. How AWS enforcement code logic evaluates requests to allow or deny access – AWS processes the policies against the request context to determine whether the request is allowed or denied.
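The four steps above are easier to reason about with a concrete model of step 3 and step 4. The block below is an added illustration, not AWS's enforcement code: it builds a request context (action, resource, condition keys), matches it against the statements of the policies that apply, and returns a decision using the rule IAM documents for a single account, namely that an explicit Deny in any applicable statement wins, otherwise any matching Allow grants access, and otherwise the request is implicitly denied. The evaluator is deliberately simplified (identity-based policies only; no NotAction/NotResource, permissions boundaries, SCPs, resource-based or session policies; only the StringEquals, StringLike and Bool condition operators), and the sample policies and requests are constructed for the example.

```python
"""Simplified model of IAM policy evaluation for a single-account request.

Added illustration, not AWS's enforcement code. Assumptions: identity-based
policies only; '*' and '?' wildcards in Action and Resource; action names
compared case-insensitively, ARNs case-sensitively; condition operators
limited to StringEquals, StringLike and Bool; NotAction/NotResource,
permissions boundaries, SCPs, resource-based and session policies omitted.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """True if `value` matches any pattern ('*' any run, '?' one character)."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Every operator/key pair in a Condition block must hold for it to apply.

    A key missing from the request context makes the clause fail, which is
    how IAM treats a non-...IfExists condition on an absent key.
    """
    for op, clauses in condition.items():
        for key, expected in clauses.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if op == "StringEquals":
                ok = str(actual) in expected
            elif op == "StringLike":
                ok = _matches_any(expected, str(actual))
            elif op == "Bool":
                ok = str(actual).lower() in [e.lower() for e in expected]
            else:
                raise ValueError(f"unsupported condition operator {op}")
            if not ok:
                return False
    return True


def statement_applies(stmt, request):
    """Step 2/3: does this statement's Action, Resource and Condition match the request context?"""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    action_ok = _matches_any(actions, request["action"].lower())
    resource_ok = _matches_any(stmt.get("Resource", "*"), request["resource"])
    cond_ok = _condition_holds(stmt.get("Condition", {}), request.get("context", {}))
    return action_ok and resource_ok and cond_ok


def evaluate(policies, request):
    """Step 4: return 'ExplicitDeny', 'Allow' or 'ImplicitDeny'.

    An applicable Deny short-circuits everything; an Allow is only final once
    every statement has been checked for a Deny; no match at all is an
    implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, request):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample policies (not from the page): read access to one bucket,
# plus a blanket Deny on S3 for requests that did not arrive over TLS.
SAMPLE_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
    ]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]},
]


def request(action, resource, **ctx):
    """Build a request context; keyword args become condition keys."""
    return {"action": action, "resource": resource, "context": ctx}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for req in (request("s3:GetObject", obj, **{"aws:SecureTransport": "true"}),
                request("s3:GetObject", obj, **{"aws:SecureTransport": "false"}),
                request("s3:PutObject", obj, **{"aws:SecureTransport": "true"})):
        print(req["action"], "->", evaluate(SAMPLE_POLICIES, req))
```

The order of checks in `evaluate` is the point: a matching Allow is recorded but never returned until every statement has been inspected for a matching Deny, and a request that matches nothing falls through to the implicit deny rather than being treated as permitted.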