Status: IN
A user's effective permissions are cumulative across identity-based policies (user/group/role) AND resource-based policies (S3, SQS, SNS, KMS) — both must be reviewed for a complete permission picture.
Source: entries/2026/03/11/IAM-latest-UserGuide-security-audit-guidehtml.md