What does IAM policy evaluation in AWS primarily follow?


IAM policy evaluation in AWS follows a deny-by-default model: a request is denied unless a policy explicitly allows it, and the absence of any matching Allow statement is what AWS calls an implicit deny. No permissions exist until someone grants them, which limits the damage a forgotten or over-broad policy can do.

When AWS evaluates a request, it collects every applicable policy (identity-based policies attached to the user, group or role, resource-based policies on the target resource, and, where present, organization SCPs, permissions boundaries and session policies) and examines their Allow and Deny statements. If any applicable statement explicitly denies the action, that explicit deny wins and overrides every Allow, no matter where the Allow lives. Only when no explicit deny applies does AWS look for an explicit Allow; if none matches the action and resource, the request falls through to the implicit deny. The order is therefore: explicit deny, then explicit allow, then implicit deny. Note that an Allow in one policy type is not always sufficient: SCPs and permissions boundaries act as a ceiling, so the action must also be permitted there for an identity-based Allow to take effect.
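The evaluation order above, as an added worked example that is not AWS code and not part of the original page. It models only identity-based policies (SCPs, permissions boundaries, resource-based and session policies are out of scope), supports the Action/NotAction and Resource/NotResource forms with IAM's `*` and `?` wildcards, and uses constructed sample policy documents; the bucket names and ARNs in them are made up for illustration.

```python
"""Simplified IAM policy evaluator: explicit deny > explicit allow > implicit deny.

Added example; not AWS code. Models identity-based policies only. Policy
documents below are constructed sample input, not real account policies.
"""
from fnmatch import fnmatchcase

EXPLICIT_DENY = "explicit_deny"
ALLOW = "allow"
IMPLICIT_DENY = "implicit_deny"


def _as_list(value):
    """IAM lets Action/Resource/Statement be a single item or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """Glob match with IAM-style '*' and '?' wildcards.

    Action names are compared case-insensitively (IAM treats them that way);
    resource ARNs are compared case-sensitively, a simplification of IAM's
    per-service rules.
    """
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatchcase(candidate, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    """A statement applies when both its action and resource clauses match."""
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action, fold_case=True)
    else:  # NotAction: applies to every action EXCEPT the listed ones
        action_hit = not _matches(stmt["NotAction"], action, fold_case=True)
    if "Resource" in stmt:
        resource_hit = _matches(stmt["Resource"], resource, fold_case=False)
    else:  # NotResource: applies to every resource EXCEPT the listed ones
        resource_hit = not _matches(stmt["NotResource"], resource, fold_case=False)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return ALLOW, EXPLICIT_DENY or IMPLICIT_DENY for one request.

    Any applicable Deny wins outright, so it short-circuits. An applicable
    Allow is only remembered, because a later Deny must still override it.
    If nothing applicable allowed the request, the answer is the implicit deny.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return EXPLICIT_DENY
            if stmt["Effect"] == "Allow":
                allowed = True
    return ALLOW if allowed else IMPLICIT_DENY


# Constructed sample policies (hypothetical bucket and ARNs).
READ_ONLY_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
DELETE_GUARDRAIL = {  # blanket deny that must beat any broad allow
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
}
BROAD_S3_ADMIN = {  # over-broad allow, the kind a guardrail exists to contain
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
}
EVERYTHING_BUT_IAM = {  # NotAction form: allow all except IAM administration
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
}


def demo():
    """Run a few requests through the evaluator and return the decisions."""
    policies = [READ_ONLY_BUCKET, DELETE_GUARDRAIL, BROAD_S3_ADMIN]
    obj = "arn:aws:s3:::example-bucket/report.csv"
    return {
        "get_object": evaluate(policies, "s3:GetObject", obj),
        "delete_object": evaluate(policies, "s3:DeleteObject", obj),
        "ec2_no_grant": evaluate([READ_ONLY_BUCKET, DELETE_GUARDRAIL], "ec2:StartInstances", "*"),
        "not_action_sts": evaluate([EVERYTHING_BUT_IAM], "sts:GetCallerIdentity", "*"),
        "not_action_iam": evaluate([EVERYTHING_BUT_IAM], "iam:CreateUser", "*"),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:15s} -> {decision}")
```

The `delete_object` case is the one worth internalising: `BROAD_S3_ADMIN` allows `s3:*` on everything, yet the guardrail's Deny still wins, which is exactly why explicit denies are the right tool for organisation-wide restrictions. The `ec2_no_grant` case shows the implicit deny: no policy mentions EC2, so nothing needs to deny it.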

The other options do not describe how IAM evaluation works. An allow-all model would grant every permission unless something restricted it, the opposite of IAM's starting position. "Explicit allow override" would mean an Allow could beat a Deny, but in IAM an explicit deny always takes precedence over any Allow. "Manifest policy approval" is not a recognised term in IAM policy evaluation. The deny-by-default model, with explicit deny overriding explicit allow, is the correct description of IAM's approach to permission management.
