What does the term "deny-by-default" in IAM policies imply?


The term "deny-by-default" in IAM policies means that access is denied unless a policy explicitly allows it. This fundamental principle establishes a security posture that protects resources by preventing unauthorized access. When a new IAM user or role is created in AWS, it starts with no permissions at all. Unless a specific policy allows an action, the action is automatically denied.

By following this principle, administrators can build a minimum-access model, granting permissions only to the users and roles that need them. This reduces the risk of accidental exposure or unauthorized access to sensitive resources, and it reflects the principle of least privilege, a best practice in security management.

The other options represent misconceptions about how IAM policies function. Allowing access by default or granting all permissions would expose resources to a much higher risk, as they would be accessible to any authenticated user without proper oversight. In IAM terms, a request with no matching Allow statement receives an implicit deny, and an explicit Deny statement always overrides any Allow. Understanding that access is denied unless a policy explicitly grants it is therefore crucial for effectively managing security within AWS environments.
