AWS Policy Elements

October 8, 2024 note-to-self

Some elements of an AWS policy include:

  • Sid (optional): Statement ID, a label that identifies the purpose of a statement; most useful in a policy with multiple statements.
  • Version: There are only two versions, 2008-10-17 and 2012-10-17; always use the newest (2012-10-17).
  • Statement: This is the core of the policy and defines who can do what to which resources and when.
  • Effect: This can be either Allow or Deny.
  • Principal: This specifies the "Who". (see below)
  • Action: This specifies the "What".
  • Resource: This specifies the "Which" resource they can do "What" to.

In AWS, a principal field is required in resource-based policies.

Resource-based policies: These JSON policy documents are attached to a resource and control access to it. A principal is required in a resource-based policy to specify the entity that can perform actions on the resource. Principals can be accounts, users, roles, federated users, or AWS services.

Identity-based policies: Policies attached to IAM identities, such as users, groups, and roles. Identity-based policies grant permissions to make API calls and don't have a Principal element.
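To make the element rules above concrete, here is a small linter (added here as an example, not an AWS tool or the official policy grammar) that checks a policy document for the Version, Sid, Effect, Action, Resource and Principal rules from this note. The two sample documents are constructed, and 111122223333 / example-bucket are placeholders.

```python
import json

VALID_VERSIONS = {"2008-10-17", "2012-10-17"}
NEWEST_VERSION = "2012-10-17"

def lint_policy(doc: str, resource_based: bool) -> list:
    """Check a policy document against the element rules in this note; returns findings."""
    policy = json.loads(doc)
    findings = []
    version = policy.get("Version")
    if version not in VALID_VERSIONS:
        findings.append("Version missing or unknown")
    elif version != NEWEST_VERSION:
        findings.append("Version is not the newest (2012-10-17)")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    if len(statements) > 1 and any("Sid" not in s for s in statements):
        findings.append("multi-statement policy has a statement without a Sid")
    for i, s in enumerate(statements):
        label = s.get("Sid", f"statement[{i}]")
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in s and "NotAction" not in s:
            findings.append(f"{label}: no Action")
        if "Resource" not in s and "NotResource" not in s:
            findings.append(f"{label}: no Resource")
        has_principal = "Principal" in s or "NotPrincipal" in s
        if resource_based and not has_principal:
            findings.append(f"{label}: resource-based policy requires a Principal")
        if not resource_based and has_principal:
            findings.append(f"{label}: identity-based policy must not have a Principal")
    return findings

# Constructed sample documents; 111122223333 is a placeholder account ID.
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadBucket", "Effect": "Allow",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
BUCKET_POLICY_MISSING_PRINCIPAL = json.dumps({
    "Version": "2008-10-17",
    "Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*"},
})

if __name__ == "__main__":
    print(lint_policy(IDENTITY_POLICY, resource_based=False))               # []
    print(lint_policy(BUCKET_POLICY_MISSING_PRINCIPAL, resource_based=True))  # 2 findings
```

The second document is a bucket policy with the old Version and no Principal, so it gets flagged on both counts.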

A group bundles policies that apply to every user in it; a policy bundles permissions.

Links: