- Policies can be attached at group level, and all users in the group inherit those permissions.
- A user can belong to multiple groups and accumulate permissions from all of them.
- Users can also have directly attached policies (inline or managed) that are evaluated along with inherited ones.
- Evaluation logic: AWS evaluates all applicable policies (group, user, role) together, and explicit denies always override allows.
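
The sketch below is an added example, not AWS code: it merges a user's group policies with the directly attached ones and evaluates a request so that any matching `Deny` beats every `Allow`, regardless of where each was attached. The group names, the `ALICE` user, the bucket ARNs and the `evaluate` helper are constructed for illustration. It assumes identity-based policies only and ignores `Condition`, `NotAction`/`NotResource`, roles, SCPs, permission boundaries and resource-based policies.

```python
import re

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I | re.S if ignore_case else re.S) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def effective_policies(user, groups):
    """All identity policies that apply: every group the user is in, plus the user's own."""
    docs = [p for g in user["groups"] for p in groups[g]]
    return docs + user["policies"]

def evaluate(user, groups, action, resource):
    decision = "ImplicitDeny"              # nothing matched yet: denied by default
    for doc in effective_policies(user, groups):
        for st in _as_list(doc["Statement"]):
            # Action names are case-insensitive; resource ARNs are compared as written.
            if not any(_match(a, action, True) for a in _as_list(st["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"      # one matching Deny overrides all Allows
            decision = "Allow"
    return decision

# Constructed sample data (hypothetical group names, user and ARNs).
GROUPS = {
    "developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}],
    "contractors": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::prod-data/*"}]}],
}
ALICE = {"groups": ["developers", "contractors"], "policies": [
    {"Version": "2012-10-17", "Statement":
        {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:DeleteObject"], "Resource": "*"}}]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::prod-data/a.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::prod-data/a.csv"),
                     ("ec2:DescribeInstances", "*"),
                     ("iam:CreateUser", "*")]:
        print(act, res, "->", evaluate(ALICE, GROUPS, act, res))
```

The `s3:DeleteObject` request on `prod-data` is refused even though both the `developers` group and the user's own policy allow it, which is the case to check for when a group-level deny is meant to act as a guardrail.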