mayer_vietoris

Reputation: 107

For which resources is an explicit allow for the principal in a resource-based policy not enough to grant access?

From AWS docs

For most resources, you only need an explicit allow for the principal in either an identity-based policy or a resource-based policy to grant access. IAM role trust policies and KMS key policies are exceptions to this logic, because they must explicitly allow access for principals.

it's clear that for most resources (that support resource-based policies), a resource-based policy is enough to grant access to an IAM principal (meaning, without the need to add an explicit Allow to an identity-based policy of the principal). Trust policies and KMS policies are notable exceptions, since a resource-based policy must be attached to the resource.

Are there any other resources where a standalone resource-based policy is not enough to grant access to an IAM principal? Or equivalently, are there any services where both an identity-based and a resource-based policy are required at the same time to allow access?

The services I tried so far worked fine (S3, SQS, Lambda), but there are more than 20 services that support resource-based policies, so I can't check all of them.

I expect there to be no service which supports resource-based policies and requires identity-based changes to grant access to the particular resource.

Upvotes: 0

Views: 529

Answers (1)

fedonev

Reputation: 25739

In absence of an explicit Deny, one valid* explicit Allow is sufficient:

If either the identity-based policy or the resource-based policy within the same account allows the request and the other doesn't, the request is still allowed. (source)


* Identity policies are valid for KMS only if the key (resource) policy explicitly permits them: Unlike other AWS resource policies, an AWS KMS key policy does not automatically give permission to the account or any of its principals.

Upvotes: 0
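The evaluation rule the answer quotes (explicit Deny wins, otherwise one explicit Allow in either policy is enough, except that a KMS key policy must itself grant access before identity policies count) can be checked against sample policies with a small model. The following is an added illustration, not code from the answer, the asker, or AWS; the account id, role ARN, key ARN and bucket name are constructed, and the account-root statement in the sample key policy mirrors the "Enable IAM User Permissions" statement AWS puts in default key policies, which is what delegates a key's access decisions to the account's IAM policies.

```python
from fnmatch import fnmatchcase

# Constructed sample account and principal (not from the question).
ACCOUNT_ID = "111122223333"
ACCOUNT_ROOT = f"arn:aws:iam::{ACCOUNT_ID}:root"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"

# Services where an identity-policy Allow only counts if the resource (key)
# policy explicitly delegates to the account, as the answer states for KMS.
REQUIRES_RESOURCE_DELEGATION = {"kms"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(stmt, action, resource):
    """Action and Resource pattern match, IAM-style wildcards via fnmatch."""
    act_ok = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
    res_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return act_ok and res_ok


def _principal_match(stmt, principal_arn):
    """'direct' if the statement names the principal (or '*'); 'account' if it
    names the account root, which delegates to the account's identity policies;
    None if the statement does not apply to this principal."""
    p = stmt.get("Principal", {})
    arns = ["*"] if p == "*" else _as_list(p.get("AWS", []))
    for arn in arns:
        if arn in ("*", principal_arn):
            return "direct"
        if arn == ACCOUNT_ROOT and principal_arn.startswith(f"arn:aws:iam::{ACCOUNT_ID}:"):
            return "account"
    return None


def evaluate(service, identity_policy, resource_policy, principal_arn, action, resource):
    """Model of same-account evaluation for one request. Returns 'ALLOW' or 'DENY'."""
    ident = [s for s in identity_policy.get("Statement", []) if _matches(s, action, resource)]
    res = [(s, _principal_match(s, principal_arn))
           for s in resource_policy.get("Statement", []) if _matches(s, action, resource)]
    res = [(s, m) for s, m in res if m]

    # 1. An explicit Deny in either policy always wins.
    if any(s["Effect"] == "Deny" for s in ident) or any(s["Effect"] == "Deny" for s, _ in res):
        return "DENY"
    # 2. A resource policy that names the principal directly is sufficient on its own.
    if any(s["Effect"] == "Allow" and m == "direct" for s, m in res):
        return "ALLOW"
    # 3. An identity-policy Allow is sufficient on its own for most services; for
    #    KMS it needs the key policy's account-root delegation.
    identity_allows = any(s["Effect"] == "Allow" for s in ident)
    delegated = any(s["Effect"] == "Allow" and m == "account" for s, m in res)
    if identity_allows and (delegated or service not in REQUIRES_RESOURCE_DELEGATION):
        return "ALLOW"
    return "DENY"  # implicit deny: nothing allowed the request


# Constructed sample policies.
EMPTY = {"Statement": []}
IDENTITY_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/constructed-key-id"
BUCKET_DIRECT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
KEY_DELEGATES = {"Statement": [{"Sid": "Enable IAM User Permissions", "Effect": "Allow",
                                "Principal": {"AWS": ACCOUNT_ROOT}, "Action": "kms:*", "Resource": "*"}]}
KEY_DIRECT = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
                             "Action": "kms:Decrypt", "Resource": "*"}]}


def scenarios():
    """Run the cases discussed in the thread and return their outcomes."""
    return {
        "s3_identity_only": evaluate("s3", IDENTITY_ALLOW_ALL, EMPTY, ROLE_ARN, "s3:GetObject", OBJECT_ARN),
        "s3_bucket_policy_only": evaluate("s3", EMPTY, BUCKET_DIRECT, ROLE_ARN, "s3:GetObject", OBJECT_ARN),
        "s3_explicit_deny_wins": evaluate("s3", IDENTITY_ALLOW_ALL, BUCKET_DENY, ROLE_ARN, "s3:GetObject", OBJECT_ARN),
        "kms_identity_only": evaluate("kms", IDENTITY_ALLOW_ALL, EMPTY, ROLE_ARN, "kms:Decrypt", KEY_ARN),
        "kms_identity_plus_delegation": evaluate("kms", IDENTITY_ALLOW_ALL, KEY_DELEGATES, ROLE_ARN, "kms:Decrypt", KEY_ARN),
        "kms_key_policy_only": evaluate("kms", EMPTY, KEY_DIRECT, ROLE_ARN, "kms:Decrypt", KEY_ARN),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} {outcome}")
```

The `kms_identity_only` case is the one that trips people up: a broad identity policy that would be sufficient for S3 does nothing for a key whose policy lacks the account-root statement, so when auditing key access, read the key policy first and only then the identity policies it delegates to.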
