Which AWS service implements policies and role-based access control?

The correct choice is AWS IAM (Identity and Access Management) because it is specifically designed to manage access to AWS services and resources securely. IAM allows you to create and manage AWS users and groups, as well as define permissions to allow or deny access to resources. Through IAM, you can implement fine-grained access control using policies that specify who can access which resources under what conditions.

Policies in IAM are JSON documents that provide a detailed specification of permissions for actions on resources, ensuring a robust security posture. Furthermore, IAM supports role-based access control (RBAC) by allowing you to define roles that have certain permissions, which can then be assumed by users, groups, or AWS services. This makes it an essential service for managing access in AWS environments, aligning with best practices in security and governance.

The other options represent different services with other functionalities. For instance, AWS CloudTrail is primarily focused on logging account activity, Amazon Cognito is aimed at user authentication and access for web and mobile apps, and AWS Config provides monitoring and assessment of AWS resource configurations but does not manage access permissions. Thus, these services do not provide the same capabilities for implementing policies and managing role-based access control as IAM does.