You can restrict the scope of a user's permissions by specifying which two items in an IAM policy?