We have both out of necessity. IAM policies on roles/users/groups are a given, but here are some concrete examples of what we're using resource policies for:
- Granting cross-account access to resources without requiring an explicit sts:AssumeRole on the other side (in some cases for things like CloudTrail and billing reports this is the only option)
- Enforcing SSE on S3 buckets (implemented as a DENY in the bucket policy with conditions to check for missing SSE headers)
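The SSE-enforcement item above, as an added example that is not part of the original comment: a bucket policy with a DENY for missing SSE headers, plus a small local model of how its conditions evaluate for a PutObject request. The bucket name `example-bucket`, the Sids, the helper names and the second statement (rejecting unapproved algorithms, which goes beyond the missing-header check mentioned) are assumptions; the evaluator models only the two operators used here, not the full IAM policy engine.

```python
SSE_KEY = "s3:x-amz-server-side-encryption"

def deny_put(sid, condition, bucket="example-bucket"):
    """Build one Deny statement for s3:PutObject (bucket name is a placeholder)."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Upload carries no SSE header at all.
        deny_put("DenyMissingSSEHeader", {"Null": {SSE_KEY: "true"}}),
        # Header is present but names an algorithm we do not accept.
        deny_put("DenyUnapprovedSSE",
                 {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}),
    ],
}

def condition_matches(condition, sse_value):
    """Evaluate the two operators used above; sse_value None means header absent."""
    for op, keys in condition.items():
        expected = keys[SSE_KEY]
        if op == "Null":
            if (sse_value is None) != (expected == "true"):
                return False
        elif op == "StringNotEquals":
            allowed = expected if isinstance(expected, list) else [expected]
            # Negated operators also match when the key is absent from the request.
            if sse_value is not None and sse_value in allowed:
                return False
        else:
            raise ValueError(f"operator not modelled: {op}")
    return True

def denied_by(policy, sse_value):
    """Return Sids of Deny statements a PutObject with this SSE header would hit."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and s["Action"] == "s3:PutObject"
            and condition_matches(s["Condition"], sse_value)]

if __name__ == "__main__":
    import json
    print(json.dumps(BUCKET_POLICY, indent=2))  # policy document to attach
    for value in (None, "AES256", "aws:kms", "none"):  # constructed requests
        print(value, "->", denied_by(BUCKET_POLICY, value) or "not denied")
```

Because an explicit Deny overrides any Allow, these statements apply to every principal regardless of what their IAM policies grant.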