I have explained in bigger detail the different policies in the Policy Section of my previous Exam Preparation Post about IAM but just a recap:

Identity-based policies: associated to a user, group or role, specifying actions, conditions

Resource Policies: attached directly to a resource (in this case to the S3 Bucket)

Due to their nature, usage and being independent from IAM Bucket policy could become more complex and are therefore allowed a bigger size ( up to 20 Kb, compared to just 2 Kb for user policies, 5 Kb for groups and 10 Kb for roles)

-ACLs: they allow setting different permissions per object, they don't have the same JSON format, and cannot apply implicit deny, nor conditions

ACLS are the legacy access control mechanism that predates IAM and is therefore not recommended.