CloudGuild · Blog · Cheat sheets · Lessons · Certifications

How IAM Policy Evaluation Works

Understand the order AWS evaluates identity, resource, and organization policies.

AWS evaluates access as: explicit deny > SCP boundary > explicit allow > default deny.

Exam tip: if a user has an IAM allow but an SCP does not permit the action, the request is denied.

Take a free mock exam →