CloudGuild · Blog · Cheat sheets · Lessons · Certifications
How IAM Policy Evaluation Works
Understand the order AWS evaluates identity, resource, and organization policies.
AWS evaluates access as: explicit deny > SCP boundary > explicit allow > default deny.
- An explicit Deny anywhere always wins.
- SCPs cap the maximum permissions for accounts in an Organization.
- Without an explicit allow, the default is deny.
Exam tip: if a user has an IAM allow but an SCP does not permit the action, the request is denied.