How do AWS Organizations SCPs and IAM policies work together?

  • Users and roles must still be granted permissions with appropriate IAM permission policies. Without any IAM permission policies, a user has no access, even if the applicable SCPs allow all services and all actions.
  • If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.
  • If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can’t perform that action.
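The three rules above amount to an intersection: an action is effective only if the SCP allows it (no explicit deny, and some allow) and the identity's IAM policy independently grants it. The following is an added, simplified evaluator over two constructed sample policy documents; it is not AWS code and ignores permissions boundaries, session policies, resource-based policies and conditions.

```python
import fnmatch
import json

# Constructed sample SCP: allow everything, then explicitly deny two actions.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["iam:CreateUser", "organizations:LeaveOrganization"],
     "Resource": "*"}
  ]
}""")

# Constructed sample IAM identity policy attached to a user or role.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:CreateUser"],
     "Resource": "*"}
  ]
}""")

# A user with no IAM permission policy at all.
EMPTY_IAM_POLICY = {"Version": "2012-10-17", "Statement": []}


def _matches(statement, action):
    """Case-insensitive wildcard match of an action against a statement's Action list."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)


def policy_decision(policy, action):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.
    An explicit Deny always wins over any Allow in the same document."""
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        if _matches(statement, action):
            if statement["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def is_allowed(scp, iam_policy, action):
    """Simplified evaluation: the SCP bounds what is possible, the IAM policy must grant it."""
    if policy_decision(scp, action) != "allow":
        return False  # SCP not allowing, or explicitly denying, blocks the action
    return policy_decision(iam_policy, action) == "allow"
```

Run `is_allowed(SCP, IAM_POLICY, "iam:CreateUser")` to see the SCP deny override the IAM allow, and `is_allowed(SCP, EMPTY_IAM_POLICY, "s3:GetObject")` to see that a permissive SCP grants nothing by itself.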