


 Resolution
-----------


###  AWS Organizations SCPs



AWS Organizations SCPs don't replace associating IAM policies within an AWS account.


You can use SCPs to allow or deny access to AWS services for individual AWS accounts with AWS Organizations [member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account), or for groups of accounts within an [organizational unit (OU)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html). The specified actions from an attached SCP affect all IAM identities including the [root user](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html) of the member account.


AWS services that aren't explicitly allowed by the SCPs associated with an AWS account or its parent OUs are denied access to the AWS accounts or OUs associated with the SCP. SCPs associated to an OU are inherited by all AWS accounts in that OU.


For more information, see [Example service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html).



###  IAM policies



IAM policies allow or deny access to AWS services or API actions [that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). An IAM policy can be applied only to [IAM identities (users, groups, or roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html). IAM policies can't restrict the [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html).


For more information, see [Example IAM identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).


For more information on how you can use IAM to secure access to your organization, see [AWS Identity and Access Management and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_iam.html).





---




 Related information
--------------------



[Tutorial: Creating and configuring an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html)


[AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)







What's the difference between an AWS Organizations service control policy (SCPs) and an AWS Identity and Access Management (IAM) policy? How can I use them together?

Understand how IAM policies and Organizations SCPs interact

What's the difference between an AWS Organizations service control policy and an IAM policy?

Gestión y gobierno

¿Cómo puedo aumentar el límite de tamaño de caracteres de la SCP o la cantidad de SCP para una organización de AWS?

¿Cómo puedo utilizar las SCP y las políticas de etiquetas para evitar que los usuarios de mis cuentas de miembros de AWS Organizations creen recursos?

¿Cómo puedo resolver el error “You have exceeded the allowed number of AWS accounts” (Ha superado el número permitido de cuentas de AWS) en AWS Organizations?

¿Cómo puedo resolver el error “An error occurred (TargetNotConnectedException) when calling the ExecuteCommand operation” (Se produjo un error (TargetNotConnectedException) al llamar a la operación ExecuteCommand) en Amazon Elastic Container Service (Amazon ECS)?

What's the difference between an AWS Organizations service control policy and an IAM policy?

Resolution

AWS Organizations SCPs

IAM policies

Related information

Contenido relevante