


 Resolution
-----------


###  AWS Organizations SCPs



AWS Organizations SCPs don't replace associating IAM policies within an AWS account.


You can use SCPs to allow or deny access to AWS services for individual AWS accounts with AWS Organizations [member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account), or for groups of accounts within an [organizational unit (OU)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html). The specified actions from an attached SCP affect all IAM identities including the [root user](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html) of the member account.


AWS services that aren't explicitly allowed by the SCPs associated with an AWS account or its parent OUs are denied access to the AWS accounts or OUs associated with the SCP. SCPs associated to an OU are inherited by all AWS accounts in that OU.


For more information, see [Example service control policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html).



###  IAM policies



IAM policies allow or deny access to AWS services or API actions [that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html). An IAM policy can be applied only to [IAM identities (users, groups, or roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html). IAM policies can't restrict the [AWS account root user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html).


For more information, see [Example IAM identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html).


For more information on how you can use IAM to secure access to your organization, see [AWS Identity and Access Management and AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_iam.html).





---




 Related information
--------------------



[Tutorial: Creating and configuring an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tutorials_basic.html)


[AWS Organizations terminology and concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)







What's the difference between an AWS Organizations service control policy (SCPs) and an AWS Identity and Access Management (IAM) policy? How can I use them together?

Understand how IAM policies and Organizations SCPs interact

What's the difference between an AWS Organizations service control policy and an IAM policy?

Management & Governance

Migrating AWS accounts between organizations

How do I use SCPs and tag policies so that users in my organization's member accounts in Organizations can't create resources?

How do I move an account from an existing organization to another organization in AWS Organizations?

How do I manage the SCP character size limit or number of SCPs for an AWS Organization?

Why can't I join an organization in AWS Organizations?

AWS Organizations SCP policies and member root accounts

AWS organization create policy hangs - bug

Creating an organization to setup Control Tower

AWS Organization policy to limit the AcceptDataGrant action only among aws org members accounts

AWS organization

What's the difference between an AWS Organizations service control policy and an IAM policy?

Resolution

AWS Organizations SCPs

IAM policies

Related information

Relevant content