What is the difference between an AWS Organizations service control policy and an AWS Identity and Access Management (IAM) policy?
Resolution
AWS Organizations service control policies (SCPs) and IAM policies serve different purposes in access management. Use the following sections to understand the difference and how SCPs and IAM policies work together.
Understand how AWS Organizations SCPs work
AWS Organizations SCPs don't replace IAM policies within an AWS account. Use SCPs to allow or deny access to AWS services for individual AWS accounts or groups of accounts within an organizational unit (OU).
The specified actions from an attached SCP affect all IAM identities, including the root user of the member account. SCPs deny access to AWS services that aren't explicitly allowed by the SCPs associated with an AWS account or its parent OUs. All AWS accounts in an OU inherit SCPs associated with that OU.
For more information, see Service control policy examples.
Understand how IAM policies work
IAM policies allow or deny access to AWS services or API operations. IAM policies apply only to IAM identities (users, groups, or roles) within a single AWS account. IAM policies can't restrict the AWS account root user.
For more information, see Example IAM identity-based policies.
Understand how SCPs and IAM policies work together
When a user in an AWS Organizations member account requests access to a resource, AWS evaluates both SCPs and IAM policies together. The user receives only the permissions that both policy types allow.
For an action to be permitted, both the IAM policy and the SCP must explicitly allow it. An explicit deny in either the IAM policy or the SCP overrides any allow statement. SCPs define the maximum permissions available to accounts and OUs. IAM policies can only grant permissions within those boundaries.
Example scenario:
An IAM user has an IAM policy that allows full Amazon Simple Storage Service (Amazon S3) access. However, an SCP attached to the user's account denies all Amazon S3 actions. The user can't access Amazon S3 because the SCP denial overrides the IAM policy permission.
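The following Python script is an added illustration, not part of the original article: it models the evaluation described above with constructed sample policy documents (an IAM policy allowing full Amazon S3 access, an SCP that keeps the default allow-all but denies Amazon S3). It is a simplification that checks only the Effect and Action fields and ignores Resource, Condition, and NotAction elements.

```python
import fnmatch

# Constructed sample IAM identity-based policy: full Amazon S3 access plus one EC2 read action.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}

# Constructed sample SCP: default allow-all statement plus an explicit deny of all Amazon S3 actions.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"},
]}


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'deny', 'allow', or 'implicit_deny' for a single policy document.

    An explicit Deny wins over any Allow; no matching statement is an implicit deny.
    """
    result = "implicit_deny"
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_action_matches(p, action) for p in actions):
            if statement["Effect"] == "Deny":
                return "deny"
            result = "allow"
    return result


def is_permitted(scps, iam_policy, action, is_root=False):
    """Combine SCPs and an IAM policy: the action must be allowed by every SCP level and by IAM."""
    # SCPs apply to every identity in the member account, including the root user.
    # Each SCP in the list stands for one level (root, OU, account) that must explicitly allow.
    for scp in scps:
        if evaluate_policy(scp, action) != "allow":
            return False
    # The root user is not restricted by IAM identity-based policies.
    if is_root:
        return True
    return evaluate_policy(iam_policy, action) == "allow"
```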
Related information
Identity and Access Management for AWS Organizations
Tutorial: Creating and configuring an organization
Terminology and concepts for AWS Organizations