IAM Policy Evaluation Logic

  • The following is a high-level summary of how AWS evaluates these policies for a request within a single account:

    • By default, all requests are implicitly denied. (Alternatively, by default, the AWS account root user has full access.)

    • An explicit allow in an identity-based or resource-based policy overrides this default.

    • If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.

    • An explicit deny in any policy overrides any allows.
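The four rules above form a small decision procedure, so here is an added worked example (not AWS code, and not part of the original page) that implements them literally over toy policies. Policy statements, the `evaluate` function, the sample ARNs and the bucket name are all constructed for illustration; wildcard matching uses Python's `fnmatchcase`, which is close to IAM's `*`/`?` semantics but not identical. Real AWS has further cases the page does not describe (for example, how a resource-based policy interacts with a permissions boundary or a session policy, and cross-account requests), so this model should be read as the page's four rules and nothing more.

```python
"""Toy evaluator for the four IAM policy-evaluation rules (single account)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: List[str]     # IAM-style patterns, e.g. "s3:GetObject", "s3:*"
    resources: List[str]   # ARN patterns, e.g. "arn:aws:s3:::photos/*"

    def matches(self, action: str, resource: str) -> bool:
        # fnmatchcase supports '*' and '?' like IAM (it also accepts character
        # classes, which IAM does not; acceptable for a toy model).
        return (any(fnmatchcase(action, a) for a in self.actions)
                and any(fnmatchcase(resource, r) for r in self.resources))


Policy = List[Statement]


def policy_decision(policy: Policy, action: str, resource: str) -> str:
    """Decision of one policy set on its own: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"                  # rule 1: nothing matched yet
    for stmt in policy:
        if not stmt.matches(action, resource):
            continue
        if stmt.effect == "Deny":
            return "Deny"                      # an explicit deny ends the search
        decision = "Allow"
    return decision


def evaluate(action: str, resource: str, identity: Policy,
             resource_policy: Optional[Policy] = None,
             boundary: Optional[Policy] = None,
             scp: Optional[Policy] = None,
             session: Optional[Policy] = None) -> Tuple[bool, str]:
    """Apply the four rules in order of precedence; returns (allowed, reason)."""
    resource_policy = resource_policy or []
    gates = {"permissions boundary": boundary, "SCP": scp, "session policy": session}
    everything = [identity, resource_policy] + [g for g in gates.values() if g is not None]

    # Rule 4: an explicit deny in any policy overrides every allow.
    for policy in everything:
        if policy_decision(policy, action, resource) == "Deny":
            return False, "explicit deny"

    # Rules 1 and 2: start from implicit deny; only an explicit allow in an
    # identity-based or resource-based policy lifts it.
    grants = (policy_decision(identity, action, resource),
              policy_decision(resource_policy, action, resource))
    if "Allow" not in grants:
        return False, "implicit deny (no matching allow)"

    # Rule 3: each gate that is present must also allow the action, otherwise
    # it overrides the allow with an implicit deny.
    for name, policy in gates.items():
        if policy is not None and policy_decision(policy, action, resource) != "Allow":
            return False, f"implicit deny from {name}"

    return True, "allowed"


# Constructed sample request and statements (hypothetical bucket and ARNs).
ACTION = "s3:GetObject"
OBJECT_ARN = "arn:aws:s3:::photos/cat.jpg"
ALLOW_S3_READ = Statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::photos/*"])
ALLOW_ALL_S3 = Statement("Allow", ["s3:*"], ["*"])
ALLOW_ONLY_EC2 = Statement("Allow", ["ec2:*"], ["*"])
DENY_ALL_S3 = Statement("Deny", ["s3:*"], ["*"])


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """One scenario per rule, so each outcome can be traced to the rule that produced it."""
    return {
        "no policy at all":      evaluate(ACTION, OBJECT_ARN, identity=[]),
        "identity allow":        evaluate(ACTION, OBJECT_ARN, identity=[ALLOW_S3_READ]),
        "resource-based allow":  evaluate(ACTION, OBJECT_ARN, identity=[],
                                          resource_policy=[ALLOW_S3_READ]),
        "boundary without s3":   evaluate(ACTION, OBJECT_ARN, identity=[ALLOW_S3_READ],
                                          boundary=[ALLOW_ONLY_EC2]),
        "boundary with s3":      evaluate(ACTION, OBJECT_ARN, identity=[ALLOW_S3_READ],
                                          boundary=[ALLOW_ALL_S3]),
        "scp explicit deny":     evaluate(ACTION, OBJECT_ARN, identity=[ALLOW_S3_READ],
                                          scp=[DENY_ALL_S3]),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:22s} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The ordering in `evaluate` is the point: explicit deny is checked first because rule 4 takes precedence regardless of what else matches, the allow lookup is restricted to identity-based and resource-based policies, and a boundary, SCP or session policy can only narrow the result (its silence is an implicit deny), never grant anything on its own.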
