What's the difference between an AWS Organizations service control policy and an IAM policy?

Last updated: 2020-08-13

What's the difference between an AWS Organizations service control policy (SCP) and an AWS Identity and Access Management (IAM) policy, and how can I use them together?

Resolution

AWS Organizations SCPs don't replace associating IAM policies within an AWS account.

IAM policies allow or deny access to AWS services and API actions that support IAM. An IAM policy can be attached only to IAM identities (users, groups, or roles); it can't restrict the AWS account root user.

You can use SCPs to allow or deny access to AWS services for individual member accounts in your AWS Organizations organization, or for groups of accounts within an organizational unit (OU). The actions specified in an attached SCP affect all IAM identities in the member account, including its root user.

AWS services that aren't explicitly allowed by the SCPs attached to an AWS account or to its parent OUs are denied for that account. SCPs attached to an OU are inherited by all AWS accounts in that OU. For more information, see How SCPs work.
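The following Python script is an added example, not code from AWS or from this Knowledge Center article. It models the rule described above as a small evaluator: an action must be allowed by an SCP at every level of the organization hierarchy (root, each parent OU, the account) and denied by none, and only then do the identity's IAM policies decide, except for the root user, which SCPs still restrict but IAM policies do not. The policy documents are constructed samples, and the model deliberately ignores Resource, Condition and NotAction elements, permission boundaries, session and resource-based policies, and the management account's exemption from SCPs.

```python
"""Simplified model of how SCPs and IAM identity policies combine (assumption-laden example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM JSON allows a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive and patterns may contain '*' and '?'."""
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document.

    An explicit Deny in any statement wins over any Allow. Resource, Condition
    and NotAction are intentionally not modelled here.
    """
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def scp_allows(scp_chain, action):
    """scp_chain is a list of levels (root, OU..., account), each a list of SCPs.

    At every level the action must be allowed by at least one SCP and denied
    by none; an OU's SCPs are inherited by every account beneath it.
    """
    for level in scp_chain:
        decisions = [evaluate_policy(scp, action) for scp in level]
        if "Deny" in decisions or "Allow" not in decisions:
            return False
    return True


def is_allowed(action, scp_chain, identity_policies=(), is_root=False):
    """Effective decision for a principal in a member account."""
    if not scp_allows(scp_chain, action):
        return False  # SCPs apply to every identity, the root user included
    if is_root:
        return True  # IAM identity policies cannot restrict the root user
    decisions = [evaluate_policy(p, action) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions


# --- constructed sample policies (not real account data) -------------------
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_TRAIL_TAMPERING = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
}]}
S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DEVELOPER_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*", "cloudtrail:*"],
    "Resource": "*",
}]}

# Root -> Workloads OU (guardrail attached) -> member account
GUARDRAIL_CHAIN = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_TRAIL_TAMPERING], [FULL_AWS_ACCESS]]
# Root -> Sandbox OU (allow-list only) -> member account
ALLOWLIST_CHAIN = [[FULL_AWS_ACCESS], [S3_ONLY], [FULL_AWS_ACCESS]]


def demo():
    """Return the decisions a practitioner would want to compare side by side."""
    return {
        "dev s3:GetObject (guardrail OU)": is_allowed("s3:GetObject", GUARDRAIL_CHAIN, [DEVELOPER_POLICY]),
        "dev cloudtrail:StopLogging (guardrail OU)": is_allowed("cloudtrail:StopLogging", GUARDRAIL_CHAIN, [DEVELOPER_POLICY]),
        "root cloudtrail:StopLogging (guardrail OU)": is_allowed("cloudtrail:StopLogging", GUARDRAIL_CHAIN, is_root=True),
        "dev ec2:RunInstances (no IAM allow)": is_allowed("ec2:RunInstances", GUARDRAIL_CHAIN, [DEVELOPER_POLICY]),
        "root ec2:RunInstances (no IAM allow)": is_allowed("ec2:RunInstances", GUARDRAIL_CHAIN, is_root=True),
        "dev cloudtrail:DescribeTrails (allow-list OU)": is_allowed("cloudtrail:DescribeTrails", ALLOWLIST_CHAIN, [DEVELOPER_POLICY]),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'ALLOW' if allowed else 'DENY'}")
```

Two rows are the ones to notice: the root user is stopped by the OU's Deny SCP even though no IAM policy applies to it, and in the allow-list OU the developer's IAM Allow for CloudTrail is useless because no SCP at that level grants it. The SCP sets the outer boundary; the IAM policy still has to grant the action inside it.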

For more information on how you can use IAM to secure access to your organization, see AWS Identity and Access Management in AWS Organizations.