What's the difference between a service control policy and an IAM policy, and how can I use them together?

AWS Organizations does not replace associating IAM policies with users, groups, and roles within an AWS account.

IAM policies let you allow or deny access to AWS services (such as Amazon S3), individual AWS resources (such as a specific S3 bucket), or individual API actions (such as s3:CreateBucket). An IAM policy can be applied only to IAM users, groups, or roles, and it can never restrict the root identity of the AWS account.

By contrast, AWS Organizations lets you use service control policies (SCPs) to allow or deny access to particular AWS services for individual AWS accounts, or for groups of accounts within an organizational unit (OU). The specified actions from an attached SCP affect all IAM users, groups, and roles for an account, including the root account identity.

When you apply an SCP to an OU or an individual AWS account, you choose to either enable (whitelist), or disable (blacklist) the specified AWS service. Access to any service that isn’t explicitly allowed by the SCPs associated with an account, its parent OUs, or the master account is denied to the AWS accounts or OUs associated with the SCP.

When an SCP is applied to an OU, it is inherited by all of the AWS accounts in that OU.

To illustrate the way that SCPs and IAM policies can interact, assume that you have a grouping of AWS accounts in an organization similar to the following:


Services whitelisted (allowed) for each group by the organization's SCP are circled in orange, and IAM policies allowing access to particular services are circled in gray.

The IAM user Bob is part of the Dev OU, and the IAM policy associated with Bob allows full access to the Amazon S3 and Amazon EC2 services. Because the SCP associated with the Dev OU allows the use of the S3 service, and Bob has an IAM policy that grants him full access to S3, Bob can use S3. However, even though the IAM policy also grants Bob admin access to EC2, since the SCP only allows the use of S3, Bob cannot use EC2.

For the IAM user David, even though the S3 service is whitelisted for the users, groups, and roles in the Sales OU (by the SCP), David's IAM policy doesn't allow access to any AWS services. David will not be able to access any AWS services until he has an IAM policy that grants permissions to services.

Assume a similar grouping of accounts, but one in which the IAM service is explicitly blacklisted (denied) by the SCP associated with the Dev OU, while all other services are whitelisted (allowed):


A Deny operates like a traditional blacklist, blocking only the specified AWS services. This means that none of the identities in the Dev OU can ever access the IAM service, but Bob will still be able to access S3, because the SCP is only blacklisting the IAM service.

Organizations, IAM, SCP

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-03-01