What's the difference between an AWS Organizations service control policy and an IAM policy?


What's the difference between AWS Organizations service control policies (SCPs) and AWS Identity and Access Management (IAM) policies? How can I use them together?

Resolution

AWS Organizations SCPs

AWS Organizations SCPs don't replace associating IAM policies within an AWS account.

You can use SCPs to allow or deny access to AWS services for individual member accounts in AWS Organizations, or for groups of accounts within an organizational unit (OU). The actions specified in an attached SCP affect all IAM identities in the member account, including its root user.

Access to any AWS service that isn't explicitly allowed by the SCPs attached to an AWS account or to its parent OUs is denied for every account and OU the SCP applies to. SCPs attached to an OU are inherited by all AWS accounts in that OU.

For more information, see Example service control policies.

IAM policies

IAM policies allow or deny access to AWS services or API actions that work with IAM. An IAM policy can be applied only to IAM identities (users, groups, or roles). IAM policies can't restrict the AWS account root user.

For more information, see Example IAM identity-based policies.

For more information on how you can use IAM to secure access to your organization, see AWS Identity and Access Management and AWS Organizations.
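As an added example (not from this article), the following simplified Python model shows how an SCP and an IAM identity-based policy combine for a member account: an action must be allowed by the SCP and, for IAM users and roles, also by the IAM policy, while the root user is bound only by the SCP. The two policy documents are constructed for illustration, and the model ignores resource ARNs, conditions, resource-based policies, and permissions boundaries.

```python
import fnmatch

# Constructed sample SCP attached to an OU: allow everything, then deny one service.
# Every account in the OU inherits it, root user included.
SCP = {
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ]
}

# Constructed sample IAM identity-based policy attached to a role in a member account.
IAM_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "ec2:DescribeInstances"],
            "Resource": "*",
        }
    ]
}


def _evaluate(policy, action):
    """Return 'Allow', 'Deny', or None (implicit deny) for one policy document.

    Action names are matched case-insensitively with IAM-style wildcards;
    an explicit Deny always wins over any Allow.
    """
    result = None
    for stmt in policy.get("Statement", []):
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, scp, iam_policy=None, is_root=False):
    """Simplified decision: the SCP must allow the action for every identity;
    IAM users/roles additionally need an Allow from their IAM policy, but the
    root user is not restricted by IAM policies at all."""
    if _evaluate(scp, action) != "Allow":
        return False  # SCP restricts all identities, including root
    if is_root:
        return True  # IAM policies can't restrict the account root user
    if iam_policy is None:
        return False  # nothing grants the permission inside the account
    return _evaluate(iam_policy, action) == "Allow"
```

The SCP alone never grants access: an action the IAM policy omits (here `s3:PutObject`) stays denied for the role even though the SCP allows `*`.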


Related information

Tutorial: Creating and configuring an organization

AWS Organizations terminology and concepts

AWS OFFICIAL. Updated 2 years ago.