Policy evaluation logic - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Policy evaluation logic

When a principal tries to use the Amazon Web Services Management Console, the Amazon API, or the Amazon CLI, that principal sends a request to Amazon. When an Amazon service receives the request, Amazon completes several steps to determine whether to allow or deny the request.

  1. Authentication – Amazon first authenticates the principal that makes the request, if necessary. This step is not necessary for a few services, such as Amazon S3, that allow some requests from anonymous users.

  2. Processing the request context – Amazon processes the information gathered in the request to determine which policies apply to the request.

  3. How Amazon enforcement code logic evaluates requests to allow or deny access – Amazon evaluates all of the policy types and the order of the policies affects how they are evaluated. Amazon then processes the policies against the request context to determine whether the request is allowed or denied.

Evaluating identity-based policies with resource-based policies

Identity-based policies and resource-based policies grant permissions to the identities or resources to which they are attached. When an IAM entity (user or role) requests access to a resource within the same account, Amazon evaluates all the permissions granted by the identity-based and resource-based policies. The resulting permissions are the union of the permissions of the two types. If an action is allowed by an identity-based policy, a resource-based policy, or both, then Amazon allows the action. An explicit deny in either of these policies overrides the allow.

Evaluation of identity-based policies and resource-based policies

Evaluating identity-based policies with permissions boundaries

When Amazon evaluates the identity-based policies and permissions boundary for a user, the resulting permissions are the intersection of the two categories. That means that when you add a permissions boundary to a user with existing identity-based policies, you might reduce the actions that the user can perform. Alternatively, when you remove a permissions boundary from a user, you might increase the actions they can perform. An explicit deny in either of these policies overrides the allow. To view information about how other policy types are evaluated with permissions boundaries, see Evaluating effective permissions with boundaries.

Evaluation of identity-based policies and permissions boundaries

Evaluating identity-based policies with Amazon Organizations SCPs or RCPs

When a user belongs to an account that is a member of an organization and accesses a resource that doesn't have a resource-based policy configured, the resulting permissions are the intersection of the user's policies, service control policies (SCPs), and resource control policy (RCP). This means that an action must be allowed by all three policy types. An explicit deny in the identity-based policy, an SCP, or an RCP overrides the allow.

Evaluation of identity-based policies and SCPs or RCPs

You can learn whether your account is a member of an organization in Amazon Organizations. Organization members might be affected by an SCP or RCP. To view this data using the Amazon CLI command or Amazon API operation, you must have permissions for the organizations:DescribeOrganization action for your Amazon Organizations entity. You must have additional permissions to perform the operation in the Amazon Organizations console. To learn whether an SCP or RCP is denying access to a specific request, or to change your effective permissions, contact your Amazon Organizations administrator.