AWSGlossary

IAM Policy Evaluation Logic: What It Is and When to Use It

Definition

AWS Identity and Access Management (IAM) Policy Evaluation Logic is the process AWS uses to determine whether a request made by a principal (a user, role, or service) to access a resource is allowed or denied. This logic synthesizes all applicable policies—including identity-based policies, resource-based policies, and organizational guardrails—to arrive at a final authorization decision, with an explicit deny statement always overriding any allows.

How It Works

The IAM policy evaluation logic is a systematic, multi-step process that begins the moment a principal makes a request to an AWS service. All requests are denied by default (an "implicit deny") and must be explicitly allowed by a policy to succeed.

The evaluation flow proceeds in a specific order, checking various policy types. If at any point an explicit "Effect": "Deny" statement is found in any applicable policy, the request is immediately denied and the evaluation stops.

Here is the canonical order of evaluation for a request:

  1. Explicit Deny Check: AWS first evaluates all applicable policies—identity-based, resource-based, permissions boundaries, session policies, and Service Control Policies (SCPs)—for any statement with "Effect": "Deny" that matches the request's action, resource, and conditions. If a match is found, the request is immediately denied, and this decision is final.

  2. Service Control Policies (SCPs): If your account is part of an AWS Organization, AWS checks the SCPs applied to the account. SCPs act as guardrails, defining the maximum permissions available for an account. An action must be allowed by the relevant SCPs to proceed. SCPs do not grant permissions; they only filter or restrict them.

  3. Resource-based Policies: If the request involves a resource that has a policy attached (e.g., an Amazon S3 bucket policy or an AWS KMS key policy), that policy is evaluated. An "Effect": "Allow" in a resource-based policy can be sufficient to grant access, which is particularly important for cross-account access scenarios.

  4. Identity-based Policies: AWS evaluates the IAM policies attached to the principal (the user, group, or role) making the request. These policies define what actions the identity is allowed to perform.

  5. IAM Permissions Boundary: If a permissions boundary is attached to the IAM user or role, it sets the maximum permissions that the identity-based policies can grant. The effective permissions are the intersection of the identity-based policies and the permissions boundary. A permissions boundary does not grant permissions; it only limits them.

  6. Session Policies: If the principal is using temporary credentials from assuming a role, any session policies passed during the AssumeRole API call are evaluated. These policies further restrict the permissions for that specific session. The effective permissions are the intersection of the role's policies and the session policy.

  7. Final Decision: If the evaluation process has not encountered an explicit deny, and at least one of the evaluated policy types (resource-based, identity-based, etc., within the constraints of SCPs and boundaries) contains an "Effect": "Allow" for the request, the request is allowed. If no Allow statement is found, the initial implicit deny takes effect, and the request is denied.

For cross-account access, permissions must generally be granted in both accounts: the calling principal's identity-based policy must allow the action, and the target resource's resource-based policy (or the assumed role's trust policy) must allow access from the calling principal's account.

Key Features and Limits

  • Explicit Deny Precedence: An explicit deny in any policy type always overrides any allow statements.
  • Default Implicit Deny: By default, any action that is not explicitly allowed is denied. This enforces the principle of least privilege.
  • Multiple Policy Types: AWS supports various policy types for layered security, including identity-based, resource-based, SCPs, permissions boundaries, and session policies.
  • Centralized Governance: SCPs enable organizations to enforce broad security guardrails across all accounts from a central management account.
  • Policy Size Limits: IAM policy documents have size limits. For example, a role's trust policy can be up to 8,192 characters.
  • Policy Attachment Limits: There are quotas on the number of policies that can be attached to an IAM entity. For instance, a role can have up to 25 managed policies attached.
  • Account-Level Quotas: AWS accounts have quotas for the total number of roles, users, and customer-managed policies. As of early 2026, accounts can have up to 10,000 roles and 10,000 customer-managed policies.

Common Use Cases

  • Enforcing Least Privilege: Granting an AWS Lambda function a narrow identity-based policy that only allows it to write logs to a specific Amazon CloudWatch Log Group and read from a specific Amazon DynamoDB table.
  • Establishing Organizational Guardrails: Using an SCP to deny all IAM users and roles in a member account from disabling or modifying critical security services like AWS CloudTrail, AWS Config, or IAM Access Analyzer.
  • Securely Sharing Resources Across Accounts: An S3 bucket in a data analytics account (Account B) uses a resource-based policy to grant read-only access to a specific IAM role in an application account (Account A), which has a corresponding identity-based policy allowing it to perform s3:GetObject.
  • Delegating Permissions Safely: An administrator attaches a permissions boundary to an IAM role intended for a junior developer. This boundary limits the role's maximum permissions to only EC2 and RDS actions, preventing the developer from accidentally or intentionally accessing other services, even if they can modify their own identity-based policies.
  • Restricting Privileged Sessions: A security engineer assumes a role to perform database maintenance, passing a session policy that temporarily restricts their permissions to only the necessary rds-db:* actions on a specific database instance for the duration of their session.

Pricing Model

AWS Identity and Access Management (IAM), including its policy evaluation logic, is a foundational feature of an AWS account and is offered at no additional charge. You do not pay for creating IAM users, roles, policies, or for the evaluation of those policies.

However, some advanced features within the IAM ecosystem, such as IAM Access Analyzer for unused access analysis or custom policy checks, may have associated costs based on the number of resources analyzed or API calls made. You are responsible for the costs of other AWS services used by the principals you manage with IAM.

Pros and Cons

Pros:

  • Granular Control: The multi-layered logic allows for extremely precise and fine-grained permission settings.
  • Robust Security: The explicit deny override provides a powerful tool to secure resources and prevent unintended access.
  • Flexibility: The model supports a wide range of access control scenarios, from simple user permissions to complex cross-organization federations.
  • Scalable Governance: SCPs and permissions boundaries enable security management at scale, from individual identities to entire organizations.

Cons:

  • Complexity: The interaction between multiple policy types can be complex and difficult to reason about, potentially leading to misconfigurations.
  • Troubleshooting Difficulty: Diagnosing "access denied" errors requires a thorough understanding of the entire evaluation chain, which can be challenging. Tools like the IAM Policy Simulator and AWS CloudTrail logs are essential for debugging.
  • Steep Learning Curve: Mastering the nuances of policy syntax, condition keys, and the evaluation order requires significant effort.
  • Management Overhead: Managing thousands of policies across a large organization without a clear strategy and automation (e.g., Infrastructure as Code) can become unmanageable.

Comparison with Alternatives

IAM policy evaluation is a fundamental AWS process rather than a standalone service with direct alternatives. However, it's useful to compare the different policy types and their roles within the logic:

  • Identity-based Policies vs. Resource-based Policies: Identity-based policies are attached to the principal (who) and define what they can do. Resource-based policies are attached to the resource (what) and define who can access it. Resource-based policies are essential for granting direct cross-account access and for making resources public.
  • Service Control Policies (SCPs) vs. Permissions Boundaries: Both act as permission limiters, not grantors. Use an SCP for broad, account-level guardrails that apply to all principals within an account or OU (e.g., "No one in this account can leave the organization"). Use a Permissions Boundary to delegate administrative tasks safely by setting maximum permissions for a specific user or role (e.g., "This role can create other roles, but those new roles can never have more permissions than this boundary allows").

Exam Relevance

IAM Policy Evaluation Logic is a critical topic across nearly all AWS certification exams, especially:

  • AWS Certified Solutions Architect - Associate (SAA-C03)
  • AWS Certified Security - Specialty (SCS-C02)
  • AWS Certified SysOps Administrator - Associate (SOA-C02)
  • AWS Certified Developer - Associate (DVA-C02)

Examinees must know the precise order of policy evaluation. Key topics include understanding that an explicit deny always wins, the difference between an implicit and explicit deny, how SCPs and permissions boundaries function as guardrails, and the requirements for cross-account access using IAM roles and resource-based policies. Scenario-based questions often require troubleshooting an access denied error by identifying which policy in the chain is causing the block.

Frequently Asked Questions

Q: What is the difference between an implicit deny and an explicit deny?

A: An implicit deny is the default state in AWS IAM; if no policy explicitly allows an action, it is denied. An explicit deny is a statement in a policy with "Effect": "Deny". An explicit deny always overrides any Allow statements from other policies and is the most powerful decision in the evaluation logic.

Q: My request is being denied, but I have an identity-based policy that allows the action. What could be the cause?

A: An Allow in an identity-based policy can be overridden by several other policies in the evaluation chain. You should check for an explicit Deny statement in any applicable policy, a Service Control Policy (SCP) that does not permit the action, a permissions boundary that restricts it, or a session policy that doesn't include the permission. If it's a cross-account request, you must also ensure the resource-based policy in the target account allows the action.

Q: When should I use a permissions boundary instead of a Service Control Policy (SCP)?

A: Use an SCP to set broad, mandatory guardrails for an entire AWS account or Organizational Unit (OU), such as preventing any user from deleting critical logging resources. Use a permissions boundary on a specific IAM user or role to delegate permission management safely; it defines the maximum permissions that identity can ever have, even if its identity-based policies grant more.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/27/2026 / Updated: 5/27/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Security

AWS Firewall Manager: Simplify Security Policy Management

AWS Firewall Manager centrally manages firewall rules and security policies across your AWS Organization. Ensure consistent enforcement and compliance. Learn how it works.

KMS Envelope Encryption: How It Works & When to Use It

KMS Envelope Encryption encrypts data with a DEK, then encrypts the DEK with a KMS key. Learn its two-tiered approach for secure, efficient data protection.

IAM Condition Keys: Fine-Grained Access Control Explained

IAM Condition Keys are key-value pairs in IAM policies for context-aware access control. Learn how they restrict permissions and when to use them.

Resource-Based vs Identity-Based Policies: How to Use Them

Understand AWS IAM identity-based vs resource-based policies. Learn what they are, how they differ, and when to use each for effective AWS security. See examples.

IAM Permissions Boundary: Control Max Permissions

An IAM Permissions Boundary sets the maximum permissions an IAM policy can grant. Learn how it prevents privilege escalation and when to use it.

View all Security terms →