How SCPs Combine with IAM Permissions
See why an SCP can deny but never grant on its own.
Two Layers of Control
Access in an organization is governed by two layers: the SCP ceiling set by AWS Organizations and the IAM permissions granted within the account. Understanding how they combine is one of the most testable ideas in the governance domain, because the outcome depends on both agreeing.
The Effective-Permission Rule
The rule is simple but strict: an action is allowed only if it is permitted by both the applicable SCPs and the account's IAM policies. The effective permission is the intersection. An SCP without a matching IAM allow grants nothing; an IAM allow blocked by an SCP grants nothing.
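A small evaluator that applies this intersection rule, added here as an illustration and not taken from the original lesson. It models only the Action element (SCPs always apply to `Resource: "*"`; Resource and Condition matching, and the management account's exemption from SCPs, are left out), and the SCP and IAM policy documents are constructed samples.

```python
import fnmatch

# Constructed sample policies: one SCP attached to the account's OU and one
# IAM identity policy inside the account.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]},
    {"Effect": "Deny", "Action": ["ec2:TerminateInstances"]},
]}
IAM_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"]},
]}

def _matches(action, patterns):
    """Case-insensitive wildcard match, like IAM's '*' and '?' in Action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def evaluate_layer(policy, action):
    """Return 'Deny' if an explicit Deny matches, 'Allow' if only an Allow
    matches, otherwise 'ImplicitDeny' (the default when nothing applies)."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if _matches(action, actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation of this layer
            verdict = "Allow"
    return verdict

def effective_permission(scps, iam_policy, action):
    """Allowed only when every SCP in the OU chain allows the action AND the
    IAM policy allows it: the effective permission is the intersection."""
    scp_verdicts = [evaluate_layer(s, action) for s in scps]
    iam_verdict = evaluate_layer(iam_policy, action)
    allowed = all(v == "Allow" for v in scp_verdicts) and iam_verdict == "Allow"
    return {"action": action, "scp": scp_verdicts,
            "iam": iam_verdict, "allowed": allowed}

if __name__ == "__main__":
    for a in ["ec2:DescribeInstances", "ec2:RunInstances",
              "ec2:TerminateInstances", "s3:GetObject"]:
        print(effective_permission([SCP], IAM_POLICY, a))
```

Only `ec2:DescribeInstances` passes both layers; `ec2:RunInstances` fails because the SCP never allowed it, `ec2:TerminateInstances` because the SCP explicitly denies it, and `s3:GetObject` because the IAM policy grants nothing for S3 even though the SCP ceiling would permit it.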