IAM Policy Evaluation Overview

When an AWS service receives a request, the request is first authenticated, and the service then checks whether the requester is authorized to perform that action. A few services, such as Amazon S3, also allow requests from anonymous users.

If the request is made by an IAM user, or if it is signed using temporary credentials granted by AWS STS, AWS uses IAM policies to determine whether the request is authorized.

Requests that are made by the AWS account root user are allowed for resources in that account.

Service control policies (SCPs) can be attached to accounts to impose additional restrictions; this is mostly done for accounts that belong to an AWS Organization. If an SCP attached to an account denies access to a service, even an administrator or the root user of that account is denied access.


Policy Evaluation

AWS authorizes a request based on information from several sources:

  • The principal (the requester) and its aggregate permissions, which are determined from the secret access key used to sign the request, e.g. the root user, an IAM user, a federated user (via STS), or an assumed role.

  • Environment data, such as the source IP address, the user agent, whether SSL is enabled, the time of day, etc.

  • Resource data that is part of the resource being requested, such as a DynamoDB table name, a tag on an Amazon EC2 instance, etc.


When a request is made, the AWS service decides whether a given request should be allowed or denied as follows:

  1. By default, all requests are denied.

  2. An explicit allow (Effect=Allow) overrides this default.

  3. An explicit deny (Effect=Deny) overrides any allows.
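The three rules above, together with the SCP layer described earlier, as an added Python model that is not part of the original post or of AWS: `evaluate` implements default deny, explicit allow and explicit deny, and `is_authorized` layers an SCP on top so that an SCP can only restrict. The policy documents are constructed samples, and matching is simplified (no Condition, NotAction or NotResource).

```python
# Added example (not AWS code): a toy evaluator for the three rules above,
# plus an SCP layer that can only restrict. Statements use the real keys
# Effect/Action/Resource; Condition, NotAction and NotResource are omitted.
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(stmt, action, resource):
    """True when the statement covers the requested action and resource.
    IAM's * and ? wildcards are approximated with fnmatch (case-sensitive here)."""
    return any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and any(
        fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request.
    1. default deny; 2. explicit Allow overrides it; 3. explicit Deny overrides any Allow.
    Every statement in every policy is examined, so policy order does not matter."""
    decision = "Deny"  # rule 1: implicit default deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # rule 3: nothing overrides an explicit deny
            if stmt["Effect"] == "Allow":
                decision = "Allow"  # rule 2: explicit allow beats the default
    return decision


def is_authorized(identity_policies, action, resource, scps=None):
    """Identity policies decide; SCPs (if any) only restrict. An SCP that does
    not allow the action denies it, even for an administrator or root user."""
    if scps and evaluate(scps, action, resource) != "Allow":
        return False
    return evaluate(identity_policies, action, resource) == "Allow"


# Constructed sample policies (not from the page) for trying the evaluator.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_S3_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:Delete*",
                                 "Resource": "arn:aws:s3:::example-bucket/*"}]}
# SCP modelled on the usual pattern: allow everything, then deny one service.
SCP_NO_DYNAMODB = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}
```

With these samples, an administrator is still refused `s3:DeleteObject` on the bucket covered by the deny, and any DynamoDB call is refused once the SCP is attached, regardless of what the identity policies grant.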


Important Notes (Exam Tips)

  • The order in which the policies are evaluated has no effect. All policies are evaluated, and the result is always that the request is either allowed or denied.

  • If the code encounters an error at any point during the evaluation, then it will generate an exception and close.

  • By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can't be overridden.


Also, see example scenarios in the reference link.

