Understanding management policy inheritance - AWS Organizations

Understanding management policy inheritance

Note

The information in this section does not apply to SCPs, because SCPs govern both allowing and denying IAM actions. Although SCPs are attached to the root, OUs, and accounts, allowing an action requires an explicit Allow statement in the SCPs at every level from the root through each OU in the direct path to the account (including the target account itself). For more information about how SCPs work in an AWS Organizations hierarchy, see SCP evaluation.

You can attach management policies to organization entities (organization root, organizational unit (OU), or account) in your organization:

  • When you attach a management policy to the organization root, all OUs and accounts in the organization inherit that policy.

  • When you attach a management policy to a specific OU, the accounts directly under that OU, and the accounts in any of its child OUs, inherit the policy.

  • When you attach a management policy to a specific account, it affects only that account.

Because you can attach management policies to multiple levels in the organization, accounts can inherit multiple policies.

This section explains how parent policies and child policies are processed into the effective policy for an account.
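The following is an added example, not code from the AWS documentation, that models the inheritance described above: it walks the path root -> OU chain -> account, collects the management policies attached at each level, and merges them in order using the inheritance operators `@@assign` and `@@append` (and `@@remove`). The hierarchy, account ID and policy contents are constructed sample data, and the model omits `@@operators_allowed_for_child_policies`.

```python
from copy import deepcopy

# Constructed sample hierarchy: entity -> parent. The root (r-root) has no parent.
PARENT = {"ou-prod": "r-root", "ou-dev": "r-root",
          "ou-web": "ou-prod", "111122223333": "ou-web"}

# Constructed sample attachments, written in the tag-policy style.
ATTACHED = {
    "r-root": [{"tags": {"CostCenter": {"tag_value": {"@@assign": ["100", "200"]}}}}],
    "ou-prod": [{"tags": {"CostCenter": {"tag_value": {"@@append": ["300"]}}}}],
    "111122223333": [{"tags": {"Environment": {"tag_value": {"@@assign": ["prod"]}}}}],
}

def path_from_root(entity):
    """Return [root, ..., entity]; every entity on this path contributes policies."""
    path = [entity]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return list(reversed(path))

def merge(effective, child):
    """Fold one child policy document into the effective document built so far."""
    result = deepcopy(effective)
    for key, value in child.items():
        if not isinstance(value, dict):
            result[key] = value
        elif "@@assign" in value:          # child value replaces the inherited value
            result[key] = deepcopy(value["@@assign"])
        elif "@@append" in value:          # child adds entries to the inherited list
            result[key] = list(result.get(key, [])) + list(value["@@append"])
        elif "@@remove" in value:          # child strips entries from the inherited list
            result[key] = [v for v in result.get(key, []) if v not in value["@@remove"]]
        else:                              # plain nesting, no operator: recurse
            result[key] = merge(result.get(key, {}), value)
    return result

def effective_policy(entity):
    """Merge root, each OU on the path, then the entity's own policies, in that order."""
    effective = {}
    for node in path_from_root(entity):
        for policy in ATTACHED.get(node, []):
            effective = merge(effective, policy)
    return effective

if __name__ == "__main__":
    # The account inherits root and ou-prod policies; ou-dev inherits only the root policy.
    print(effective_policy("111122223333"))
    print(effective_policy("ou-dev"))
```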