Understanding management policy inheritance
Important
The information in this section does not apply to service control policies (SCPs), because SCPs manage both allowing and denying IAM actions. Although SCPs are attached to the root, OUs, and accounts, allowing an action requires an explicit allow statement in the SCPs at every level from the root through each OU in the direct path to the account (including the target account itself). For more information about how SCPs work in an AWS Organizations hierarchy, see SCP evaluation.
You can attach management policies to organization entities (organization root, organizational unit (OU), or account) in your organization:
- When you attach a management policy to the organization root, all OUs and accounts in the organization inherit that policy.
- When you attach a management policy to a specific OU, accounts that are directly under that OU or under any child OU inherit the policy.
- When you attach a management policy to a specific account, it affects only that account.
Because you can attach management policies to multiple levels in the organization, an account can inherit multiple policies.
The following topics explain how parent policies and child policies are processed into the effective policy for an account.
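The inheritance rules above can be checked mechanically. The following is an added example, not code from the AWS documentation: it models a constructed organization tree (the root, OU, account, and policy IDs are made up) and lists every management policy that reaches a given account by walking the direct path from the account up to the root, which is exactly the set of attachment points whose policies the account inherits. Policies attached to a sibling OU are, by construction, never collected.

```python
# Added example (not from the AWS docs): model management-policy inheritance
# over a constructed organization tree and compute which attached policies
# reach a given account.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Entity:
    """An organization root, OU, or account with its directly attached policies."""
    entity_id: str
    parent_id: Optional[str]                       # None only for the root
    attached: List[str] = field(default_factory=list)  # policy IDs attached here


# Constructed sample hierarchy (all IDs are hypothetical):
#   r-root -> ou-workloads -> ou-prod -> account 111111111111
#   r-root -> ou-sandbox   -> account 222222222222
ORG: Dict[str, Entity] = {
    "r-root": Entity("r-root", None, ["p-root-tags"]),
    "ou-workloads": Entity("ou-workloads", "r-root", ["p-workload-backup"]),
    "ou-prod": Entity("ou-prod", "ou-workloads", ["p-prod-ai-optout"]),
    "ou-sandbox": Entity("ou-sandbox", "r-root", ["p-sandbox-tags"]),
    "111111111111": Entity("111111111111", "ou-prod", ["p-acct-override"]),
    "222222222222": Entity("222222222222", "ou-sandbox"),
}


def inherited_policies(org: Dict[str, Entity], account_id: str) -> List[Tuple[str, str]]:
    """Return (entity_id, policy_id) pairs that apply to the account, root first.

    A management policy attached at any level on the direct path from the
    root to the account is inherited by that account; a policy attached to
    a sibling OU is not. The root-first order is the order in which parent
    and child policies are later combined into the effective policy.
    """
    path: List[Entity] = []
    seen = set()
    node: Optional[Entity] = org[account_id]
    while node is not None:
        if node.entity_id in seen:              # guard against a malformed tree
            raise ValueError("cycle in organization tree")
        seen.add(node.entity_id)
        path.append(node)
        node = org[node.parent_id] if node.parent_id else None
    path.reverse()                              # root ... OU ... account
    return [(e.entity_id, p) for e in path for p in e.attached]


if __name__ == "__main__":
    for account in ("111111111111", "222222222222"):
        print(account, inherited_policies(ORG, account))
```

Against a real organization the same walk can be driven by the `organizations` API (`list_parents` to climb, `list_policies_for_target` to read attachments at each level) instead of the constructed dictionary.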