AWS IAM glossary

What is IAM Policy Evaluation Logic?

IAM policy evaluation is the order in which AWS decides whether a request is allowed: an explicit deny always wins, then an explicit allow, otherwise the default is deny.

When a request is made, AWS gathers every applicable policy — identity-based, resource-based, permissions boundaries, SCPs, and session policies — and evaluates them together. The rules are simple but strict: by default everything is denied; a single explicit Deny anywhere overrides any Allow; and an Allow only takes effect if nothing denies it and all applicable boundaries permit it.

Understanding this order explains many surprises. A permissions boundary or SCP that does not explicitly allow an action effectively denies it, even if an attached identity policy says Allow, because the effective permission is the intersection of what the identity policy allows and what every applicable boundary allows.

Common mistake

Expecting an Allow to override a Deny. It never does — an explicit Deny always wins, which is why broad Deny guardrails are a reliable safety net.
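The evaluation order described above, written out as a small added simulator (this is not Shieldly's analyzer or an AWS API): each policy layer is reduced to an explicit Deny, an Allow, or an implicit deny, an explicit Deny anywhere wins, every boundary layer present (SCPs, permissions boundary, session policy) must contain an Allow, and only then does an identity-based or same-account resource-based Allow grant the request. Condition keys, NotAction/NotResource and cross-account resource policies are assumed away; the sample policies are constructed.

```python
import re

def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _applies(stmt, action, resource):
    # Action names are case-insensitive, ARNs are not. Condition, NotAction and
    # NotResource are deliberately not modelled here (simplifying assumption).
    aslist = lambda v: v if isinstance(v, list) else [v]
    return (any(_glob(a, action, True) for a in aslist(stmt.get("Action", [])))
            and any(_glob(r, resource, False) for r in aslist(stmt.get("Resource", "*"))))

def verdict(docs, action, resource):
    """Outcome of one policy layer: 'DENY' (explicit), 'ALLOW', or 'IMPLICIT_DENY'."""
    effects = {s["Effect"] for d in docs for s in d["Statement"] if _applies(s, action, resource)}
    return "DENY" if "Deny" in effects else "ALLOW" if "Allow" in effects else "IMPLICIT_DENY"

def evaluate(action, resource, identity=(), resource_based=(), boundary=None, scps=(), session=None):
    """Order from the text: an explicit Deny anywhere wins; every present boundary layer
    (SCPs, permissions boundary, session policy) must Allow; then an identity-based or
    same-account resource-based Allow is needed; otherwise the request is implicitly denied."""
    layers = {"identity": list(identity), "resource": list(resource_based)}
    for name, docs in (("scp", list(scps)), ("boundary", [boundary] if boundary else []),
                       ("session", [session] if session else [])):
        if docs:
            layers[name] = docs
    results = {name: verdict(docs, action, resource) for name, docs in layers.items()}
    if "DENY" in results.values():
        return "DENY (explicit)"
    for name in ("scp", "boundary", "session"):
        if name in results and results[name] != "ALLOW":
            return f"DENY (implicit: no Allow in {name})"
    if "ALLOW" in (results["identity"], results["resource"]):
        return "ALLOW"
    return "DENY (implicit: no Allow in identity or resource policy)"

# Constructed sample policies (not taken from any real account).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                           "Resource": "arn:aws:s3:::app-bucket*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

def demo(action, resource):
    return evaluate(action, resource, identity=[IDENTITY], boundary=BOUNDARY, scps=[SCP])

if __name__ == "__main__":
    for req in (("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
                ("s3:PutObject", "arn:aws:s3:::app-bucket/report.csv"),
                ("s3:DeleteBucket", "arn:aws:s3:::app-bucket")):
        print(req, "->", demo(*req))
```

The second request shows the intersection rule: the identity policy grants `s3:*`, yet `s3:PutObject` is denied because the boundary never allows it, while the third shows the SCP's explicit Deny overriding every Allow.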

Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.