AWS Policy Evaluation

1. Check for explicit deny
2. If SCP and no allow then deny
3. If resource policy allows then allow
4. If boundary policy exists and no allow then deny
5. If session policy exists and no allow then deny
6. If identity policy allows then allow

Cross Account Policy Evaluation

Consider identity in Account A wants to access resource in Account B

Account A with the identity must be allowed access out of the account to Account B, and Account B must allow access into the account from Account A.