- Check for explicit deny
- If SCP and no allow then deny
- If resource policy allows then allow
- If boundary policy exists and no allow then deny
- If session policy exists and no allow then deny
- If identity policy allows then allow
Cross Account Policy Evaluation
Consider identity in Account A wants to access resource in Account B
Account A with the identity must be allowed access out of the account to Account B, and Account B must allow access into the account from Account A.
