A large steel company is using AWS Organization to manage multiple accounts across various regions. OU’s are created based upon verticals as Production, Sales, HR & IT. Using SCP, you have assigned the following permissions:
Production OU: EC2
Sales OU: EC2
HR OU: S3, EC2
IT OU: all
IAM Policies are applied as follows:
User A belonging to Production OU has full access to EC2 & denying access to other services.
User B belonging to Sales OU has full access to EC2 & denying access to other services.
User C belonging to HR OU has full access to EC2, S3 services & denying access to other services.
User D belonging to IT OU has full access to S3, DynamoDB, RDS services & denying access to other services.
Which of the following will be effective access permission to users A, B, C & D respectively?

Answer options:

A.User A & User B will only be able to access EC2. User C will be able to access EC2 & S3. User D will be able to access all AWS resources.
B.User A & User B will only be able to access EC2. User C will be able to access EC2, S3 & not any other services. User D will be able to access only S3, DynamoDB & RDS and not any other services
C.User A will be able to access S3. User B will be able to access EC2 only. User C will be able to access EC2, S3 & ELB. User D will be able to access all services.
D.User A will be able to access EC2. User B will be able to access EC2 only. User C will be able to access EC2, S3. User D will be able to access all services.

Correct Answer: B
While accessing an AWS resource, a combination of SCP & IAM policies can be used. For the user to access any service, it should have permission granted in IAM policy at the user level. SCP policy should allow resources to be accessible from the account in which the user is part of.
SCPs are similar to IAM permission policies and use almost the same syntax. However, an SCP never grants permissions. Instead, SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). 
Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access at all, even if the applicable SCPs allow all services and all actions.
If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.
Option A is incorrect as User D will be able to access S3, DynamoDB and RDS services as allowed by IAM policy & not full access.
Option C is incorrect as User A belongs to production OU, which SCP policy allowing only EC2 & not S3. Also, User C belongs to HR OU, which can access EC2 & S3 & not to ELB. User D will be able to access only S3, DynamoDB and RDS services as granted by IAM policy.
Option D is incorrect as User D will be able to access only S3, DynamoDB and RDS services as granted by IAM policy even though he is part of OU with SCP allowing full access to all AWS resources.
For more information on applying SCP & IAM policy, refer to the following URL-
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
https://aws.amazon.com/premiumsupport/knowledge-center/iam-policy-service-control-policy/