一图足矣:(https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html)

- 显式Deny最大
- Organization SCP > Resource-Based Policy > IAM > Session > ID-based
- 特别注意:If the requested resource has a resource-based policy that allows the principal to perform the requested action, then the code returns a final decision of Allow。
- 【补充】尽管Org SCP是非常“大”的,基本算个“小王”,但是它不能够限制“service-linked role”!service-lined role的范围仅限自己这个服务,可以理解为“自治”,别人管不着。(SCPs do not affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.)
