| Feature | Permissions boundary | Service control policy (SCP) |
|---|---|---|
| Scope | Applied to individual IAM users/roles | Applied to all IAM users/roles within an AWS account or organization |
| Function | Defines the maximum allowable permissions for a user or role | Restricts permissions for all IAM users/roles in an account or organizational unit |
| Granularity | Granular, tied to individual roles or users | Organization-wide or account-wide control |
| Effect | Limits permissions within the user's or role's own policies | Limits all IAM roles and users within an account or organization, regardless of their individual policies |
| Use case | Restrict what users/roles can do, even if they have permissions granted elsewhere | Control the broad permission levels for multiple accounts in an organization |
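The table describes two separate guardrails that both cap what an identity's own policies can grant. The following is an added example, not code from the page or from AWS: a deliberately simplified Python model of how the three layers combine (identity policy, permissions boundary, SCP), using constructed sample policies. It models only `Allow`/`Deny` on action strings with `*` wildcards; real IAM evaluation also handles conditions, resources, `NotAction`, resource-based policies and session policies.

```python
"""Added example (not from the original page): simplified model of how an
identity-based policy, a permissions boundary and an SCP combine in IAM.
Assumptions: only Action strings with '*' wildcards and Effect Allow/Deny
are modelled; conditions, resources and NotAction are ignored."""
import fnmatch


def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may contain '*'
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _decision(policy, action):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy."""
    result = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides any allow
            result = "Allow"
    return result


def is_allowed(action, identity_policy, boundary=None, scp=None):
    """Allowed only if the identity policy allows the action AND every
    applicable boundary/SCP also allows it (an SCP or boundary that is
    silent about an action implicitly denies it)."""
    for policy in (identity_policy, boundary, scp):
        if policy is not None and _decision(policy, action) != "Allow":
            return False
    return True


# Constructed sample policies for illustration (not real account data).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*"}]}  # caps to S3
SCP = {"Statement": [{"Effect": "Allow", "Action": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteBucket"}]}

if __name__ == "__main__":
    for act in ("s3:GetObject", "ec2:RunInstances", "s3:DeleteBucket"):
        print(act, is_allowed(act, IDENTITY, BOUNDARY, SCP))
```

Running it shows the boundary removing `ec2:*` even though the identity policy grants it, and the SCP's explicit deny on `s3:DeleteBucket` winning over both the identity policy and the boundary.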