Applying an IAM Policy to a Cloud Rule
When an IAM policy is attached to a cloud rule, that cloud rule can be attached to either an OU or a project. When the cloud rule is attached to a project, the IAM policy will be applied to all cloud access roles in the project. If there are three cloud access roles on the project, Kion will create three IAM roles in each of the AWS accounts attached to the project and then will attach the IAM policy to each of those roles.
When the cloud rule is attached to an OU, the same behavior will apply, but instead of just affecting a single project, it will affect all projects below the OU in the organization chart. This allows you to define policies at a top-level OU and have them apply to all cloud access roles below. It's a best practice to limit permissions applied at high levels to ensure you don't give out more access than necessary.
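The fan-out described above, as an added example that is not Kion's own code or API: it models an org chart of OUs, projects, cloud access roles and attached accounts, and computes which IAM roles a policy would land on when the cloud rule is attached at a project versus a top-level OU, which is the check to run before granting permissions high in the tree. The org chart, account IDs and the `<project>-<role>` IAM role naming are constructed assumptions.

```python
"""Model of how a cloud rule's IAM policy fans out to IAM roles (assumed model, not Kion's code)."""
from dataclasses import dataclass, field


@dataclass
class Project:
    name: str
    accounts: list[str]            # AWS account IDs attached to the project (constructed)
    cloud_access_roles: list[str]  # cloud access roles defined on the project


@dataclass
class OU:
    name: str
    projects: list[Project] = field(default_factory=list)
    children: list["OU"] = field(default_factory=list)


def projects_below(ou: OU) -> list[Project]:
    """All projects in this OU and in every OU beneath it in the org chart."""
    found = list(ou.projects)
    for child in ou.children:
        found.extend(projects_below(child))
    return found


def policy_targets(target, policy_name: str) -> list[tuple[str, str, str]]:
    """Where the policy lands: one (account, iam_role, policy) tuple per cloud access
    role in each affected project, in each account attached to that project.
    `target` is the Project or OU the cloud rule is attached to.
    The IAM role name '<project>-<role>' is an assumption for illustration."""
    projects = [target] if isinstance(target, Project) else projects_below(target)
    return [(acct, f"{p.name}-{role}", policy_name)
            for p in projects for role in p.cloud_access_roles for acct in p.accounts]


# Constructed sample org chart: two OUs under Root, three projects in total
ROOT = OU("Root", children=[
    OU("Engineering", projects=[
        Project("payments", ["111111111111", "222222222222"], ["admin", "developer", "read-only"]),
        Project("web", ["333333333333"], ["developer"]),
    ]),
    OU("Finance", projects=[Project("ledger", ["444444444444"], ["read-only"])]),
])

if __name__ == "__main__":
    payments = ROOT.children[0].projects[0]
    # At one project: 3 cloud access roles x 2 accounts -> 6 IAM roles receive the policy
    print(len(policy_targets(payments, "S3ReadOnly")))
    # At the Root OU the same policy reaches every role in every account below it
    for hit in policy_targets(ROOT, "S3ReadOnly"):
        print(hit)
```

Comparing the two counts before attaching a rule at an OU shows exactly how far a single policy reaches.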
Once the IAM policy is attached, the user will have the permissions assigned to the IAM role when they use the Cloud Access menu to log into an AWS account.
To learn how to apply an IAM policy to a cloud rule, see the Create a Cloud Rule article. You'll select your IAM policy in step 7.