Certified Security - Specialty


Bucket policy express deny not overriding IAM policy express allow?

One concept that is repeated frequently is that an express deny will always trump an express allow. I have created a custom IAM policy that allows all principals the ListBucket permission and attached it to a new user I have created (s3user). I have also created a bucket policy that expressly denies all S3 actions for all principals. I am not understanding, then, why I can list bucket contents with the s3user using the CLI. Why doesn't the bucket policy with express deny prevent the s3user from listing bucket contents from the CLI? Thanks.

Bucket policy:

    {
      "Version": "2012-10-17",
      "Id": "Policy1538502186374",
      "Statement": [
        {
          "Sid": "Stmt1538502184969",
          "Effect": "Deny",
          "Principal": "*",
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::XXX/*"
        }
      ]
    }

IAM policy assigned to s3user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "*"
        }
      ]
    }
Steven Moran

From where are you connecting via CLI? From an EC2 instance, or from the real world?

Steven Moran

I’m finding the same thing. Researching.

Russell

Good question ! I like.

2 Answers

Facepalm.  It was staring me in the face.

In your bucket policy, you are applying your permissions to all of the contents of the bucket, not to the bucket itself. I know that might not make sense, but if you remove the "/*" from the end of the Resource key in your policy, you should see the expected result.

Michael Hainey

Thank you, Steven. I will confirm your findings. Any idea why I would receive a downvote for asking this question? It makes one not want to ask questions if they should expect negative feedback.

What is confusing about this is that in the S3 bucket policy lesson, Ryan specifically demonstrates that you cannot simply use the bucket name in the Resource section; in fact, it will error if you try to save it that way. He states it is an exam topic and that you will be expected to know that you must add the /* for it to work correctly. Please refer to 9:12 in the bucket policies lesson.

Michael Hainey

Further experimentation has shown that the trailing /* is only required when the action relates to bucket objects and not to the bucket itself. Hopefully, the lesson can be updated to indicate this nuance. Thanks.
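The answer above and this follow-up comment describe the same rule: an explicit Deny only wins if its Resource element actually matches the ARN the request is evaluated against, and s3:ListBucket is evaluated against the bucket ARN (arn:aws:s3:::XXX), while object actions such as s3:GetObject are evaluated against object ARNs (arn:aws:s3:::XXX/key). The following is an added example, not code from the original thread or from AWS: a small, deliberately simplified evaluator that reproduces the deny-overrides-allow logic for the two policies posted in the question, using the poster's XXX placeholder as the bucket name. The bucket-level action list in resource_arn() is a partial one I supplied for the demo, and Condition, NotAction, NotResource and real Principal matching are left out.

```python
from fnmatch import fnmatchcase

# The two policies from the question above ("XXX" is the poster's bucket-name placeholder).
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": "*"}
    ],
}

# As posted: the Resource covers the objects (XXX/*), not the bucket itself (XXX).
BUCKET_POLICY_OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1538502184969", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::XXX/*"}
    ],
}

# Corrected version: list both the bucket ARN and the object ARNs so every S3 action is denied.
BUCKET_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::XXX", "arn:aws:s3:::XXX/*"]}
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    """IAM wildcard matching: '*' is any run of characters, '?' a single character.
    fnmatchcase is close enough for ARNs and action names, which contain no [ ] classes."""
    return any(fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True when both the Action and Resource elements of a statement cover this request.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not _match_any(actions, action.lower()):
        return False
    return _match_any(_as_list(stmt.get("Resource", [])), resource)


def evaluate(action, resource, identity_policies=(), resource_policies=()):
    """Simplified same-account evaluation: any matching explicit Deny wins immediately,
    otherwise any matching Allow (from the identity policy or the bucket policy) allows,
    otherwise the request is implicitly denied. The bucket policy's Principal "*" is assumed
    to match the caller; Condition/NotAction/NotResource are not modelled."""
    decision = "ImplicitDeny"
    for policy in list(identity_policies) + list(resource_policies):
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def resource_arn(action, bucket, key=None):
    """Which ARN a request is evaluated against. Bucket-level actions use the bucket ARN;
    object-level actions use bucket/key. The set below is a partial list chosen for this demo."""
    bucket_level = {"s3:listbucket", "s3:listbucketversions", "s3:getbucketpolicy",
                    "s3:putbucketpolicy", "s3:getbucketacl", "s3:deletebucket"}
    if action.lower() in bucket_level:
        return f"arn:aws:s3:::{bucket}"
    return f"arn:aws:s3:::{bucket}/{key}"


def run_scenarios():
    """Replay the thread: ListBucket slips past the objects-only deny, GetObject does not,
    and the fixed policy denies both."""
    results = {}
    for label, bucket_policy in (("objects_only", BUCKET_POLICY_OBJECTS_ONLY),
                                 ("fixed", BUCKET_POLICY_FIXED)):
        for action, key in (("s3:ListBucket", None), ("s3:GetObject", "secret.txt")):
            arn = resource_arn(action, "XXX", key)
            results[(label, action)] = evaluate(action, arn, [IAM_POLICY], [bucket_policy])
    return results


if __name__ == "__main__":
    for (label, action), decision in run_scenarios().items():
        print(f"{label:13} {action:14} -> {decision}")
```

The objects-only bucket policy returns Allow for s3:ListBucket because "arn:aws:s3:::XXX/*" never matches "arn:aws:s3:::XXX", so the only matching statement is the identity policy's Allow; the same policy returns Deny for s3:GetObject on any key. Listing both ARNs, as in BUCKET_POLICY_FIXED, makes the explicit deny match bucket-level and object-level requests alike. For a real account, the same question can be asked of AWS itself with `aws iam simulate-principal-policy`, which takes the caller's ARN, the action names and the resource ARNs as arguments and reports the decision per action.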

Russell

I agree. I will take it up with Ryan to see if the lesson can be clearer about when either or both should be used.
