Certified Security - Specialty
  1. Rooms
  2. Certified Security - Specialty

Sign Up Free or Log In to participate!

Confusion on Explicit Deny and Explicit Allow

Hi,

Ryan states to always go with an explicit Deny and then an explicity Allow on top with a condition = true. This in fact will not work, i think he didn’t meant it that way either.

Because if there is an explicit deny without a condition it will always take precedence over the explicit allow with a condition. So an explicit deny must in this case always be used with a condition and an unconditioned allow, else the action will always be denied.

And I think thats what Ryan meant nevertheless, just wanted to make it clear.

2 Answers

I think you are referring to the policy described: 

{"Version": "2012-10-17",  
"Statement": [  
        {  
            "Sid": "PublicReadGetObject",  
            "Effect": "Allow",  
            "Principal": {  
                "AWS": "*"  
            },  
            "Action": "s3:GetObject",  
            "Resource": "arn:aws:s3:::yourbucketnamehere/*"  
        },  
        {  
            "Sid": "PublicReadGetObject",  
            "Effect": "Deny",  
            "Principal": {  
                "AWS": "*"  
            },  
            "Action": "s3:GetObject",  
            "Resource": "arn:aws:s3:::yourbucketnamehere/*",  
            "Condition":{  
                "Bool":  
                { "aws:SecureTransport": false }   
            }   
        }   
    ]  
}

What the bucket policy is doing, with the first allow, is permitting GetObject on the bucket, allowing the user to fetch from the bucket arn:aws:s3:::yourbucketnamehere/*

The second statement, then Denies the GetObject on the same bucket. However, the CONDITION makes the statement read: Deny access to the bucket IF the condition aws:SecureTransport is false.   

So, if you try to fetch from the bucket using HTTP, then the condition  aws:SecureTransport evaluates to TRUE an and the DENY is enforced – as the condition was satisfied.  Access is then denied

If on the other hand, the connection is HTTPS, then the aws:SercureTransport condition is FALSE and the DENY is not applied. In this case, the first Allow Statement is then checked and if satisfied, access is granted. 

You are correct if there is an explicit DENY without any condition – then it would always be in force, and override any allows

Well what I heard in the lecture was Ryan describing a policy like this:

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Sid": "PublicReadGetObject",

      "Effect": "Allow",

      "Principal": {

        "AWS": "*"

      },

      "Action": "s3:GetObject",

      "Resource": "arn:aws:s3:::yourbucketnamehere/*",

      "Condition": {

        "Bool": {

          "aws:SecureTransport": True

        }

      }

    },

    {

      "Sid": "PublicReadGetObject",

      "Effect": "Deny",

      "Principal": {

        "AWS": "*"

      },

      "Action": "s3:GetObject",

      "Resource": "arn:aws:s3:::yourbucketnamehere/*"

    }

  ]

}

This would lead to a policy which allways denies the GetObject action without the option to allow it in the future.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Don't have an account?

Get Started
Who’s going to be learning?
MyselfMy Organization