Certified Security - Specialty

Sign Up Free or Log In to participate!

Explicit deny on s3 bucket

In the example provided in this video, how can we resolve the requirement to have a "deny all" S3 bucket policy, but still have a specific user(s) access to the bucket.   Since explicit "deny all" trumps other rules, is their still any way to achieve it?  That was not addressed in the video

2 Answers

Use an "explicit deny" with a "NotPrincipal" in bucket policy. The policy will ensure no other user can access the buckets other than the users listed in the "NotPrincipal".
sample policy:

"Action": "s3:*",

"Effect": "Deny",

"Resource": "arn:aws:s3:::examplebucket/*",

"NotPrincipal": {

"AWS": [


This policy will allow "alloweduser" to have full access to S3 examplebucket and ensure no other user can access this bucket

Alex Senkevitch

Slight point of clarification: Actually, the negation listed here (NotPrincipal) won’t explicitly grant "full access", it just punches a hole in the explicit DENY rule around that user (i.e., it simply says "DENY * FOR ALL PRINCIPALS EXCEPT (alloweduser…)". At that point, any other rules/policies apply.


Why I am getting a policy error { "Version": "2012-10-17", "Statement": [{ "Effect": "Deny", "NotPrincipal": {"AWS": [ "arn:aws:iam::000000000000:user/Ami_Ou", "arn:aws:iam::000000000000:root" ]}, "Action": "s3:", "Resource": [ "arn:aws:s3:::hyhyh/", "arn:aws:s3:::hyhyh/" ] }] }

With an Explicit Deny you could also use 

"Condition": {

"StringNotLike": {

"aws:userId": [






Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?