
It is actually possible to allow an IAM user (Bob) to access an S3 Bucket, and deny all other users directly at the Bucket Policy level.
Here are 2 examples:
Example 1: This would work ONLY if the IAM user (Bob) has an Allow somewhere other than the S3 bucket resource policy (e.g. in their IAM identity policy):
{
  "Version": "2008-10-17",
  "Statement": {
    "Sid": "2",
    "Effect": "Deny",
    "Action": "s3:*",
    "NotPrincipal": {
      "AWS": "arn:aws:iam::111222333444:user/Bob"
    },
    "Resource": [
      "arn:aws:s3:::some_s3_bucket",
      "arn:aws:s3:::some_s3_bucket/*"
    ]
  }
}
Reason: A deny with NotPrincipal, in itself, does not explicitly Allow access.
Example 2: This would work if the IAM user (Bob) does NOT have any Allow elsewhere (e.g. in their IAM identity policy):
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111222333444:user/Bob"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::some_s3_bucket",
        "arn:aws:s3:::some_s3_bucket/*"
      ]
    },
    {
      "Sid": "2",
      "Effect": "Deny",
      "NotPrincipal": {
        "AWS": "arn:aws:iam::111222333444:user/Bob"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::some_s3_bucket",
        "arn:aws:s3:::some_s3_bucket/*"
      ]
    }
  ]
}
In Example 2, we explicitly allow Access, and then, we deny it for everyone else except for Bob.
I think it's important to cover that in the course. This is not an entry-level course, and such details are important.
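To make the evaluation rule behind both examples concrete, here is a small Python simulator of the same-account IAM decision logic the post relies on (explicit Deny anywhere wins; otherwise an Allow from either the identity policy or the bucket policy grants access; otherwise implicit deny). It is an added example, not code from the original post and not AWS's evaluation engine: it ignores conditions, SCPs, permission boundaries, cross-account access and the account root user (AWS's own documented NotPrincipal-with-Deny examples also list the account's root ARN, `arn:aws:iam::111222333444:root`, next to the user ARN, which the post's policies do not). The second user `Alice`, the identity policy `IDENTITY_READ` and the object key `report.csv` are assumptions for the demonstration; the two bucket policies are the post's Example 1 and Example 2 written as Python dicts.

```python
"""Toy model of same-account IAM policy evaluation for the Bob/NotPrincipal post.

Added example, not the original post's code and not AWS's engine. Rules modelled:
  1. any applicable statement with Effect Deny  -> explicit-deny (wins)
  2. any applicable Allow in the bucket policy or the identity policy -> allow
  3. nothing applies -> implicit-deny
Not modelled: Condition, NotResource, SCPs, permission boundaries, cross-account
requests and the account root user.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111222333444"
BOB = f"arn:aws:iam::{ACCOUNT}:user/Bob"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/Alice"   # assumed second user in the same account
BUCKET = "arn:aws:s3:::some_s3_bucket"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM action/resource wildcards ("s3:*", ".../*") behave like shell globs here.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(spec, principal_arn):
    """True if a Principal/NotPrincipal element names principal_arn (or is '*')."""
    if spec == "*":
        return True
    aws = spec.get("AWS", []) if isinstance(spec, dict) else []
    return any(p == "*" or p == principal_arn for p in _as_list(aws))


def _statement_applies(stmt, principal_arn, action, resource, is_resource_policy):
    if is_resource_policy:
        # A bucket-policy statement scopes its principals; an identity-policy
        # statement has no Principal and applies to the principal it is attached to.
        if "Principal" in stmt:
            if not _principal_matches(stmt["Principal"], principal_arn):
                return False
        elif "NotPrincipal" in stmt:
            if _principal_matches(stmt["NotPrincipal"], principal_arn):
                return False
        else:
            return False
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    if "Resource" in stmt and not _matches_any(resource, stmt["Resource"]):
        return False
    return True


def evaluate(principal_arn, action, resource, bucket_policy, identity_policy=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    sources = [(bucket_policy, True)]
    if identity_policy is not None:
        sources.append((identity_policy, False))
    allowed = False
    for policy, is_resource_policy in sources:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, principal_arn, action, resource, is_resource_policy):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"      # rule 1: a matching Deny ends evaluation
            allowed = True
    return "allow" if allowed else "implicit-deny"


# The post's Example 1: Deny everyone except Bob, no Allow at all.
EXAMPLE_1 = {
    "Version": "2008-10-17",
    "Statement": {"Sid": "2", "Effect": "Deny", "Action": "s3:*",
                  "NotPrincipal": {"AWS": BOB}, "Resource": [BUCKET, BUCKET + "/*"]},
}

# The post's Example 2: Allow Bob, then Deny everyone except Bob.
EXAMPLE_2 = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow", "Principal": {"AWS": BOB},
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "2", "Effect": "Deny", "NotPrincipal": {"AWS": BOB},
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# Assumed identity policy attached to a user: read-only on the bucket's objects.
IDENTITY_READ = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}],
}


def scenarios():
    """Outcomes for the cases the post describes (object key is a constructed sample)."""
    obj = BUCKET + "/report.csv"
    return {
        "ex1_bob_no_identity_allow":    evaluate(BOB, "s3:GetObject", obj, EXAMPLE_1),
        "ex1_bob_with_identity_allow":  evaluate(BOB, "s3:GetObject", obj, EXAMPLE_1, IDENTITY_READ),
        "ex1_alice_with_identity_allow": evaluate(ALICE, "s3:GetObject", obj, EXAMPLE_1, IDENTITY_READ),
        "ex2_bob_no_identity_allow":    evaluate(BOB, "s3:GetObject", obj, EXAMPLE_2),
        "ex2_alice_with_identity_allow": evaluate(ALICE, "s3:GetObject", obj, EXAMPLE_2, IDENTITY_READ),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} {outcome}")
```

Running it shows the point of the post: under Example 1, Bob gets `implicit-deny` with no identity-policy Allow and `allow` once one exists, while Alice is `explicit-deny` even though her identity policy allows the read; under Example 2, Bob is allowed with no identity policy at all, and Alice is still explicitly denied.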