R Adams
Since it appears that S3 bucket polices are not top down first match like a firewall policy, does rule order matter at all?
It seems to be match all and then resolve conflicts using least privilege.
And depending on the answer is the same true for all JSON policies?
2 Answers
[ACG] Stephen Sennett
There’s a full article on Policy Evaluation Logic, which is worth understanding at the Specialty level. The general rules are "implicit deny", where anything that isn’t explicitly allowed in the policy will be denied, and "explicit deny overrides explicit allows", where even if you have multiple rules which would allow something to happen, a single explicit "deny" will override everything else.
Mattias Fjellström
The order of the statements in any IAM/resource-policy is irrelevant.
amazing explanation !!