1 Answers
If you explicitly DENY all, then it will apply to everyone and will also override the previous ALLOW action for those specific users. While evaluating the IAM and bucket policies, it does not stop on the first match (e.g., allow for specific users), but checks all the statements/actions. If there is an explicit deny that is applicable for the user (e.g., applies to everyone), then it will be denied regardless of the previously allowed statements.
What you can do is just allow the actions to those specific users – everyone else will be implicitly denied, even without stating it, unless they get an allow from another policy. If you want to make it more strict, you could also create a policy and allow the action to those specific users, then deny all except these users by using the NotPrincipal policy element on the deny statement. This way, even if they would be allowed somehow from another policy, since it is explicitly denied here, they will be denied.
NotPrincipal: AWS doc: policy elements – NotPrincipal
This might also help to clarify it further: AWS doc: policies evaluation logic
It looks to me that it doesn’t matter where (IAM, BUCKET, ACLs) the explicit deny exists, no further ALLOWs anywhere will not give the access.
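The evaluation order described in the answer above, as an added example that is not part of the original answer and is not AWS code: a simplified evaluator run against the three policy shapes the answer discusses. The ARNs, the policy variable names and the `evaluate`/`applies` helpers are constructed for illustration, and the model assumes same-account access with exact-match principals and actions and no Condition blocks, SCPs or permission boundaries.

```python
# Simplified model of AWS policy evaluation (added example, not AWS code).
# Assumptions: same-account access, exact-match principals and actions,
# no Condition blocks, SCPs or permission boundaries.

ALICE = "arn:aws:iam::111122223333:user/alice"   # constructed sample ARNs
BOB = "arn:aws:iam::111122223333:user/bob"
ACTION = "s3:GetObject"

def applies(stmt, principal, action):
    """True if the statement covers this principal and action."""
    if action not in stmt["Action"]:
        return False
    if "NotPrincipal" in stmt:
        return principal not in stmt["NotPrincipal"]
    return stmt["Principal"] == "*" or principal in stmt["Principal"]

def evaluate(principal, action, *policies):
    """Check every statement in every policy; never stop at the first match."""
    allowed = False
    for policy in policies:
        for stmt in policy:
            if not applies(stmt, principal, action):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"      # overrides any Allow, anywhere
            allowed = True
    return "allow" if allowed else "implicit deny"

allow_alice = {"Effect": "Allow", "Principal": [ALICE], "Action": [ACTION]}

# 1. Allow alice, then Deny everyone: the Deny also matches alice.
deny_all = [allow_alice, {"Effect": "Deny", "Principal": "*", "Action": [ACTION]}]
# 2. Allow alice only: everyone else falls through to the implicit deny.
allow_only = [allow_alice]
# 3. Allow alice, Deny everyone except alice via NotPrincipal.
deny_others = [allow_alice,
               {"Effect": "Deny", "NotPrincipal": [ALICE], "Action": [ACTION]}]
# A second policy granting bob the same action (stands in for an IAM policy;
# given a Principal field here only so one matcher handles both kinds).
bob_iam = [{"Effect": "Allow", "Principal": [BOB], "Action": [ACTION]}]

if __name__ == "__main__":
    for name, bucket in [("deny_all", deny_all), ("allow_only", allow_only),
                         ("deny_others", deny_others)]:
        for who in (ALICE, BOB):
            print(name, who.rsplit("/", 1)[-1], evaluate(who, ACTION, bucket, bob_iam))
```

Comparing `allow_only` with `deny_others` for bob shows the difference the answer points at: the extra Allow in the second policy gets him in when the bucket policy only allows alice, but not when the bucket policy carries the NotPrincipal deny.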