Certified Security - Specialty


S3 bucket policy

I understand that in an S3 bucket policy an explicit deny will overrule allows, but how about this case: in the policy we allow some specific users and then explicitly deny all. Will it work?


It looks to me that it doesn't matter where (IAM, bucket, ACLs) the explicit deny exists; no further ALLOWs anywhere will give access.

1 Answer

If you explicitly DENY all, then it will apply to everyone and will also override the previous ALLOW action for those specific users. While evaluating the IAM and bucket policies, evaluation does not stop on the first match (e.g. the allow for specific users) but checks all the statements/actions. If there is an explicit deny that is applicable to the user (e.g. one that applies to everyone), then the request will be denied regardless of the previously allowed statements.

What you can do is just allow the actions to those specific users; everyone else will be implicitly denied, even without stating it, unless they get an allow from another policy. If you want to make it more strict, you could also create a policy that allows the action to those specific users, then deny all except these users by using the NotPrincipal policy element on the deny statement. This way, even if they would somehow be allowed by another policy, since it is explicitly denied here, they will be denied.

NotPrincipal: AWS doc: policy elements – NotPrincipal

This might also help to clarify it further: AWS doc: policies evaluation logic
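The following is an added illustration written for this thread, not code from the original answer or from AWS: a small Python model of the evaluation order the answer describes (every statement is checked, an applicable explicit Deny is final, and a request no statement allows is implicitly denied). The bucket name, account id and user ARNs are constructed, and only the Principal/NotPrincipal, Action and Resource elements are modelled, so it is a teaching aid rather than a policy simulator.

```python
"""Simplified model of IAM/S3 policy evaluation for the two patterns discussed
in the thread: "allow some users, then deny all" versus "allow some users, then
deny everyone else with NotPrincipal".  Added illustration, not AWS's engine;
all ARNs below are constructed.  Condition elements, cross-account rules and
session principals are deliberately left out."""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-bucket"            # constructed
ALICE = "arn:aws:iam::123456789012:user/alice"    # constructed
BOB = "arn:aws:iam::123456789012:user/bob"        # constructed
OBJECT = BUCKET + "/reports/q1.csv"               # constructed

ALLOW_ALICE = {"Effect": "Allow", "Principal": {"AWS": [ALICE]},
               "Action": "s3:GetObject", "Resource": BUCKET + "/*"}

# Pattern from the question: allow specific users, then deny everyone.
DENY_ALL_POLICY = {"Version": "2012-10-17", "Statement": [
    ALLOW_ALICE,
    {"Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}

# Pattern from the answer: the deny excludes the allowed users via NotPrincipal.
NOT_PRINCIPAL_POLICY = {"Version": "2012-10-17", "Statement": [
    ALLOW_ALICE,
    {"Effect": "Deny", "NotPrincipal": {"AWS": [ALICE]},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}

# Allow only: everyone but Alice is implicitly denied unless another policy allows them.
ALLOW_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_ALICE]}

# Stand-in for "an allow from another policy" that grants Bob access (constructed).
OTHER_POLICY_FOR_BOB = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [BOB]},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]}


def _matches(patterns, value):
    """IAM-style wildcard match; accepts a single pattern or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _names(principal_spec, principal):
    """True if a Principal/NotPrincipal element covers this principal."""
    if principal_spec == "*":
        return True
    return _matches(principal_spec.get("AWS", []), principal)


def _applies(stmt, principal, action, resource):
    """Does this statement apply to the request at all?"""
    if "Principal" in stmt and not _names(stmt["Principal"], principal):
        return False
    if "NotPrincipal" in stmt and _names(stmt["NotPrincipal"], principal):
        return False  # principals listed in NotPrincipal are untouched
    return _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)


def evaluate(policies, principal, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'.

    Evaluation does not stop at the first matching Allow: every statement of
    every policy is checked, and a single applicable explicit Deny decides
    the outcome no matter how many Allows matched before or after it."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    cases = [
        ("deny-all, alice", [DENY_ALL_POLICY], ALICE),
        ("NotPrincipal deny, alice", [NOT_PRINCIPAL_POLICY], ALICE),
        ("NotPrincipal deny, bob", [NOT_PRINCIPAL_POLICY], BOB),
        ("allow-only, bob", [ALLOW_ONLY_POLICY], BOB),
        ("allow-only + other allow, bob", [ALLOW_ONLY_POLICY, OTHER_POLICY_FOR_BOB], BOB),
        ("NotPrincipal deny + other allow, bob", [NOT_PRINCIPAL_POLICY, OTHER_POLICY_FOR_BOB], BOB),
    ]
    for label, policies, who in cases:
        print(f"{label:40} -> {evaluate(policies, who, 's3:GetObject', OBJECT)}")
```

The first case reproduces the question: Alice's Allow matches, but the Deny with `Principal: "*"` also applies to her, so she is denied. The NotPrincipal variant leaves Alice allowed, denies Bob, and keeps denying Bob even when a second policy grants him access, which is the point of the answer's stricter pattern. Before copying the NotPrincipal pattern into a real bucket policy, read the linked NotPrincipal page: AWS's Deny example lists the account root ARN alongside the user ARN, and the element is rarely needed outside this kind of lock-down.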
