Certified Security - Specialty

Sign Up Free or Log In to participate!

S3 – Deny all actions – Can still putobject – Chapter 3.4

If you use the policy generator to deny all s3 actions, you will get a JSON policy like below:


"Id": "Policy1601523169327",

"Version": "2012-10-17",

"Statement": [


"Sid": "Stmt1601523168462",

"Action": "s3:*",

"Effect": "Deny",

"Resource": "arn:aws:s3:::[bucketname]",

"Principal": "*"




This policy does not actually block all actions, you can still put objects into the bucket via the CLI because the PUTOBJECT Api requires an object as the resource (EG: arn:aws:s3:::[bucketname]/*). Since we are referencing the bucket as a resource, and not all objects in it, we can still put objects.

Can we update the course, or get more clarification on this as the policy generator will not create all the correct resource types for each of the denied actions.


0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?