Certified Security - Specialty


Specific DENY did not prevent ALLOW from happening for PutObject in an S3 bucket

Hi Gurus, I have a group with the policies attached below. But when the user assigned to that group puts an object in a specific S3 bucket, it allows the put when it should have denied the PutObject action. Please see below: (1) managed policy of read-only S3 object access, (2) custom policy of PutObject in any S3 bucket and (3) inline policy of DENY PutObject in a specific S3 bucket. So can you please advise why the user was NOT denied access to upload a new object, since a specific Deny should have trumped an Allow action? What am I missing here? Sorry if this has already been answered in some other threads.

Managed Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Custom Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "*"
    }
  ]
}

Inline Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1601471245000",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mynewstaticwebsite90210"
      ]
    }
  ]
}

1 Answer

I have figured it out, so this thread can be closed. What I have to do is add "/*" after the specific S3 bucket ARN. The inline policy then becomes as below. Only then is the IAM user in that group denied PutObject in the S3 bucket specified by arn:aws:s3:::mynewstaticwebsite90210. So a specific DENY trumps an ALLOW via the IAM policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1601471245000",
      "Effect": "Deny",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mynewstaticwebsite90210/*"
      ]
    }
  ]
}
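The reason the original inline policy did not fire is that s3:PutObject is an object-level action, so the request's resource is the object ARN (bucket ARN plus "/key"), and a Deny whose Resource is the bare bucket ARN never matches it. The following is an added example, not code from the thread or from AWS: a small Python model of identity-policy evaluation that implements only the parts relevant here (Action and Resource wildcard matching, explicit Deny beating any Allow, implicit Deny otherwise; no Condition, NotAction, resource policies or permission boundaries). The three policies are the ones posted above; the object key "index.html" is a constructed sample.

```python
import re

# --- tiny model of IAM identity-policy evaluation (added example, not AWS's engine) ---

def _matches(pattern, value, case_sensitive=True):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both match the request.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_matches(a, action, case_sensitive=False) for a in actions)
            and any(_matches(r, resource) for r in resources))

def evaluate(policies, action, resource):
    """Explicit Deny wins over everything; an Allow is needed to permit; else implicit Deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def matching_statements(policies, action, resource):
    """Return the Sids (or 'no-sid') of statements that matched, to explain a decision."""
    return [stmt.get("Sid", "no-sid")
            for policy in policies
            for stmt in policy["Statement"]
            if statement_applies(stmt, action, resource)]

# --- the three policies from the thread, plus the corrected inline policy ---
MANAGED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

CUSTOM = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:PutObject", "Resource": "*"}]}

# Original inline policy: Resource is the bucket ARN only.
INLINE_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1601471245000", "Effect": "Deny", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::mynewstaticwebsite90210"]}]}

# Corrected inline policy: Resource covers every object in the bucket.
INLINE_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1601471245000", "Effect": "Deny", "Action": ["s3:PutObject"],
     "Resource": ["arn:aws:s3:::mynewstaticwebsite90210/*"]}]}

# PutObject is evaluated against the OBJECT ARN, not the bucket ARN (key is a constructed sample).
OBJECT_ARN = "arn:aws:s3:::mynewstaticwebsite90210/index.html"

if __name__ == "__main__":
    for label, inline in (("original", INLINE_ORIGINAL), ("fixed", INLINE_FIXED)):
        policies = [MANAGED, CUSTOM, inline]
        print(label, evaluate(policies, "s3:PutObject", OBJECT_ARN),
              "matched:", matching_statements(policies, "s3:PutObject", OBJECT_ARN))
```

With the original inline policy only "VisualEditor0" matches the PutObject request, so the result is Allow; with "/*" the Deny statement also matches and wins. The same check can be run against a real principal with the IAM policy simulator (the `aws iam simulate-principal-policy` CLI command, passing the object ARN, not the bucket ARN, as the resource), which is the quickest way to confirm a Deny actually covers the resource form the action uses.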
