You have added the following two statements to the IAM policy attached to a user:
{
  "Effect":"Deny",
  "Action":"s3:*",
  "Resource":[
    "arn:aws:s3:::log/*",
    "arn:aws:s3:::acgbucket/images/*"
  ]
},
{
  "Effect":"Allow",
  "Action":"s3:*",
  "Resource":[
    "arn:aws:s3:::acgbucket/*"
  ]
}
What is the effect of this combination of statements?
a. The user will get full access to everything in acgbucket
b. The user will get full access to everything in acgbucket apart from objects in the logs and images folders
c. The user will get full access to everything in the images folder
d. The user will get full access to everything in acgbucket apart from the logs
e. The user will get full access to everything in the images and logs folders
The closest answer is b, but look carefully: there is no restriction for access to the images folder in acgbucket.
You are right, the answer should be "The user will get full access to everything in acgbucket apart from objects in the images folders." The first resource in the deny statement targets the log bucket, not the log folder in the acgbucket.
No, the user will not get access to anything. I tried it.
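The evaluation order behind this question (an explicit Deny overrides any Allow, and a request no statement allows is implicitly denied), as an added example that is not part of the original posts. It is a simplified evaluator for this one identity policy only: no conditions, bucket policies, SCPs or permission boundaries, and the object keys in the sample requests are constructed. The last request is a bucket-level action against the bucket ARN itself, which the `acgbucket/*` resource pattern does not match.

```python
import re

# The two statements from the question, wrapped in a policy document.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::log/*", "arn:aws:s3:::acgbucket/images/*"]},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::acgbucket/*"]},
    ],
}

def _match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for st in policy["Statement"]:
        hit = (any(_match(a, action, True) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if not hit:
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"      # a matching Deny always wins
        allowed = True                 # remember the Allow, keep scanning for Deny
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample requests (object keys are made up for illustration).
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::acgbucket/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::acgbucket/images/cat.png"),
    ("s3:GetObject", "arn:aws:s3:::acgbucket/logs/app.log"),
    ("s3:GetObject", "arn:aws:s3:::log/app.log"),
    ("s3:ListBucket", "arn:aws:s3:::acgbucket"),
]

if __name__ == "__main__":
    for action, resource in REQUESTS:
        print(f"{evaluate(POLICY, action, resource):13} {action:14} {resource}")
```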