The S3 resource access security policy diagram, presented at 3:30 in the "S3" lecture, looks wrong to me.
The diagram shows that if there is no IAM policy allowing a user access to an S3 resource, that user is immediately denied access.
But my understanding is different.
In the re:Invent video linked in this lesson's pro-tips, "AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less" (https://www.youtube.com/watch?v=YQsK4MtsELU),
at 12:30 she says: "If you are within an account, you need either IAM policies to say yes or resource-based policy to say yes".
So – and I think this is the trick – as long as there is no explicit deny in the IAM policy denying access to the S3 resource, then even if, in the first box of the diagram shown in the lesson, the user is not explicitly allowed access to the resource, access is not denied at this stage of the permission evaluation.
The way it is presented, it really looks like you need an allow in both the IAM policy and the resource policy.
I think a more accurate diagram would show a first box saying something like "is your user explicitly denied access to me?" and invert the "yes" and "no" arrows.
It feels like a subtle yet very important nuance.
Not sure I completely follow, but do remember that every IAM user in an account has an implicit deny to start with, so if there isn't an explicit IAM policy granting access, you don't get in.
You can read about all this here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
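The same-account evaluation order described on that AWS documentation page (explicit deny first, then any allow from an identity-based or resource-based policy, otherwise implicit deny), as an added illustration that is not from either poster or from AWS. It ignores Condition elements, SCPs, permission boundaries and session policies, and the account id, user and bucket names are constructed placeholders.

```python
# Added illustration of the same-account policy evaluation order from the AWS
# policy-evaluation-logic page linked above. Simplified: no Condition elements,
# no SCPs/permission boundaries/session policies, and the principal is assumed
# to be in the same account as the bucket.
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, principal, action, resource):
    """True if this statement's Action/Resource (and Principal, if present) cover the request."""
    if not any(fnmatch(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    if "Principal" in stmt:  # only resource-based policies carry a Principal element
        p = stmt["Principal"]
        allowed = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if not any(fnmatch(principal, a) for a in allowed):
            return False
    return True

def evaluate(identity_policies, resource_policies, principal, action, resource):
    """Return 'EXPLICIT_DENY', 'ALLOW' or 'IMPLICIT_DENY' for a same-account request."""
    statements = [s for pol in identity_policies + resource_policies for s in pol["Statement"]]
    applicable = [s for s in statements if _matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "EXPLICIT_DENY"          # an explicit Deny in any policy always wins
    if any(s["Effect"] == "Allow" for s in applicable):
        return "ALLOW"                  # either policy type may supply the Allow
    return "IMPLICIT_DENY"              # nothing allowed it: the default verdict

# Constructed sample policies (placeholder account id, user and bucket name).
USER = "arn:aws:iam::111122223333:user/alice"
BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"
IDENTITY_ALLOW = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}
IDENTITY_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_OBJECTS}]}
BUCKET_ALLOW = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER},
                               "Action": "s3:GetObject", "Resource": BUCKET_OBJECTS}]}
REQ = (USER, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv")

if __name__ == "__main__":
    print("identity allow only  :", evaluate([IDENTITY_ALLOW], [], *REQ))
    print("bucket policy only   :", evaluate([], [BUCKET_ALLOW], *REQ))
    print("no allow anywhere    :", evaluate([], [], *REQ))
    print("explicit deny + allow:", evaluate([IDENTITY_DENY], [BUCKET_ALLOW], *REQ))
```

The second case is the one the thread is about: with no identity-based allow at all, a bucket-policy allow for the same-account user is still sufficient, while the fourth case shows that an explicit deny overrides any allow.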