Reputation: 5428
I have a user in my IAM account called "testuser" who has administrator privileges, like so:
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
And then I have a policy on my S3 bucket that denies this user access, like so:
```json
{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "my-account-id:user/testuser"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
```
So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?
Upvotes: 11
Views: 6045
Reputation: 122364
Try using the full ARN form for the user ID in the bucket policy:
```json
"Principal": {
  "AWS": ["arn:aws:iam::accountid:user/testuser"]
}
```
Upvotes: 10
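An added example (not from the question or the answer above) that models the evaluation rule both posts rely on: a matching explicit Deny beats any Allow, but a bucket-policy statement only matches when its Principal string equals the caller's full IAM ARN. It also shows why the deny on `my-bucket-name/*` leaves bucket-level actions such as `s3:PutBucketPolicy` allowed. The account id and object key are constructed placeholders, and the matcher is a deliberately simplified model of AWS's logic.

```python
# Simplified model of IAM + bucket policy evaluation (added example, not AWS's code).
import fnmatch

ACCOUNT = "123456789012"                                  # constructed account id
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/testuser"        # what AWS sees as the caller
BUCKET = "arn:aws:s3:::my-bucket-name"

ADMIN_POLICY = [{"Effect": "Allow", "Action": "*", "Resource": "*"}]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # Action/Resource fields accept '*' and '?' wildcards; otherwise the match is exact.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(stmt, caller_arn):
    if "Principal" not in stmt:      # identity-based policy: the principal is implicit
        return True
    princ = stmt["Principal"]
    if princ == "*":
        return True
    # Resource-based policy: exact string comparison, no normalization of short forms.
    return caller_arn in _as_list(princ.get("AWS", []))

def evaluate(identity_policy, bucket_policy, caller_arn, action, resource):
    """Return 'Allow' or 'Deny': explicit Deny > Allow > implicit Deny."""
    decision = "Deny"
    for stmt in identity_policy + bucket_policy:
        if not (_principal_matches(stmt, caller_arn)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # a matching explicit Deny cannot be overridden
        decision = "Allow"
    return decision

def deny_statement(principal):
    return [{"Effect": "Deny", "Principal": {"AWS": principal},
             "Action": "s3:*", "Resource": f"{BUCKET}/*"}]

BROKEN = deny_statement(f"{ACCOUNT}:user/testuser")   # questioner's short form: never matches
FIXED = deny_statement(USER_ARN)                      # answer's full-ARN form: matches

if __name__ == "__main__":
    obj = f"{BUCKET}/secret.txt"                      # constructed object key
    print(evaluate(ADMIN_POLICY, BROKEN, USER_ARN, "s3:GetObject", obj))          # Allow
    print(evaluate(ADMIN_POLICY, FIXED, USER_ARN, "s3:GetObject", obj))           # Deny
    print(evaluate(ADMIN_POLICY, FIXED, USER_ARN, "s3:PutBucketPolicy", BUCKET))  # Allow
```

The third call shows that a deny scoped to `arn:aws:s3:::my-bucket-name/*` does not cover the bucket ARN itself, so an administrator can still edit the bucket policy unless a separate statement denies bucket-level actions on `arn:aws:s3:::my-bucket-name`.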