David542

Reputation: 110123

Evaluation logic in IAM policy across multiple json policies

For an IAM policy, let's say there are two policies:

  1. A policy with a single statement to allow access.
  2. A second policy with a single statement to deny access.

For example:

// first document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ListRead",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
            "Principal": { "AWS": "arn:aws:iam::12345:group/davidsgroup" }
        }
    ]
}
// second document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3ListRead",
            "Effect": "Deny",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
            "Principal": { "AWS": "arn:aws:iam::12345:user/david" }
        }
    ]
}

How is it determined whether the resource will ultimately be denied to the user if it has conflicting statements? For example, is it by document order? Granularity of principal? Or how is this usually determined when there are multiple policy documents that may apply to a given user?

Upvotes: 5

Views: 677

Answers (1)

jarmod

Reputation: 78583

At the most basic level: explicit deny > explicit allow > implicit deny.

In your example, even though David's IAM group is explicitly allowed to invoke s3:ListAllMyBuckets, David's IAM user is explicitly denied that same action. In this case, the explicit deny trumps the explicit allow and David is denied.

For a deeper dive, see Policy evaluation logic.

Upvotes: 2
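The rule in the answer, as an added toy evaluator that is not part of the question, the answer, or AWS itself: it combines every applicable statement across all policy documents and shows that one matching Deny beats any number of matching Allows regardless of document order. It assumes a simplified model (no conditions, NotAction, SCPs or permissions boundaries) and an invented group membership table in which user/david and a constructed user/alice both belong to davidsgroup.

```python
import fnmatch

# Constructed sample: the two policy documents from the question.
ALLOW_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowS3ListRead", "Effect": "Allow",
                   "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
                   "Principal": {"AWS": "arn:aws:iam::12345:group/davidsgroup"}}],
}
DENY_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyS3ListRead", "Effect": "Deny",
                   "Action": ["s3:ListAllMyBuckets"], "Resource": "*",
                   "Principal": {"AWS": "arn:aws:iam::12345:user/david"}}],
}
# Assumed group membership (not stated on the page): david and alice are in davidsgroup.
GROUPS = {
    "arn:aws:iam::12345:user/david": ["arn:aws:iam::12345:group/davidsgroup"],
    "arn:aws:iam::12345:user/alice": ["arn:aws:iam::12345:group/davidsgroup"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns):
    # IAM-style matching: '*' and '?' wildcards, compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _applies(stmt, principal, action, resource):
    # A statement applies when its Principal, Action and Resource all match the request.
    # A statement without a Principal is treated as an identity-based policy attached
    # to the requesting identity, so it applies to every principal.
    if "Principal" in stmt:
        identities = [principal] + GROUPS.get(principal, [])
        listed = _as_list(stmt["Principal"].get("AWS", []))
        if not any(p == "*" or p in identities for p in listed):
            return False
    return _matches(action, stmt["Action"]) and _matches(resource, stmt["Resource"])

def evaluate(policies, principal, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for the request.
    Document order is irrelevant: one matching Deny wins however many Allows match."""
    decision = "ImplicitDeny"          # nothing matched yet: denied by default
    for doc in policies:
        for stmt in doc["Statement"]:
            if not _applies(stmt, principal, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # short-circuit: explicit deny always wins
            decision = "Allow"         # remember the allow, keep looking for denies
    return decision
```

With both documents loaded, user/david gets ExplicitDeny for s3:ListAllMyBuckets in either document order, the constructed user/alice gets Allow through the group, and an action no statement mentions falls through to ImplicitDeny.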
