I have a user in my IAM account called "testuser" who has administrator privileges, like so:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
And then I have a policy on my S3 bucket that denies this user access, like so:
{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "my-account-id:user/testuser"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}
So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?
Try using the full ARN form for the user ID in the bucket policy:
"Principal": {
  "AWS": ["arn:aws:iam::accountid:user/testuser"]
}
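The following is an added example, not part of the original question or answer: a small offline linter that checks a bucket policy for the principal form the answer recommends, and for a Deny on s3:* whose Resource lists only object ARNs (bucket-level actions such as s3:PutBucketPolicy are evaluated against the bare bucket ARN). The function names, the simplified principal pattern and the account ID 111122223333 are assumptions made for illustration.

```python
import re

# Simplified pattern (assumption) for values under "Principal": {"AWS": ...}:
# "*", a 12-digit account ID, or a full IAM/STS ARN.
PRINCIPAL_RE = re.compile(
    r"^(\*|\d{12}|arn:aws[\w-]*:iam::\d{12}:(root|user/.+|role/.+)"
    r"|arn:aws[\w-]*:sts::\d{12}:(assumed-role|federated-user)/.+)$"
)

def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def lint_bucket_policy(policy):
    """Return (statement index, finding, value) tuples for a bucket policy dict."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        for p in aws:
            if not PRINCIPAL_RE.match(p):
                findings.append((i, "bad-principal", p))
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Deny" or not {"*", "s3:*"} & set(actions):
            continue
        resources = as_list(stmt.get("Resource", []))
        # Object ARNs contain "/"; the part before it is the bucket ARN.
        buckets = {r.split("/", 1)[0] for r in resources if "/" in r}
        for b in sorted(buckets):
            if b not in resources:
                findings.append((i, "deny-misses-bucket-arn", b))
    return findings

def make_policy(principal, resources):
    """Build a one-statement Deny policy shaped like the one in the question."""
    return {"Statement": [{"Effect": "Deny", "Principal": {"AWS": principal},
                           "Action": "s3:*", "Resource": resources}]}

# Constructed samples: the question's policy, and a corrected form.
QUESTION = make_policy("my-account-id:user/testuser", "arn:aws:s3:::my-bucket-name/*")
FIXED = make_policy(["arn:aws:iam::111122223333:user/testuser"],
                    ["arn:aws:s3:::my-bucket-name", "arn:aws:s3:::my-bucket-name/*"])

if __name__ == "__main__":
    for name, pol in (("question", QUESTION), ("fixed", FIXED)):
        print(name, lint_bucket_policy(pol))
```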