Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why Doesn't My AWS S3 Bucket Policy Override My IAM Policy?

I have a user in my IAM account called "testuser" who has administrator privileges, like so:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

And then I have a policy on my S3 bucket that denies this user access, like so:

{
  "Statement": [
    {
  "Effect": "Deny",
  "Principal": {
    "AWS": "my-account-id:user/testuser"
  },
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?

like image 907
Dasmowenator Avatar asked Jul 21 '12 21:07

Dasmowenator


1 Answers

Try using the full ARN form for the user ID in the bucket policy:

"Principal": {
  "AWS":["arn:aws:iam::accountid:user/testuser"]
}
like image 115
Ian Roberts Avatar answered Oct 01 '22 15:10

Ian Roberts