Does AWS policy block all operations not specified in the policy?

Time:10-30

For example,

{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}

This policy allows Dave to execute 3 operations on awsexamplebucket1 in S3. Then how about other operations, like creating objects in awsexamplebucket1? Are those operations blocked or not?

CodePudding user response:

You need to read the Policy Evaluation Logic. All other actions are implicitly denied. This means that they are denied, unless there is another policy that allows them.

Copying from the link above:

The following is a summary of the AWS evaluation logic for policies within a single account.

  • By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.
  • An explicit allow in an identity-based or resource-based policy overrides this default.
  • If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
  • An explicit deny in any policy overrides any allows.

CodePudding user response:

Typically you would assign the listed permissions on this bucket to Dave directly (via policies attached to the Dave IAM User or one of his IAM Groups). You would not do this in the S3 bucket policy.

In answer to your question, no, this bucket policy doesn't block other, non-listed operations on the bucket. But, by default, no other permissions exist.

If, however, Dave had additional S3 permissions related to this bucket from his IAM User or IAM Group policies then those would supplement the permissions listed in the bucket policy.
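A small evaluator, added here and not taken from either answer, that applies the single-account rules quoted above (implicit deny by default, explicit allow, explicit deny wins) to the question's bucket policy, and then adds identity-based policies for Dave the way the second answer describes. Dave's identity policies, the object key and the function names are constructed for this example; the root-user exception, SCPs, permissions boundaries and session policies are left out.

```python
import fnmatch

# The bucket policy from the question (only the fields the evaluation needs).
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
    "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::awsexamplebucket1/*", "arn:aws:s3:::awsexamplebucket1"],
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(statement, principal, action, resource):
    """True if the statement applies to this principal, action and resource.
    Identity-based policies carry no Principal: they apply to the user they are
    attached to, so only resource-based statements are checked for principal."""
    principals = statement.get("Principal")
    if principals is not None:
        allowed = _as_list(principals.get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    # IAM wildcards (* and ?) behave like shell globs for this purpose.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))

def evaluate(policies, principal, action, resource):
    """Simplified single-account decision: a matching explicit Deny wins over
    everything; otherwise any matching Allow grants; otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, principal, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

DAVE = "arn:aws:iam::123456789012:user/Dave"
OBJ = "arn:aws:s3:::awsexamplebucket1/report.csv"  # constructed object key
# Constructed identity-based policies attached to Dave (not on the page).
DAVE_ALLOW_PUT = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                                 "Resource": "arn:aws:s3:::awsexamplebucket1/*"}]}
DAVE_DENY_PUT = {"Statement": [{"Effect": "Deny", "Action": "s3:PutObject",
                                "Resource": "arn:aws:s3:::*"}]}

if __name__ == "__main__":
    print(evaluate([BUCKET_POLICY], DAVE, "s3:GetObject", OBJ))                  # Allow
    print(evaluate([BUCKET_POLICY], DAVE, "s3:PutObject", OBJ))                  # ImplicitDeny
    print(evaluate([BUCKET_POLICY, DAVE_ALLOW_PUT], DAVE, "s3:PutObject", OBJ))  # Allow
    print(evaluate([BUCKET_POLICY, DAVE_ALLOW_PUT, DAVE_DENY_PUT], DAVE, "s3:PutObject", OBJ))  # ExplicitDeny
```

The second and third calls show the point both answers make: the bucket policy alone leaves s3:PutObject implicitly denied, and an allow in Dave's own identity policy supplements it rather than being blocked by it.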
