Evaluation logic in IAM policy across multiple JSON policies

For an IAM policy, let’s say there are two policies:

  1. A policy with a single statement to allow access.
  2. A second policy with a single statement to deny access.

For example:

// first document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3ListRead",
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
            "Principal": { "AWS": "arn:aws:iam::12345:group/davidsgroup" }
        }
    ]
}
// second document
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3ListRead",
            "Effect": "Deny",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "*",
            "Principal": { "AWS": "arn:aws:iam::12345:user/david" }
        }
    ]
}

How is it determined whether the resource will ultimately be denied to the user if it has conflicting statements? For example, is it by document order? Granularity of principal? Or how is this usually determined when there are multiple policy documents that may apply to a given user?

Solution:

At the most basic level: explicit deny > explicit allow > implicit deny.

In your example, even though David’s IAM group is explicitly allowed to invoke s3:ListAllMyBuckets, David’s IAM user is explicitly denied that same action. In this case, the explicit deny trumps the explicit allow and David is denied.

For a deeper dive, see Policy evaluation logic.
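To make the ordering rule concrete, the following is an added example (not code from the question or the answer, and not AWS's actual evaluator) that simulates the "explicit deny > explicit allow > implicit deny" logic over the two policy documents from the question. It assumes that a policy attached to a group applies to every member, so David's request is evaluated with both his user ARN and his group ARN as principals; Conditions, NotAction/NotResource, permission boundaries and SCPs are deliberately not modelled.

```python
"""Simplified simulation of IAM policy evaluation across several documents.

Added example; it is not the original post's code nor AWS's implementation.
It models only the rule stated in the answer: an explicit Deny in any
applicable statement wins, otherwise an explicit Allow grants access,
otherwise the request is implicitly denied. Conditions, NotAction,
NotResource, permission boundaries and SCPs are out of scope.
"""
import fnmatch
import json

# Constructed sample documents, copied from the question: David's group is
# allowed to list buckets, David's user is explicitly denied the same action.
ALLOW_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowS3ListRead",
        "Effect": "Allow",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": "*",
        "Principal": {"AWS": "arn:aws:iam::12345:group/davidsgroup"},
    }],
})
DENY_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3ListRead",
        "Effect": "Deny",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": "*",
        "Principal": {"AWS": "arn:aws:iam::12345:user/david"},
    }],
})

# Assumption: a group policy applies to its members, so David's request is
# evaluated with both his user ARN and his group ARN.
DAVID = ["arn:aws:iam::12345:user/david", "arn:aws:iam::12345:group/davidsgroup"]


def _as_list(value):
    """IAM allows most fields to be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match ('*' and '?') for Action/Resource; action names are case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arns):
    """True when the statement names one of the caller's ARNs, '*', or has no Principal."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    named = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in named or any(arn in named for arn in principal_arns)


def evaluate(policy_docs, principal_arns, action, resource="*"):
    """Return (decision, reason) for a request, independent of document order."""
    allows, denies = [], []
    for raw in policy_docs:
        doc = json.loads(raw) if isinstance(raw, str) else raw
        for stmt in _as_list(doc["Statement"]):
            if not _principal_matches(stmt, principal_arns):
                continue
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            (denies if stmt["Effect"] == "Deny" else allows).append(stmt.get("Sid", "<no Sid>"))
    # Precedence: explicit deny > explicit allow > implicit deny.
    if denies:
        return "Deny", "explicit deny by " + ", ".join(denies)
    if allows:
        return "Allow", "explicit allow by " + ", ".join(allows)
    return "Deny", "implicit deny (no matching Allow statement)"


if __name__ == "__main__":
    for docs in ([ALLOW_DOC, DENY_DOC], [DENY_DOC, ALLOW_DOC]):
        print(evaluate(docs, DAVID, "s3:ListAllMyBuckets"))
```

Running it prints the same verdict for both document orders, which is the point of the answer: the order in which the documents are listed does not matter, and a more specific principal does not override a less specific one; any applicable explicit Deny ends the evaluation. Another group member who is not named in the Deny statement gets the Allow, and an action no statement mentions falls through to the implicit deny.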
