Can S3 bucket-policy override IAM policy?

0
votes
  1. I have created an S3 bucket and an EC2 instance.
  2. I have attached a role to the EC2 instance that contains AmazonS3ReadOnlyAccess policy.
  3. Used AWS CLI from EC2 instance to list all the content of my S3 bucket
  4. I created a bucket policy that prevents any operation from any principal on that bucket:
"Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::ananda-demo-bucket-1/",
      "Principal": "*"

However, from my EC2 instance I can still list the content of my bucket. Does this mean that I can not override AWS IAM policy with custom bucket policy or the bucket policy which I have created is wrong?

2
amazon-web-servicesamazon-s3
Your Principal is empty. Can you show actually policy, and the instance role? - Marcin
Simple rule: If anything amongst IAM & Bucket Policy denies, then it is denied. Otherwise, if any of them allows, then it is allowed. - John Rotenstein

2 Answers

1
votes

Yes it can indeed override the policy, but only where it uses a Deny. If it includes an Allow but the IAM policy includes a Deny this will not evaluate as Allow.

For your policy to deny all actions inside the S3 bucket the resource in the bucket policy should include the following:

  • arn:aws:s3:::ananda-demo-bucket-1
  • arn:aws:s3:::ananda-demo-bucket-1/*

By doing this with a principal of * you would be denying access to everything, so you would no longer be able to interact with this S3 bucket from any resource (including the console), you should be aware of this before making such a large change. Try limiting the actions that you are denying so that management of the S3 bucket can still be used in the console.

To generalise policy evaluation logic in any permissions evaluation if there is any deny from one of the following the action will be deny:

  • Service Control Policy
  • IAM Boundary
  • Resource Policy
  • IAM Policy

The full evaluation flow looks like the below

enter image description here

For more information take a look at the Policy Evaluation Logic page in the AWS documentation.

0
votes

Some commands operate at the bucket-level, while others operate at the object-level.

Try this:

      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
         "arn:aws:s3:::ananda-demo-bucket-1",
         "arn:aws:s3:::ananda-demo-bucket-1/*",
      ]
      "Principal": "*"