Jira ticket on S3 contradicting policies.

jaffar shaik
3 min read · Mar 20, 2024

This article explains in detail how contradicting S3 bucket policies are evaluated when a resource has both Allow and Deny statements.
Write an S3 bucket policy for a bucket named mybucket with the following conditions:

Part 1:

  1. Deny any IAM user or role within the AWS account the following actions on the bucket itself and on the objects in it.
  2. Deny the following permissions:
    s3:PutObjectAcl, s3:PutEncryptionConfiguration, s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy
  3. Condition: if the request doesn't use secure transport (aws:SecureTransport is false), the deny effect is applied.

Part 2:
Deny all S3 actions.
Allow SSL requests only, i.e. requests without secure transport are denied.

Part 3:

All S3 actions are allowed, but access is granted only if aws:userId matches one of the specified values: "my-custom-role-1", "my-custom-role-2", "my-custom-role-3".

Part 4:

Give full access to the S3 bucket, but allow access only if aws:userId matches "AWSReservedSSO_IAC-Developer".

Key observations, Part 1:

Although aws:userId="AWSReservedSSO_IAC-Developer" has full access on S3, this user ID can't perform the actions below:

  1. s3:PutObjectAcl, s3:PutEncryptionConfiguration, s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy
    This user can't perform the actions above because they are denied in Part 1.
  2. Anything that is denied has higher priority than anything that is allowed, hence the user can perform all S3 actions other than s3:PutObjectAcl, s3:PutEncryptionConfiguration, s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy.
  3. Principals whose aws:userId matches one of the specified values "my-custom-role-1", "my-custom-role-2", "my-custom-role-3" have full access on S3: they can perform all S3 actions other than s3:PutObjectAcl, s3:PutEncryptionConfiguration, s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy.
  4. Even though the aws:userId values "my-custom-role-1", "my-custom-role-2", "my-custom-role-3" have full access on S3, they can't perform s3:PutObjectAcl, s3:PutEncryptionConfiguration, s3:PutBucketPolicy, s3:PutBucketAcl, s3:DeleteBucketPolicy, because those actions are denied in Part 1.

If you’re experiencing contradictory policies in AWS S3 that both allow and deny access, it’s important to understand how S3 evaluates permissions.

No matter how many policies there are, an explicit Deny overrides everything else.

1. Explicit Deny: If there’s an explicit deny in any policy, it overrides any allow. This means if there’s a statement explicitly denying access to a particular action or resource, that denial takes precedence over any allow statements.

2. Explicit Allow: If there’s no explicit deny, but there is an explicit allow, access is granted.

3. Implicit Deny: If there’s neither an explicit allow nor deny, access is denied by default.
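To make the three rules and the four policy parts concrete, here is an added example (not code from the original article) that writes the mybucket policy as a Python dict with the same shape as the JSON bucket policy and runs a simplified evaluator over it. The evaluator models only this one bucket policy (no IAM identity policies, SCPs or ACLs) and only the Bool and StringEquals condition operators the policy needs. Two assumptions are labelled in the code: Part 1 is modelled as an unconditional deny of the five sensitive actions, because the key observations state those actions are denied for every principal while Part 2 already carries the aws:SecureTransport deny; and the aws:userId values are the article's placeholders, whereas real values are unique IDs such as AIDA... for users or AROA...:session-name for assumed roles.

```python
"""Simplified simulation of how a single S3 bucket policy is evaluated.

Constructed example: the four-part policy from the article as a Python
dict, plus evaluate(), which applies the three rules in order:
explicit Deny wins, otherwise an explicit Allow grants, otherwise the
request is implicitly denied.
"""
import fnmatch

BUCKET = "mybucket"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/*"

# Part 1: the five management actions that are always denied.
SENSITIVE_ACTIONS = [
    "s3:PutObjectAcl",
    "s3:PutEncryptionConfiguration",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
    "s3:DeleteBucketPolicy",
]

# Constructed policy document. The aws:userId values are the article's
# placeholders; real values look like AIDA... or AROA...:session-name.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Part 1 (assumption: modelled without a SecureTransport condition)
            "Sid": "DenySensitiveActions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": SENSITIVE_ACTIONS,
            "Resource": [BUCKET_ARN, OBJECT_ARN],
        },
        {   # Part 2: deny every S3 action that does not use TLS
            "Sid": "AllowSSLRequestsOnly",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, OBJECT_ARN],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Part 3: allow all S3 actions for the three custom roles
            "Sid": "AllowCustomRoles",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, OBJECT_ARN],
            "Condition": {"StringEquals": {"aws:userId": [
                "my-custom-role-1", "my-custom-role-2", "my-custom-role-3"]}},
        },
        {   # Part 4: full access for the SSO developer principal
            "Sid": "AllowSSODeveloper",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, OBJECT_ARN],
            "Condition": {"StringEquals": {"aws:userId": "AWSReservedSSO_IAC-Developer"}},
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the Bool and StringEquals operators against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {operator} is not modelled here")
    return True


def _statement_matches(stmt, action, resource, context):
    """A statement applies when action, resource and every condition match."""
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    matching = [s for s in policy["Statement"]
                if _statement_matches(s, action, resource, context)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "explicit deny"   # rule 1: any matching Deny wins
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"           # rule 2: a matching Allow grants access
    return "implicit deny"       # rule 3: nothing matched


if __name__ == "__main__":
    sso = {"aws:userId": "AWSReservedSSO_IAC-Developer", "aws:SecureTransport": "true"}
    print(evaluate(BUCKET_POLICY, "s3:GetObject", f"{BUCKET_ARN}/report.csv", sso))
    print(evaluate(BUCKET_POLICY, "s3:PutBucketPolicy", BUCKET_ARN, sso))
```

Running the script reproduces the key observations: the SSO developer and the three custom roles get "allow" for ordinary actions such as s3:GetObject, but "explicit deny" for any of the five Part 1 actions, because the Deny in Part 1 matches before the Allow in Part 3 or Part 4 is even considered. A request over plain HTTP is denied for everyone by Part 2, and a principal that none of the Allow statements name falls through to "implicit deny".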

Case 1:

Explicit Deny: Let’s say you have a policy that explicitly denies access to a particular S3 bucket for a certain IAM user:

In this case, even if there are other policies or statements that allow access to the example-bucket, this explicit deny statement overrides them, and access is denied for the user example-user.

Case 2:

Explicit Allow:

Here’s an example of a policy that explicitly allows access to a specific S3 bucket for a certain IAM user:

In this case, since there's an explicit allow statement granting access to example-bucket for example-user and no explicit deny applies, access is granted.
