Why doesn't my AWS S3 strategy cancel my IAM policy?

Question

Why doesn't my AWS S3 strategy cancel my IAM policy?

I have a user in my IAM account called "testuser" that has administrator privileges, for example:

{ "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] }

And then I have a policy in my S3 statement that denies this user access, for example:

 { "Statement": [ { "Effect": "Deny", "Principal": { "AWS": "my-account-id:user/testuser" }, "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket-name/*" } ] }

So, an explicit ban on S3 byte policy is to override permission from IAM policy policy? But when I log in as testuser, I still have access to everything in this bucket - I even have access to change or delete the bucket policy for this bucket (and for every other bucket). Why is my explicit refusal to do anything?

+6

amazon-web-services amazon-iam permissions policy bucket

Dasmowenator Jul 21 '12 at 21:18

source share

1 answer

Ian roberts · Accepted Answer · 2012-07-21T23:03:34+0000

Try using the full ARN form for the user ID in the bucket policy:

 "Principal": { "AWS":["arn:aws:iam::accountid:user/testuser"] }

Why doesn't my AWS S3 strategy cancel my IAM policy?

More articles: