s3 bucket/IAM user policy "Deny takes priority above all other access"?

Question

Two policies, got one "Deny", I should not be able to do any operations to bucket, but I can still list and view bucket objects. Why? Thanks

S3 bucket policy

{
    "Sid": "S3DenyAccess",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "*",
    "Resource": "arn:aws:s3:::<YOURBUCKETHERE>/*"
}

IAM user policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConsoleAccess",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Answer 1

Try changing the Resource in the Bucket policy to include both the bucket alone and the bucket with objects:

"Resource": [
    "arn:aws:s3:::<YOURBUCKETHERE>",
    "arn:aws:s3:::<YOURBUCKETHERE>/*"
]

Hope that helps :)

Answer 2

AWS Policy Evaluation Logic would be a useful read. In short, an explicit deny wins. It's not relevant here though.

IAM

Your IAM user policy is saying "this user can list all buckets a get bucket locations".

Bucket Policy

Your bucket policy for one specific bucket is saying "explicitly deny permissions for anyone to do anything to object inside the bucket". The "/*" at the end of the resource means the policy applies "inside the bucket", whereas if you omit those it means the policy applies to the bucket itself.

Combined

So your combined policies say all the user can list buckets and get bucket locations but cannot do anything with objects inside the bucket. I'm surprised you can list objects in the bucket and view the bucket objects. I suspect another policy is in play here, because the AWS default deny says it shouldn't be showing you anything.

Other Opinions

If anyone can spot something I've missed please point it out :)