
I have a user in my IAM account called "testuser" who has administrator privileges, like so:

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

And then I have a policy on my S3 bucket that denies this user access, like so:

{
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "my-account-id:user/testuser"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy, right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?

Dasmowenator

1 Answer

Try using the full ARN form for the user ID in the bucket policy:

"Principal": {
  "AWS":["arn:aws:iam::accountid:user/testuser"]
}
Ian Roberts
  • Thanks for the response - unfortunately this didn't have any effect – Dasmowenator Jul 22 '12 at 04:09
  • The policies you have specified should prevent `testuser` from getting/putting/deleting objects within the bucket but will _not_ prevent them from listing the bucket contents. For that you'd have to use `"Resource": ["arn:aws:s3:::my-bucket-name/*","arn:aws:s3:::my-bucket-name"]` in the deny rule (because actions like `ListBucket` are controlled by the bucket ARN rather than the bucket/* one). – Ian Roberts Jul 22 '12 at 09:16
  • @Ian, your explanation in the above comment still holds good even after more than 1.5 years. It just helped me. – slayedbylucifer Feb 13 '14 at 07:40
  • How does one write a bucket policy to override the IAM policy for all users in that account? – Alexandre Thenorio Dec 05 '17 at 13:17
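The answer and the comments describe three separate reasons the deny in the question does not bite: the principal is not a full ARN, the `/*` resource only covers object-level actions, and bucket-level actions such as `ListBucket` and `PutBucketPolicy` are evaluated against the bucket ARN. The following is an added example, not code from the thread, that models the same-account evaluation rule (explicit deny in any applicable policy wins, otherwise an allow is required) so each of those cases can be checked offline; the account id, bucket name and the `evaluate`/`bucket_policy` helpers are constructed for this illustration.

```python
import fnmatch

# Constructed fixtures: placeholder account id, the question's bucket name,
# and the admin identity policy from the question.
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/testuser"
BUCKET = "arn:aws:s3:::my-bucket-name"
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def bucket_policy(resources, principal=USER_ARN):
    """Deny statement in the shape used in the thread; `resources` may be a
    string or a list, `principal` defaults to the full user ARN."""
    return {"Statement": [{"Effect": "Deny",
                           "Principal": {"AWS": [principal]},
                           "Action": "s3:*",
                           "Resource": resources}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, principal, action, resource):
    # Resource-based policies name a Principal; in this model only an exact
    # full-ARN match counts, so a short form like "acct:user/x" never matches.
    if "Principal" in stmt:
        if principal not in _as_list(stmt["Principal"].get("AWS", [])):
            return False
    # IAM wildcards behave like glob '*' and '?', which fnmatchcase provides.
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def evaluate(principal, action, resource, *policies):
    """Simplified same-account evaluation: any applicable explicit Deny wins;
    otherwise an applicable Allow is needed; otherwise implicit deny."""
    effects = [s["Effect"] for p in policies for s in p["Statement"]
               if _matches(s, principal, action, resource)]
    if "Deny" in effects:
        return "explicit-deny"
    return "allow" if "Allow" in effects else "implicit-deny"
```

Run `evaluate(USER_ARN, "s3:PutBucketPolicy", BUCKET, IDENTITY_POLICY, bucket_policy(BUCKET + "/*"))` to see why the asker could still edit the policy: the bucket-level action is not covered until the bare bucket ARN is added to the deny's resources.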