So I've got two policies doing pretty much exactly the same thing, but one works and one doesn't within the IAM policy simulator, even though I'm setting the ARN and IpAddress to the same values in both queries.
Working policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt2",
      "Effect": "Allow",
      "Action": "kms:Encrypt",
      "Resource": [
        "arn:aws:kms:us-east-1:11111111:key/bla-bla"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "12.12.12.12"
          ]
        }
      }
    }
  ]
}
I then reverse the Allow on encrypt to Deny and switch the IpAddress to NotIpAddress:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1",
      "Effect": "Deny",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt2",
      "Effect": "Deny",
      "Action": "kms:Encrypt",
      "Resource": [
        "arn:aws:kms:us-east-1:11111111:key/bla-bla"
      ],
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "12.12.12.12"
          ]
        }
      }
    }
  ]
}
The latter one does not work, and I'm baffled as to why. Any insights?!
The error message back is "Implicitly denied (no matching statements)", and I'm interpreting this as it saying "you haven't specified an allow, so you've no access to this", but I actually have the same implementation for another key I'm using and it works fine.
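The simulator result follows from IAM's evaluation order, which the following toy evaluator models. It is added here as an illustration and is neither AWS code nor the asker's code: a matching explicit Deny always wins, otherwise a matching Allow grants the request, otherwise the request is implicitly denied. A Deny statement whose NotIpAddress condition is false for the listed IP simply does not apply to that request; nothing in the second policy ever evaluates to Allow, so the listed IP ends up with "no matching statements". The key ARN, account id and IP are the constructed values from the question; the policy and statement names, the `evaluate` and `compare` helpers, and the third policy (the Deny-with-NotIpAddress paired with an unconditional Allow, the usual way to carve an IP exception out of a grant) are this example's own.

```python
# Toy IAM policy evaluator, added as an illustration for the question above.
# It is not AWS code and not the asker's code; it models the documented
# evaluation order for one identity-based policy: an applicable explicit
# Deny wins, otherwise an applicable Allow grants access, otherwise the
# request is implicitly denied. Only what the posted policies need is
# implemented: exact action names, "*" or exact ARNs, and the IpAddress /
# NotIpAddress operators on aws:SourceIp.
import ipaddress

KEY_ARN = "arn:aws:kms:us-east-1:11111111:key/bla-bla"  # constructed ARN from the question
OFFICE_IP = "12.12.12.12"  # constructed sample IP from the question


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, wanted):
    # IAM also supports wildcards inside names; the toy only needs "*" or exact.
    return any(p == "*" or p == wanted for p in _as_list(patterns))


def _source_ip_in(source_ip, cidrs):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(stmt, source_ip):
    """True when every condition operator in the statement is satisfied."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator not in ("IpAddress", "NotIpAddress") or set(keys) != {"aws:SourceIp"}:
            raise NotImplementedError(f"toy evaluator: unsupported condition {operator} {sorted(keys)}")
        inside = _source_ip_in(source_ip, keys["aws:SourceIp"])
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # default when no statement grants access
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt, source_ip):
            continue  # the statement does not apply to this request at all
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an applicable Deny overrides any Allow
        decision = "Allow"  # keep scanning: a later applicable Deny still wins
    return decision


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


DENY_DECRYPT = {"Sid": "DenyDecrypt", "Effect": "Deny",
                "Action": ["kms:Decrypt"], "Resource": ["*"]}

# Policy 1 from the question: Allow encrypt, but only from OFFICE_IP.
ALLOW_FROM_IP = _policy(DENY_DECRYPT, {
    "Sid": "AllowEncryptFromIp", "Effect": "Allow", "Action": "kms:Encrypt",
    "Resource": [KEY_ARN],
    "Condition": {"IpAddress": {"aws:SourceIp": [OFFICE_IP]}}})

# Policy 2 from the question: Deny encrypt from anywhere except OFFICE_IP.
# No statement can evaluate to Allow, so OFFICE_IP is implicitly denied.
DENY_OUTSIDE_IP = _policy(DENY_DECRYPT, {
    "Sid": "DenyEncryptOutsideIp", "Effect": "Deny", "Action": "kms:Encrypt",
    "Resource": [KEY_ARN],
    "Condition": {"NotIpAddress": {"aws:SourceIp": [OFFICE_IP]}}})

# The usual way to use NotIpAddress: pair the Deny with an unconditional Allow.
# The Deny then carves the exception out of the grant instead of replacing it.
DENY_OUTSIDE_PLUS_ALLOW = _policy(*DENY_OUTSIDE_IP["Statement"], {
    "Sid": "AllowEncrypt", "Effect": "Allow", "Action": "kms:Encrypt",
    "Resource": [KEY_ARN]})


def compare(source_ip, action="kms:Encrypt"):
    """Decision of each policy for the same request, keyed by policy name."""
    return {name: evaluate(pol, action, KEY_ARN, source_ip) for name, pol in (
        ("allow_from_ip", ALLOW_FROM_IP),
        ("deny_outside_ip", DENY_OUTSIDE_IP),
        ("deny_outside_plus_allow", DENY_OUTSIDE_PLUS_ALLOW))}


if __name__ == "__main__":
    for ip in (OFFICE_IP, "10.0.0.1"):  # 10.0.0.1 is a constructed "elsewhere" address
        print(ip, compare(ip))
```

Running it shows the asymmetry directly: from 12.12.12.12 the first policy allows kms:Encrypt and the second returns ImplicitDeny, while from any other address the second policy returns ExplicitDeny. The Deny-plus-Allow variant gives Allow at the listed IP and ExplicitDeny everywhere else, which is the behaviour a NotIpAddress guard is normally meant to produce; the evaluator deliberately stops at explicit Deny so that a later Allow can never override it.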