1

I have a question. Let's assume I attached the IAM policy "EC2FullAccess" to a user and then added that specific user to a group, but that group doesn't have the "EC2FullAccess" policy. Will he still be able to access EC2?

Paolo
ii_7sn001
    The standard guide for policy evaluation logic: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html – luk2302 Mar 11 '23 at 13:55

1 Answer

2

No, one doesn't take precedence over the other. They are "combined". The user would have all the permissions applied to the group, plus all the permissions applied to their individual account.

The exception is a Deny statement in a policy, which always takes precedence over any Allow statement.

Mark B
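The combining rule described in the answer above, as an added example that is not part of the original answer: a simplified evaluator for identity-based policies only. The policy documents and the `evaluate` helper are constructed for illustration; it assumes `Resource` is `*` and ignores conditions, permissions boundaries, SCPs and resource-based policies.

```python
from fnmatch import fnmatchcase

# Constructed policy documents (simplified: Resource is "*", no Condition).
EC2_FULL = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
S3_READ = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "*"}]}
DENY_TERMINATE = {"Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}


def _as_list(value):
    # IAM allows a single item or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    # Action names are case-insensitive and may use * and ? wildcards.
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(statement["Action"]))


def evaluate(action, user_policies, group_policies):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one action."""
    # Policies on the user and on all of the user's groups form one pool;
    # where a statement is attached makes no difference to the result.
    statements = [s for doc in user_policies + group_policies
                  for s in _as_list(doc["Statement"])]
    matching = [s for s in statements if _matches(s, action)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "ExplicitDeny"   # a Deny always beats any Allow
    if any(s["Effect"] == "Allow" for s in matching):
        return "Allow"
    return "ImplicitDeny"       # nothing matched: denied by default


if __name__ == "__main__":
    # The question's case: EC2 access on the user, a group without it.
    print(evaluate("ec2:RunInstances", [EC2_FULL], [S3_READ]))
    # A Deny attached to the group overrides the user's own Allow.
    print(evaluate("ec2:TerminateInstances", [EC2_FULL], [DENY_TERMINATE]))
```
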