Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Resource policy vs IAM policy

0

If a user is blocked from accessing a specific resource (KMS key) by an IAM policy Is it possible to use the KMS key's resource policy to bypass the IAM policy? 45asdf67

Temas
Seguridad, identidad y cumplimiento
Etiquetas
Políticas de IAM
Idioma
English
rePost-User-0688488
preguntada hace un año393 visualizaciones
2 Respuestas
0
Respuesta aceptada

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

"Permissions are granted directly to the user. Other policy types do not affect the decision."

If the Resource Policy of an object allows access, the IAM policy that is applied to the user will be ignored.

rePost-User-0688488
respondido hace un año
0

if an IAM policy denies a user from accessing a specific KMS key, that denial cannot be overridden by the resource policy. In AWS, an explicit deny always takes precedence over any allow. If there is a policy that explicitly denies access to a resource, even if another policy allows access, the deny will win.

It's important to note that the evaluation process for deciding whether a request is allowed or denied is not a simple first-match-wins model. All permissions that apply to a request are evaluated together. If any permission results in a 'deny', the request is denied even if another policy grants access. This is the concept of "explicit deny" in AWS.

So, no, you can't bypass an IAM policy's denial with a resource policy's allow. The explicit deny in the IAM policy would still block access.

profile picture
EXPERTO
Sedat Salman
respondido hace un año
EXPERTO
skinsman
revisado hace un año

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante