- 新しい順
- 投票が多い順
- コメントが多い順
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
"Permissions are granted directly to the user. Other policy types do not affect the decision."
If the Resource Policy of an object allows access, the IAM policy that is applied to the user will be ignored.
if an IAM policy denies a user from accessing a specific KMS key, that denial cannot be overridden by the resource policy. In AWS, an explicit deny always takes precedence over any allow. If there is a policy that explicitly denies access to a resource, even if another policy allows access, the deny will win.
It's important to note that the evaluation process for deciding whether a request is allowed or denied is not a simple first-match-wins model. All permissions that apply to a request are evaluated together. If any permission results in a 'deny', the request is denied even if another policy grants access. This is the concept of "explicit deny" in AWS.
So, no, you can't bypass an IAM policy's denial with a resource policy's allow. The explicit deny in the IAM policy would still block access.
Also, see this flowchart in the documentaiton.