- Newest
- Most votes
- Most comments
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
"Permissions are granted directly to the user. Other policy types do not affect the decision."
If the Resource Policy of an object allows access, the IAM policy that is applied to the user will be ignored.
if an IAM policy denies a user from accessing a specific KMS key, that denial cannot be overridden by the resource policy. In AWS, an explicit deny always takes precedence over any allow. If there is a policy that explicitly denies access to a resource, even if another policy allows access, the deny will win.
It's important to note that the evaluation process for deciding whether a request is allowed or denied is not a simple first-match-wins model. All permissions that apply to a request are evaluated together. If any permission results in a 'deny', the request is denied even if another policy grants access. This is the concept of "explicit deny" in AWS.
So, no, you can't bypass an IAM policy's denial with a resource policy's allow. The explicit deny in the IAM policy would still block access.
Relevant content
- asked 3 months ago
- asked 2 years ago
- Accepted Answerasked a year ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
Also, see this flowchart in the documentaiton.