Recognizing that you may have only posted a snippet of the policy: do you have a blanket 'deny' in your policy as well? That will deny any action not explicitly allowed.
Access Analyzer may help you troubleshoot your policy as well.
If I'm reading this correctly, you're creating IAM role policies (no implicit deny), not resource policies (which have an implicit deny). If the flow is Adopt IAM Role --> authorize into "Access Point" --> Bucket Policy, then what is happening is that the access point is allowing people in via the various role/Finance or role/HR. You would need to evaluate whether the access point adopts a specific role (finance only) or has all of the identity policies attached to it.
If the access point has all of the identity policies attached to it, then I think this may be coming into play: "Identity-based policies are attached to an IAM identity (user, group of users, or role) and grant permissions to IAM entities (users and roles). If only identity-based policies apply to a request, then AWS checks all of those policies for at least one Allow."
Potentially, you could also write attribute-based access control, where the role takes on a tag and you add that tag into the bucket policy to decide which tags get you where.
For the policy evaluation flow chart, look here.
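The evaluation order this answer relies on (an explicit Deny in any applicable policy wins, otherwise at least one Allow is required, otherwise the request is implicitly denied) and the tag-based bucket policy it suggests are shown below as an added Python example. It is not the answerer's code and not the real AWS engine: it pools identity and resource policies the way a same-account request is evaluated, and it assumes a made-up bucket name, a principal tag named `department`, and an extra TLS-only Deny statement added purely to show an explicit Deny overriding an Allow.

```python
"""Toy evaluator for the IAM policy logic discussed in the answer above.

Constructed example: a simplified model of AWS's same-account evaluation order
(explicit Deny in any applicable policy wins, then any Allow suffices, otherwise
the request is implicitly denied) together with ABAC via the
${aws:PrincipalTag/...} policy variable. It is NOT the real AWS engine; the
bucket name, tag key and request contexts are made up for illustration.
"""
import fnmatch
import re

BUCKET = "example-dept-bucket"  # assumed bucket name, not from the thread

# Identity-based policy attached to both the Finance and HR roles (assumed).
IDENTITY_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}"},
    ]
}

# Resource-based bucket policy using ABAC: the principal's 'department' tag is
# substituted into the Resource ARN, so each role only reaches its own prefix.
BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/${{aws:PrincipalTag/department}}/*"},
        # Explicit Deny beats any Allow: refuse plaintext (non-TLS) requests.
        {"Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    """Expand ${key} policy variables from the request context.

    An unresolvable variable is left as literal text, so the statement simply
    fails to match (a role without the tag gets nothing)."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), pattern)


def _condition_holds(condition, ctx):
    """Support the two condition operators used above: StringEquals and Bool."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a condition
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, _substitute(r, ctx))
                      for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Identity and resource policies are pooled, which is the same-account rule:
    an Allow in either kind is enough. Cross-account access needs an Allow on
    both sides, which this toy does not model."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _statement_matches(s, action, resource, ctx)}
    if "Deny" in effects:
        return "ExplicitDeny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


def demo():
    """Run the constructed requests; every context below is made up."""
    policies = [IDENTITY_POLICY, BUCKET_POLICY]
    finance = {"aws:PrincipalTag/department": "finance", "aws:SecureTransport": "true"}
    hr = {"aws:PrincipalTag/department": "hr", "aws:SecureTransport": "true"}
    untagged = {"aws:SecureTransport": "true"}

    def obj(prefix):
        return f"arn:aws:s3:::{BUCKET}/{prefix}/report.csv"

    return {
        "finance_reads_finance": evaluate(policies, "s3:GetObject", obj("finance"), finance),
        "finance_reads_hr": evaluate(policies, "s3:GetObject", obj("hr"), finance),
        "hr_reads_hr": evaluate(policies, "s3:GetObject", obj("hr"), hr),
        "untagged_reads_finance": evaluate(policies, "s3:GetObject", obj("finance"), untagged),
        "finance_over_plaintext": evaluate(policies, "s3:GetObject", obj("finance"),
                                           {**finance, "aws:SecureTransport": "false"}),
        "finance_lists_bucket": evaluate(policies, "s3:ListBucket",
                                         f"arn:aws:s3:::{BUCKET}", finance),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25} {verdict}")
```

The `finance_reads_hr` and `untagged_reads_finance` cases end as `ImplicitDeny` without any Deny statement being written, which is the point raised in the answer: with no explicit Deny anywhere, a request still fails whenever no statement in any applicable policy allows it. The TLS case ends as `ExplicitDeny` even though the ABAC statement would have allowed it.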
Hi, these are the complete policies. I don't have any explicit deny rule stated on the access point policy, the bucket policy, or the IAM policy.