AmazonS3ReadOnlyAccess policy.

```json
{
  "Action": "s3:*",
  "Effect": "Deny",
  "Resource": "arn:aws:s3:::ananda-demo-bucket-1/",
  "Principal": "*"
}
```
However, from my EC2 instance I can still list the contents of my bucket. Does this mean that I cannot override the AWS IAM policy with a custom bucket policy, or is the bucket policy I have created wrong?
Yes, it can indeed override the policy, but only where it uses a Deny. If it includes an Allow but the IAM policy includes a Deny, this will not evaluate as Allow.
For your policy to deny all actions inside the S3 bucket, the resource in the bucket policy should include the following:

- arn:aws:s3:::ananda-demo-bucket-1
- arn:aws:s3:::ananda-demo-bucket-1/*

By doing this with a principal of * you would be denying access to everything, so you would no longer be able to interact with this S3 bucket from any resource (including the console). You should be aware of this before making such a large change. Try limiting the actions that you are denying so that management of the S3 bucket can still be used in the console.
To generalise the policy evaluation logic: in any permissions evaluation, if there is a deny from any one of the following, the action will be denied:

The full evaluation flow looks like the below:
For more information take a look at the Policy Evaluation Logic page in the AWS documentation.
Some commands operate at the bucket level, while others operate at the object level.
Try this:

```json
{
  "Action": "s3:*",
  "Effect": "Deny",
  "Resource": [
    "arn:aws:s3:::ananda-demo-bucket-1",
    "arn:aws:s3:::ananda-demo-bucket-1/*"
  ],
  "Principal": "*"
}
```
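A small model of the evaluation rule both answers describe, added here as an example (it is not code from the question or the answers, and not AWS's evaluator): it shows why the posted resource `arn:aws:s3:::ananda-demo-bucket-1/` matches neither a bucket-level call such as ListBucket nor an object-level call, and why an explicit Deny wins whichever policy it comes from. The `READ_ONLY` stand-in for AmazonS3ReadOnlyAccess is a simplified assumption.

```python
import fnmatch

# Toy model of the evaluation rule from the answers above (constructed example, not
# AWS's evaluator): collect every statement from the identity policies and the bucket
# policy whose Action and Resource patterns match the request; an explicit Deny wins,
# else any Allow grants, else the request is implicitly denied. Principal, Condition,
# NotAction/NotResource and SCPs are ignored.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM wildcards: "*" is any run of characters (including "/"), "?" one character.
    return fnmatch.fnmatchcase(value, pattern)

def statement_applies(stmt, action, resource):
    return (any(_matches(a, action) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))

def evaluate(action, resource, identity_policies, bucket_policy):
    """Return 'Allow' or 'Deny' for one request."""
    policies = identity_policies + ([bucket_policy] if bucket_policy else [])
    applicable = [s for p in policies for s in p["Statement"]
                  if statement_applies(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"   # explicit deny in either policy always wins
    if any(s["Effect"] == "Allow" for s in applicable):
        return "Allow"
    return "Deny"       # nothing matched: implicit deny

BUCKET = "arn:aws:s3:::ananda-demo-bucket-1"

# Simplified stand-in for the AmazonS3ReadOnlyAccess managed policy (assumption).
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                            "Resource": "*"}]}
# Bucket policy as posted in the question: the resource ends in "/" and therefore
# matches neither the bucket ARN nor any object ARN.
POSTED = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Principal": "*",
                         "Resource": BUCKET + "/"}]}
# Corrected form: bucket ARN for bucket-level calls, bucket/* for object-level calls.
FIXED = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Principal": "*",
                        "Resource": [BUCKET, BUCKET + "/*"]}]}

if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "ListBucket:", evaluate("s3:ListBucket", BUCKET, [READ_ONLY], policy),
              "GetObject:", evaluate("s3:GetObject", BUCKET + "/a.txt", [READ_ONLY], policy))
```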