
How are these AWS bucket policy permissions working?

I have the following bucket policy which is working, but it seems to me that the logic is reversed. It seems like 'ArnLike' should be 'ArnNotLike'.

The desired intent is that the user ids and the roles listed in the 'Condition' SHOULD be allowed access to the bucket. And that is what is happening. So it's working as desired, but since the 'Effect' is set to 'Deny' I don't understand why 'ArnLike' should not be 'ArnNotLike'.

Can someone help me understand why? Thanks.

The excerpt below is from my serverless.yml config file.

MyBucketPolicy:
  Type: 'AWS::S3::BucketPolicy'
  Properties:
    Bucket: !Ref MyBucket
    PolicyDocument:
      Statement:
        - Action:
            - 's3:*'
          Effect: Deny
          Resource: !Join
            - ''
            - - !GetAtt MyBucket.Arn
              - '/*'
          Principal: '*'
          Condition:
            StringNotLike:
              'aws:userId':
                - ${cf:external-stack.Role1}:*
                - ${cf:external-stack.Role2}:*
                - !Ref AWS::AccountId
            ArnLike:
              'aws:role':
                - arn:aws:iam::*:role/${self:service}-${self:custom.stage}-${self:custom.region}-lambdaRole
                - arn:aws:iam::*:role/another-lambda-${self:custom.stage}-${self:custom.region}-lambdaRole

So the logic is incorrect. The 'matchers' within a Condition are ANDed together. So this will let anything have access. :-) Argh.
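As an added example that is not part of the original question or answer, a small Python evaluator for the Condition block makes the AND-of-matchers rule concrete. It substitutes constructed values for the `${cf:...}` and `${self:...}` variables, treats condition keys as opaque strings, and assumes the request already matches the statement's Action, Resource and Principal.

```python
import re

# Toy evaluator for the Condition block of a Deny statement (added example, not
# from the post). Condition keys are treated as opaque strings and the request
# is assumed to already match Action/Resource/Principal (s3:* on the bucket).

def _like(pattern, value):
    # IAM wildcard matching: '*' matches any run of characters, '?' exactly one
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _any_like(patterns, value):
    return any(_like(p, value) for p in patterns)

# Values under one key are ORed. A negated operator holds when the key is absent
# from the request context; a positive operator fails.
OPERATORS = {
    "StringLike":    lambda pats, v: v is not None and _any_like(pats, v),
    "ArnLike":       lambda pats, v: v is not None and _any_like(pats, v),
    "StringNotLike": lambda pats, v: v is None or not _any_like(pats, v),
    "ArnNotLike":    lambda pats, v: v is None or not _any_like(pats, v),
}

def condition_holds(condition, ctx):
    # Every operator block, and every key within it, must hold: they are ANDed.
    return all(OPERATORS[op](pats, ctx.get(key))
               for op, keys in condition.items() for key, pats in keys.items())

def denied(statement, ctx):
    return statement["Effect"] == "Deny" and condition_holds(statement["Condition"], ctx)

# Constructed stand-ins for the ${cf:...} and ${self:...} variables in the post.
USER_IDS = ["AROAROLE1EXAMPLE:*", "AROAROLE2EXAMPLE:*", "111122223333"]
ROLE_ARNS = ["arn:aws:iam::*:role/svc-dev-us-east-1-lambdaRole",
             "arn:aws:iam::*:role/another-lambda-dev-us-east-1-lambdaRole"]

POSTED = {"Effect": "Deny", "Condition": {"StringNotLike": {"aws:userId": USER_IDS},
                                          "ArnLike": {"aws:role": ROLE_ARNS}}}
# The variant the asker suspected: both matchers negated.
FIXED = {"Effect": "Deny", "Condition": {"StringNotLike": {"aws:userId": USER_IDS},
                                         "ArnNotLike": {"aws:role": ROLE_ARNS}}}

# Constructed request contexts.
OUTSIDER = {"aws:userId": "AIDAOUTSIDER:sess", "aws:role": "arn:aws:iam::999999999999:role/other"}
LISTED_ROLE = {"aws:userId": "AROAROLE1EXAMPLE:sess",
               "aws:role": "arn:aws:iam::111122223333:role/svc-dev-us-east-1-lambdaRole"}
ACCOUNT_ROOT = {"aws:userId": "111122223333"}
UNLISTED_USER_MATCHING_ROLE = {"aws:userId": "AROAOTHER:sess",
                               "aws:role": "arn:aws:iam::444455556666:role/svc-dev-us-east-1-lambdaRole"}
```

Under the posted statement an arbitrary outside principal is never denied, while a principal using one of the listed role ARNs with an unlisted userId is; negating the second matcher (ArnNotLike, as the question suspected) yields the intended allow-list. Note also that `aws:role` is not among the documented global condition keys (a principal's role ARN surfaces as `aws:PrincipalArn`), so verify the key against the AWS documentation before relying on the corrected form.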

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.
