For example,
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}
This policy allows Dave to execute three operations on awsexamplebucket1 in S3. Then what about other operations, like creating objects in awsexamplebucket1? Are those operations blocked or not?
You need to read the Policy Evaluation Logic. All other actions are implicitly denied. This means that they are denied unless there is another policy that allows them.
Copying from the link above:
The following is a summary of the AWS evaluation logic for policies within a single account.
- By default, all requests are implicitly denied with the exception of the AWS account root user, which has full access.
- An explicit allow in an identity-based or resource-based policy overrides this default.
- If a permissions boundary, Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
- An explicit deny in any policy overrides any allows.
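As an added illustration (not part of the answer above and not AWS's own code), the following Python model applies the four bullet points from the summary to the bucket policy in the question. The second user Alice, the EC2-only SCP and the explicit-deny identity policy are constructed for the example; `s3:PutObject` stands in for "creating objects". Conditions, `NotAction`/`NotResource`, cross-account evaluation and the finer points of root-user handling are deliberately left out, so treat it as a reading aid for the summary, not as a substitute for the IAM policy simulator (`aws iam simulate-principal-policy`).

```python
"""Toy model of the single-account policy evaluation summary quoted above."""
import re

# The bucket policy from the question, attached to awsexamplebucket1.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [{
        "Sid": "ExampleStatement01",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
        "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::awsexamplebucket1/*", "arn:aws:s3:::awsexamplebucket1"],
    }],
}
DAVE = "arn:aws:iam::123456789012:user/Dave"
ALICE = "arn:aws:iam::123456789012:user/Alice"  # constructed: a user the policy does not name
OBJECT = "arn:aws:s3:::awsexamplebucket1/readme.txt"  # constructed object key

# Constructed SCP that only allows EC2 actions: it never mentions S3.
EC2_ONLY_SCP = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
# Constructed identity policy with an explicit deny on s3:GetObject.
DENY_GET = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(stmt, principal, action, resource, check_principal):
    if check_principal:  # only resource-based policies name a Principal
        allowed = stmt.get("Principal", {})
        names = ["*"] if allowed == "*" else _as_list(allowed.get("AWS", []))
        if not any(_wild(n, principal) for n in names):
            return False
    if not any(_wild(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
        return False  # action names are matched case-insensitively
    return any(_wild(r, resource) for r in _as_list(stmt.get("Resource", [])))


def evaluate(principal, action, resource, policies):
    """policies: list of (kind, document); kind is 'identity', 'resource',
    'boundary', 'scp' or 'session'. Returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny'."""
    verdicts = {}  # kind -> (saw_allow, saw_deny)
    for kind, doc in policies:
        saw_allow, saw_deny = verdicts.get(kind, (False, False))
        for stmt in _as_list(doc["Statement"]):
            if _statement_applies(stmt, principal, action, resource, kind == "resource"):
                if stmt["Effect"] == "Deny":
                    saw_deny = True
                else:
                    saw_allow = True
        verdicts[kind] = (saw_allow, saw_deny)

    # "An explicit deny in any policy overrides any allows."
    if any(deny for _, deny in verdicts.values()):
        return "ExplicitDeny"
    # "By default, all requests are implicitly denied with the exception of the root user."
    if principal.endswith(":root"):
        return "Allow"
    # "An explicit allow in an identity-based or resource-based policy overrides this default."
    allowed = verdicts.get("identity", (False, False))[0] or verdicts.get("resource", (False, False))[0]
    # "If a permissions boundary, Organizations SCP, or session policy is present,
    #  it might override the allow with an implicit deny": each one that is present
    # must also allow the action, otherwise the result falls back to implicit deny.
    for kind in ("boundary", "scp", "session"):
        if kind in verdicts and not verdicts[kind][0]:
            allowed = False
    return "Allow" if allowed else "ImplicitDeny"


def answer_the_question():
    """The asker's case: Dave reading versus Dave creating an object, bucket policy only."""
    policies = [("resource", BUCKET_POLICY)]
    return {"GetObject": evaluate(DAVE, "s3:GetObject", OBJECT, policies),
            "PutObject": evaluate(DAVE, "s3:PutObject", OBJECT, policies)}


if __name__ == "__main__":
    print(answer_the_question())
    print("Alice GetObject:", evaluate(ALICE, "s3:GetObject", OBJECT, [("resource", BUCKET_POLICY)]))
    print("Dave GetObject under EC2-only SCP:",
          evaluate(DAVE, "s3:GetObject", OBJECT, [("resource", BUCKET_POLICY), ("scp", EC2_ONLY_SCP)]))
    print("Dave GetObject with explicit deny:",
          evaluate(DAVE, "s3:GetObject", OBJECT, [("resource", BUCKET_POLICY), ("identity", DENY_GET)]))
```

The two results that matter for the question are `GetObject` ending as `Allow` and `PutObject` as `ImplicitDeny`: the policy never mentions `s3:PutObject`, so it neither allows nor explicitly denies it, and the default wins until some other identity-based or resource-based policy grants it. The SCP and explicit-deny cases show the two remaining bullets: a present SCP that stays silent about S3 turns the bucket policy's allow back into an implicit deny, and an explicit deny anywhere beats every allow.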