How Bucket Deny Policies Interact With IAM Policies

Presently, and unlike bucket policies in other cloud storage services, a Wasabi bucket policy completely supersedes IAM policies when it contains a deny statement: the bucket policy alone decides the request, and the Allow statements in the user's IAM policy are not consulted.

As a result, a bucket policy that carries a Deny statement must also explicitly Allow every action the user needs on the bucket; an Allow that exists only in the user's IAM policy will not let the request through.

Example:

The bucket policy below contains only a Deny statement. Because the policy allows nothing and the user's IAM policy is not consulted, every request to the bucket results in an error, even for users whose IAM policies would otherwise allow the action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDeleteVersion",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObjectVersion",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}

The policy below, by contrast, will work: its Allow statement grants the actions the user needs, and the Deny statement then blocks only s3:DeleteObjectVersion. The Allow statement names both the bucket ARN and the objects in it, because bucket-level actions such as s3:ListBucket match the bucket ARN while object-level actions such as s3:GetObject and s3:PutObject match object ARNs. Note that "Principal": "*" in an Allow statement grants the listed actions to every caller, anonymous requests included; in practice, restrict the Principal to the specific users or accounts that need access.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKETNAME",
        "arn:aws:s3:::BUCKETNAME/*"
      ],
      "Principal": "*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:DeleteObjectVersion",
      "Resource": "arn:aws:s3:::BUCKETNAME/*"
    }
  ]
}
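To make the evaluation rule above concrete, here is an added example (not Wasabi's code and not its policy engine) of a small Python evaluator that applies the rule the article describes: the bucket policy is the only input, a matching Deny wins, and a request that matches no Allow ends in an implicit deny. It also includes a pre-upload linter that catches the deny-only mistake, flags Allow statements with a wildcard Principal, and flags object-level actions whose Resource is only a bucket ARN, under standard S3 resource-matching rules. The two embedded policies are constructed sample input (the second is a trimmed version of the working policy above), and the caller ARN, object key, the helper names and the short OBJECT_ACTIONS list are assumptions; only Action, Resource and Principal are modeled (no NotAction, NotResource or Condition).

```python
import fnmatch

# Constructed sample input: the deny-only policy from the article.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteVersion",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObjectVersion",
            "Resource": "arn:aws:s3:::BUCKETNAME/*",
        }
    ],
}

# Constructed sample input: a trimmed version of the article's working policy
# (Allow statement covering the bucket ARN and its objects, plus the same Deny).
ALLOW_AND_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketAccess",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::BUCKETNAME", "arn:aws:s3:::BUCKETNAME/*"],
        },
        {
            "Sid": "DenyDeleteVersion",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObjectVersion",
            "Resource": "arn:aws:s3:::BUCKETNAME/*",
        },
    ],
}

# Assumed (illustrative) set of actions that operate on objects rather than buckets.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, value):
    """IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    fnmatch has the same semantics for those two; bracket classes are not IAM syntax and are not used here."""
    return fnmatch.fnmatchcase(value, pattern)


def _is_wildcard_principal(principal):
    """True for the '*' shorthand or {"AWS": "*"}; other principal types are not modeled."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _principal_matches(principal, caller_arn):
    """True if the statement's Principal element covers caller_arn."""
    if _is_wildcard_principal(principal):
        return True
    return isinstance(principal, dict) and caller_arn in _as_list(principal.get("AWS", []))


def _is_object_arn(arn):
    """arn:aws:s3:::bucket is a bucket ARN; arn:aws:s3:::bucket/key (or bucket/*) is an object ARN."""
    return "/" in arn.split(":::", 1)[-1]


def evaluate(policy, caller_arn, action, resource_arn):
    """Decide one request with the bucket policy as the only input (IAM is never consulted).
    A matching Deny short-circuits; with no matching Allow the result is an implicit deny."""
    matched_allow = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not any(_pattern_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_pattern_matches(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit deny"
        matched_allow = True
    return "allow" if matched_allow else "implicit deny"


def lint(policy):
    """Return the problems a policy should have fixed before it is uploaded to the bucket."""
    findings = []
    statements = policy["Statement"]
    if not any(s["Effect"] == "Allow" for s in statements):
        findings.append("no Allow statement: nothing grants access, so every request to the bucket is denied")
    for s in statements:
        if s["Effect"] != "Allow":
            continue
        sid = s.get("Sid", "<no Sid>")
        if _is_wildcard_principal(s.get("Principal")):
            findings.append(f'{sid}: Allow with Principal "*" grants access to every caller, anonymous ones included')
        object_actions = sorted(set(_as_list(s["Action"])) & OBJECT_ACTIONS)
        if object_actions and not any(_is_object_arn(r) for r in _as_list(s["Resource"])):
            findings.append(f"{sid}: object-level actions {object_actions} need an object ARN (bucket/*) in Resource")
    return findings


if __name__ == "__main__":
    caller = "arn:aws:iam::123456789012:user/alice"  # assumed caller ARN
    obj = "arn:aws:s3:::BUCKETNAME/report.csv"        # assumed object key
    for name, policy in (("deny-only", DENY_ONLY_POLICY), ("allow+deny", ALLOW_AND_DENY_POLICY)):
        print(name, "GetObject ->", evaluate(policy, caller, "s3:GetObject", obj))
        print(name, "lint ->", lint(policy))
```

Run the linter on a policy before applying it: a deny-only policy produces the "no Allow statement" finding, which is exactly the failure the article warns about, and the wildcard-Principal finding is the cue to narrow the Allow statement to the users who actually need the bucket.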


Wasabi intends to make bucket policies more similar to other cloud storage providers in the future and will update this page accordingly. 
