2.1.2.1. IAM Policy Evaluation Logic

First Principle: IAM policy evaluation logic determines ultimate access by evaluating all applicable Allow and Deny statements, with explicit denies overriding all allows, ensuring a precise and secure access decision.

Understanding how AWS evaluates IAM policies is crucial for a security specialist to design correct permissions and troubleshoot access issues. Multiple policies can apply to an IAM identity (via users, groups, roles, resource policies, etc.).

Key Rules of IAM Policy Evaluation Logic:
  1. Default Deny: By default, all requests are implicitly denied. An explicit Allow is required for any action to be permitted.
  2. Explicit Deny Overrides All: If any applicable policy (whether identity-based, resource-based, or an SCP) contains an explicit Deny for a specific action on a specific resource, that action is always denied, regardless of any Allow statements elsewhere.
  3. Explicit Allow (No Deny): If there is no explicit Deny statement, and at least one applicable policy has an explicit Allow statement, the action is permitted.
  4. Service Control Policies (SCPs): An SCP Deny overrides everything in the account, including the root user and all other IAM policies. SCPs set the maximum permissions an account can have; they never grant permissions on their own.
  5. Permissions Boundaries: The effective permissions are the intersection of the identity-based policies and the permissions boundary. A boundary caps what the identity can do but never grants access by itself.

Scenario: An IAM user is part of a group that has a policy explicitly allowing s3:GetObject on all S3 buckets. However, a separate resource policy on a specific sensitive S3 bucket has an explicit Deny for s3:GetObject for all IAM users in the account.
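As an added illustration (not from this page and not AWS's own evaluation engine), the following Python evaluator applies the five rules above to the scenario. The policy documents, the bucket name sensitive-bucket, and the object keys are constructed samples; Principal and Condition matching is deliberately omitted to keep the rule ordering visible.

```python
from fnmatch import fnmatchcase

# Constructed sample policy documents (Principal/Condition keys are ignored here).
GROUP_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Deny", "Principal": {"AWS": "*"},
                                "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::sensitive-bucket/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (any(fnmatchcase(action.lower(), a) for a in acts)
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))))

def _effects(policies, action, resource):
    """Set of Effects ('Allow'/'Deny') from statements matching the request."""
    return {s["Effect"] for p in policies for s in _as_list(p.get("Statement", []))
            if _matches(s, action, resource)}

def evaluate(action, resource, identity_policies=(), resource_policies=(),
             scps=None, boundary=None):
    """Simplified same-account decision; returns (decision, reason)."""
    layers = [("SCP", list(scps or [])), ("permissions boundary", [boundary] if boundary else []),
              ("resource policy", list(resource_policies)), ("identity policy", list(identity_policies))]
    # Rule 2: an explicit Deny in any applicable policy wins outright.
    for name, pols in layers:
        if "Deny" in _effects(pols, action, resource):
            return "Deny", f"explicit Deny in {name}"
    # Rule 4: SCPs cap the account; with SCPs present, one of them must Allow.
    if scps is not None and "Allow" not in _effects(scps, action, resource):
        return "Deny", "not allowed by any SCP"
    # Rule 5: a boundary caps the identity (intersection); it never grants.
    if boundary is not None and "Allow" not in _effects([boundary], action, resource):
        return "Deny", "not allowed by permissions boundary"
    # Rule 3: an explicit Allow in an identity or same-account resource policy grants.
    if "Allow" in _effects(list(identity_policies) + list(resource_policies), action, resource):
        return "Allow", "explicit Allow and no matching Deny"
    # Rule 1: nothing matched, so the request is implicitly denied.
    return "Deny", "implicit deny (no matching Allow)"

if __name__ == "__main__":
    # The scenario above: group Allow on all buckets vs. bucket-policy Deny on the sensitive one.
    print(evaluate("s3:GetObject", "arn:aws:s3:::sensitive-bucket/secret.txt",
                   identity_policies=[GROUP_POLICY], resource_policies=[BUCKET_POLICY]))
```

Running it reports the sensitive bucket as denied by the resource policy even though the group policy allows it, while the same request against any other bucket is allowed.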

Reflection Question: How does the IAM policy evaluation logic, particularly the rule that "explicit deny overrides all," fundamentally determine ultimate access when multiple policies (e.g., identity-based, resource-based) apply to a request, ensuring a precise and secure access decision?

💡 Tip: When troubleshooting "Access Denied" issues, always check for explicit Deny statements first, as they take precedence over all Allow statements.