Combination of S3 And IAM Policy

Do you know how S3 bucket policy and IAM policy work together. Today I was experimenting with S3 and IAM policy and find out different behaviors that I was not expected.

In this article, I will cover those two scenerio's and I am sure if you are new in DevOps then your confusions of S3 and IAM policy combination will end.

Scenario 1

What if you allow only GetObject permission in the S3 resource policy and only PutObject permission in an IAM role?

What do you think will happen in this scenario? Will this role be able to get an object from the S3 bucket?

The answer is yes. In this scenario, this role will be able to perform two operations: GetObject and PutObject. Yes, AWS combines both policies and then behaves accordingly.

Scenario 2

What if you allow GetObject permission only in the S3 bucket policy and do not allow it in the IAM role?

Will you be able to get objects from the S3 bucket or not?

The answer is yes. As I said before, AWS combines IAM and S3 resource policies (permissions), so if you allow the permission in either the S3 bucket policy or the IAM role, the action is allowed. That action you can perform.

Scenario 3 (Bonus)

What if you did not define the S3 bucket policy and currently it is empty, but you created an IAM role and allowed GetObject there? Then will you be able to get objects from the bucket?

The answer is yes. Again, as I said before, if you allow the permission in any one of these two, then you can perform the action.

Note: There is only one condition: if there is no explicit deny, then the action will be allowed; if there is, then that action will be denied.