Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 Get 20% Off - Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

How AWS IAM Handles Conflicting IAM Policies

Last updated on May 3, 2023

Overview

When a user attempts an action in AWS, such as launching an EC2 instance or listing S3 buckets, AWS evaluates all involved IAM policies to determine whether to grant the request. Since IAM policies can be associated with various types of identities, the hierarchy of these identities influences the final permissions for a user.

AWS IAM Policy Evaluation Flow

Let’s break down the process of how AWS evaluates a request using the simplified version of the AWS flow chart below:

How AWS IAM Handles Conflicting IAM Policies

1. Default Deny

AWS denies a request by default. For example, if your IAM user has no policies attached and you attempt to read an S3 object, your request is implicitly denied.

2. Explicit Deny

If there’s an explicit DENY in any of the policies involved in the request, IAM denies the request.

Tutorials dojo strip

3. AWS Organizations’ Service control policies (SCPs)

When a request is made in an AWS account with Organizations’ SCPs in place, IAM first examines the SCPs to determine if the action is allowed. If the SCPs don’t allow the action, IAM denies the request.

4. Resource Policy Evaluation

If there’s no SCP to evaluate or there are no conflicts in the SCP, IAM proceeds to check the resource policy. Keep in mind that not all AWS services have a resource policy. Examples of services with resource policies include the S3 bucket policy, KMS key policy, Lambda function resource policy, and SQS queue policy. You may refer to this page to see which services support resource-based policies.

5. Identity-based Policy Evaluation

IAM then checks the policies attached to the IAM user or role making the request. If no policy matches the requested actions, the request is denied. IAM also implicitly denies the request if no identity-based policies are present.

6. Permissions Boundary

IAM checks whether any statements in the permissions boundary would prevent the requested action. If there is, the request is denied. Otherwise, the evaluation process continues.

7. Session Policy Evaluation

Finally, IAM checks if the request includes a session policy. A session policy is an inline permission assigned to a session principal. Session principals are users who obtain temporary access through AWS Security Token Service (STS), such as federated users, role session users, and web identity users. If the session policy permits the action, then IAM grants the request. On the other hand, when no session policies are involved, IAM determines whether the principal is a role session, and if so, allows the request.

Same-Account vs. Cross-Account Access

It’s important to understand that the policy evaluation for same-account access differs from cross-account access. The diagram above depicts the policy evaluation for cross-account access.

In the same-account access setting, permissions can be granted either through the resource policy or the identity policy. For instance, even if an IAM user has no policies assigned, they can still be granted access to an S3 bucket if authorized in the bucket policy. In a similar manner, an S3 bucket without a bucket policy can be accessed by an IAM user, provided their identity policy permits such access. Take note that this logic does not extend to the IAM role trust policy and KMS key policy. For these two resource policies, permissions must be explicitly granted within the identity policies of the principal.

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

Written by: Carlo Acebedo

Carlo is a cloud engineer and a content creator at Tutorials Dojo. He's also a member of the AWS Community builder and holds 5 AWS Certifications. Carlo specializes in building and automating solutions in the Amazon Web Services Cloud.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?