Hi forum,
I've recently started to use organizations (in a test account).
I have a user, let's call them NotOwner, that has the following IAM policy via a group policy only (no boundaries), giving full S3 access:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
The user is invited, and accepted, into an OU with the following policy attached:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "s3:PutBucketPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
However, I can still perform s3:PutBucketPolicy from that user (i.e. edit the bucket policy).
Am I missing what an SCP does? I thought that if this policy intersected with the NotOwner IAM policy I would be denied s3:PutBucketPolicy? I also deleted and re-created the user after setting up Organizations. It also works if I set the policy as a boundary on the user directly.
Regards
--- Extra Info ---
The owner of the bucket is another account, let's call them Owner, and that account has explicitly given permissions to this account via these policies.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotPrincipal": {
                "AWS": [
                    "arn:aws:iam::111111111111:root",
                    "arn:aws:iam::111111111111:user/NotOwner",
                    "arn:aws:iam::111111111111:user/Owner"
                ]
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucketname",
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}
Edited by: davporte on Jan 27, 2020 10:42 PM
Ah ok, I'm telling S3 "ok, go for it", so IAM doesn't matter!
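The evaluation rules the question turns on, as an added worked example (editor's code, not the poster's and not anything from AWS): a small Python model of how AWS combines an identity policy, SCPs and a bucket policy for a cross-account S3 request. It follows the documented rules: an explicit Deny in any applicable policy wins; SCPs bound every principal in a member account but never apply to the organization's management account; a cross-account request needs an Allow from the caller's identity policy and an Allow from the bucket policy. Assumed for the example (not in the post): the bucket owner's account ID 222222222222, an Allow statement in the bucket policy naming NotOwner (the post says access was granted but shows only the Deny), the default FullAWSAccess SCP, and a second user Other in the caller's account. Account-level (`:root`) delegation, permission boundaries and conditions are deliberately not modelled.

```python
"""Toy model of AWS policy evaluation for a cross-account S3 request (constructed example)."""
import fnmatch

# --- Constructed sample data, modelled on the policies in the post -------------
CALLER_ACCOUNT = "111111111111"
OWNER_ACCOUNT = "222222222222"            # assumed ID for the bucket-owning account
NOT_OWNER = f"arn:aws:iam::{CALLER_ACCOUNT}:user/NotOwner"
OTHER = f"arn:aws:iam::{CALLER_ACCOUNT}:user/Other"   # assumed extra user, not in the post
BUCKET = "arn:aws:s3:::bucketname"

IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_DENY_PUT_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": ["s3:PutBucketPolicy"], "Resource": ["*"]}]}
# Every OU inherits the default FullAWSAccess SCP unless it was detached.
SCP_FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [
    # The Deny/NotPrincipal statement from the post.
    {"Effect": "Deny",
     "NotPrincipal": {"AWS": [f"arn:aws:iam::{CALLER_ACCOUNT}:root", NOT_OWNER,
                              f"arn:aws:iam::{CALLER_ACCOUNT}:user/Owner"]},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    # Assumed: the grant the post says the owner made, which is not shown there.
    {"Effect": "Allow", "Principal": {"AWS": NOT_OWNER},
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
]}


def _listify(v):
    return [] if v is None else (v if isinstance(v, list) else [v])

def _action_matches(stmt, action):
    # Action names are case-insensitive and may use '*' wildcards.
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _listify(pats))
    return not hit(stmt["NotAction"]) if "NotAction" in stmt else hit(stmt.get("Action"))

def _resource_matches(stmt, resource):
    hit = lambda pats: any(fnmatch.fnmatchcase(resource, p) for p in _listify(pats))
    return not hit(stmt["NotResource"]) if "NotResource" in stmt else hit(stmt.get("Resource"))

def _principal_matches(stmt, principal_arn):
    # Identity policies and SCPs carry no Principal element: they apply to the caller.
    def listed(spec):
        arns = ["*"] if spec == "*" else _listify(spec.get("AWS"))
        return "*" in arns or principal_arn in arns   # exact match only; no :root delegation
    if "Principal" in stmt:
        return listed(stmt["Principal"])
    if "NotPrincipal" in stmt:
        return not listed(stmt["NotPrincipal"])
    return True

def evaluate(policy, action, resource, principal_arn):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    result = "Implicit"
    for stmt in policy["Statement"]:
        if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)
                and _principal_matches(stmt, principal_arn)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                       # explicit Deny always wins
        result = "Allow"
    return result

def is_allowed(action, resource, principal_arn, *, identity_policy, scps, bucket_policy,
               resource_account, caller_is_management_account=False):
    """Return (allowed, reason). SCPs in `scps` are treated as one merged document."""
    caller_account = principal_arn.split(":")[4]
    applicable = [("identity", identity_policy), ("bucket", bucket_policy)]
    if not caller_is_management_account:        # SCPs never apply to the management account
        applicable += [("scp", p) for p in scps]
    verdicts = {}
    for name, policy in applicable:
        verdict = evaluate(policy, action, resource, principal_arn)
        if verdict == "Deny":
            return False, f"explicit Deny in {name} policy"
        verdicts.setdefault(name, []).append(verdict)
    if not caller_is_management_account and "Allow" not in verdicts.get("scp", []):
        return False, "no SCP allows the action"
    identity_allow = "Allow" in verdicts["identity"]
    bucket_allow = "Allow" in verdicts["bucket"]
    if caller_account == resource_account:      # same account: either policy may allow
        return (True, "same-account allow") if identity_allow or bucket_allow else (False, "implicit deny")
    if identity_allow and bucket_allow:         # cross-account: both sides must allow
        return True, "cross-account: identity Allow and bucket policy Allow"
    if bucket_allow:
        return False, "bucket policy allows, but the caller's identity policy does not"
    if identity_allow:
        return False, "identity policy allows, but the bucket owner has not granted access"
    return False, "implicit deny"

def scenarios():
    common = dict(identity_policy=IDENTITY_POLICY, bucket_policy=BUCKET_POLICY,
                  scps=[SCP_FULL_ACCESS, SCP_DENY_PUT_BUCKET_POLICY], resource_account=OWNER_ACCOUNT)
    return {
        "member_put_bucket_policy": is_allowed("s3:PutBucketPolicy", BUCKET, NOT_OWNER, **common),
        "member_get_object": is_allowed("s3:GetObject", BUCKET + "/key", NOT_OWNER, **common),
        "management_put_bucket_policy": is_allowed("s3:PutBucketPolicy", BUCKET, NOT_OWNER,
                                                   caller_is_management_account=True, **common),
        "unlisted_user_get_object": is_allowed("s3:GetObject", BUCKET + "/key", OTHER, **common),
    }

if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:32} {'ALLOW' if ok else 'DENY ':5} {why}")
```

With the SCP attached to a member account, `member_put_bucket_policy` is denied by the SCP even though both the identity policy and the bucket policy allow it; the same call from the management account is allowed because SCPs are skipped there. The `unlisted_user_get_object` case shows the Deny/NotPrincipal statement doing its job against a user the owner did not list.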