Core Principles
- Implicit Deny by Default
All actions start denied unless an explicit allow is found.
- Explicit Allow
If a policy explicitly allows an action and no other policy denies it, the action is permitted.
- Explicit Deny Takes Precedence
An explicit deny in any applicable policy overrides any allows.
- Multiple Policy Types in Play
- Identity-based policies (user, group, or role)
- Resource-based policies (e.g., S3 bucket policy)
- Permission boundaries (limits on the max permissions for a user/role)
- Session policies (applied to temporary credentials)
- Service Control Policies (SCPs in AWS Organizations)
Effective permissions are the result of evaluating together:
Evaluation Flow
- Start: Request is implicitly denied.
- Check for Allows: Identity-based or resource-based policies must explicitly allow the action.
- Apply Boundaries: Permission boundaries and SCPs must also allow it.
- Look for Denies: If any applicable policy has an explicit deny that matches, the request is denied.
- Conditions: Even with an allow, all conditions (region restrictions, MFA requirements, tags) must be satisfied.
Example – How to Evaluate a Request
To determine if a user can run an action (e.g.,
sqs:CreateQueue):- Look in the identity-based policies for an allow.
- Check if a permission boundary limits it.
- Verify there’s no explicit deny from SCPs or resource policies.
- Confirm that conditions are met (e.g., correct region or MFA enabled).
You apply the same process for actions like
sqs:DeleteQueue or ec2:DescribeInstances — the final answer depends on the intersection of all policies and the absence of explicit denies.