AWS IAM Policy Evaluation Logic, ultra-simplified!
AWS policy evaluation logic is run everytime an IAM entity (user or role) requests access to a resource within the same account.
At this point, AWS evaluates all the permissions which are granted together by both the identity-based and resource-based policies. The resulting set of permissions are the combined permissions of the two types put together.
However, the way this final set is achieved is shown in the below flowchart with explanation followed.
First point to consider is ‘all requests are denied by default’ and this is referred to as default deny effect.
After evaluating all the policies and their associated permissions,
if there is an explicit deny in any of the policies the final decision is Deny. At this point no further evaluation is needed.
If there is no explicit deny then it checks if there is any explicit allow mentioned as part of the permissions. If there indeed is an allow then the final decision becomes Allow.
However when there is neither an explicit deny nor an explicit allow mentioned then the final decision becomes default ‘Deny’.
To sum it up,
- All requests are denied by default.
- An explicit allow will override an default deny.
- An explicit deny will override an explicit allow.