I have 3 AWS users each with their own policy (bucket name is different for each user):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowObjectAccess",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::myBucketA/*"
},
{
"Sid": "AllowListing",
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::myBucketA"
}
]
}
These three users are in a group and the group has these permissions:
{
"Id": "LimitIPs",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "LimitIPs",
"Action": "*",
"Effect": "Deny",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"1.2.3.1/32",
"1.2.3.2/32"
]
}
}
}
]
}
The goal is to allow each user access to their bucket but only from a specified pool of IPs.
My question is: are user and group policies combined before evaluation? In that case my scenario should work. Or are user and group policies intersected before evaluation?
It seems logical they should be combined, but with AWS IAM you'll never know and I haven't found any documentaion clarifying this issue one way or the other.
Tested it and AWS user and group policies are combined (and NOT intersected) before evaluation. Still looking for docs.