AWS cloud, ~10 mins

Policy evaluation logic in AWS - Step-by-Step Execution

Process Flow - Policy evaluation logic
Start: Request Received
Check Explicit Deny?
  - Yes: Deny Access
  - No: continue
Check Explicit Allow?
  - Yes: Allow Access
  - No: Default Deny
End: Access Decision
The policy evaluation checks for explicit deny first, then explicit allow, and defaults to deny if no rules match.
Execution Sample
Request: User wants to call S3:GetObject
Policies:
- Deny S3:GetObject on bucket 'secret'
- Allow S3:GetObject on bucket 'public'
Evaluates if the user can get an object from S3 based on deny and allow policies.
Process Table
Step | Check          | Condition                                  | Result | Decision
1    | Explicit Deny  | Is action S3:GetObject on bucket 'secret'? | Yes    | Deny Access
2    | Explicit Allow | Skipped because deny found                 | N/A    | Deny Access
3    | Default Deny   | Not reached                                | N/A    | Deny Access
💡 Explicit deny found at step 1, so access is denied immediately.
Status Tracker
Variable        | Start | After Step 1 | After Step 2 | Final
Access Decision | None  | Deny         | Deny         | Deny
Key Moments - 2 Insights
Why does the evaluation stop after finding an explicit deny?
Because an explicit deny always overrides any allow, evaluation stops as soon as one matches and access is denied, as shown in step 1 of the Process Table.
What happens if no explicit deny or allow matches?
The default deny applies, so access is denied; this is step 3 of the Process Table, which is reached only when no explicit deny or allow matches.
Visual Quiz - 3 Questions
Test your understanding
1. Looking at the Process Table, what is the access decision after step 1?
A) Allow
B) Deny
C) Undecided
D) Error
💡 Hint
Check the 'Decision' column in the row for step 1 of the Process Table.
2. At which step does the evaluation skip checking explicit allow?
A) Step 1
B) Step 3
C) Step 2
D) Never
💡 Hint
Look at the 'Result' column for step 2 of the Process Table.
3. If the explicit deny policy were removed, what would be the final decision for the same request?
A) Allow
B) Deny
C) Undecided
D) Error
💡 Hint
Refer to the Status Tracker and consider what happens if the step 1 deny is not found.
Concept Snapshot
Policy evaluation logic:
1. Check explicit deny first - if yes, deny immediately.
2. If no deny, check explicit allow - if yes, allow.
3. If neither, default deny.
This ensures security by prioritizing deny rules.
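The three-step flow from the Process Flow and the Concept Snapshot, implemented as an added Python example. This is not the page's own code and not AWS's implementation: it models only the identity-based-policy path the page describes (explicit deny, then explicit allow, then default deny) over IAM-style statements with Effect, Action and Resource. The statement Sids, the bucket ARNs and the object keys are constructed for illustration, wildcard matching is delegated to fnmatch as a stand-in for IAM's pattern rules, and NotAction, NotResource and Condition are not handled. The real AWS evaluation additionally consults service control policies, resource-based policies, permission boundaries and session policies, which this toy leaves out.

```python
"""Three-step policy evaluation (explicit deny, explicit allow, default deny)
over a list of IAM-style statements.  Added illustration, not AWS code."""
import fnmatch
from typing import Any, Dict, List, Tuple

Statement = Dict[str, Any]
TraceRow = Tuple[int, str, str, str]   # (step, check, result, decision so far)

# Constructed sample: the two policies from the Execution Sample above, written
# in the shape of IAM statements.  Sids and ARNs are assumed for illustration.
SAMPLE_POLICIES: List[Statement] = [
    {"Sid": "DenySecretBucket", "Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::secret/*"},
    {"Sid": "AllowPublicBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::public/*"},
]


def _as_list(value: Any) -> List[str]:
    """IAM allows Action/Resource to be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt: Statement, action: str, resource: str) -> bool:
    """A statement applies when one of its Action patterns and one of its
    Resource patterns both match the request.  Action names are compared
    case-insensitively; '*' and '?' wildcards are honoured via fnmatch
    (assumed stand-in for IAM matching; NotAction/NotResource/Condition ignored)."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, pattern)
                      for pattern in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(action: str, resource: str,
             policies: List[Statement]) -> Tuple[str, List[TraceRow]]:
    """Return the final decision ('Allow' or 'Deny') plus a step-by-step trace
    mirroring the Process Table: step 1 explicit deny, step 2 explicit allow,
    step 3 default deny (AWS calls the fall-through an implicit deny)."""
    trace: List[TraceRow] = []

    # Step 1: any matching explicit Deny wins outright and ends evaluation.
    denies = [s for s in policies
              if s.get("Effect") == "Deny" and statement_matches(s, action, resource)]
    if denies:
        trace.append((1, "Explicit Deny", f"matched {denies[0].get('Sid', '<no Sid>')}", "Deny"))
        trace.append((2, "Explicit Allow", "skipped because deny found", "Deny"))
        trace.append((3, "Default Deny", "not reached", "Deny"))
        return "Deny", trace
    trace.append((1, "Explicit Deny", "no matching deny statement", "None"))

    # Step 2: with no deny in the way, a matching explicit Allow grants access.
    allows = [s for s in policies
              if s.get("Effect") == "Allow" and statement_matches(s, action, resource)]
    if allows:
        trace.append((2, "Explicit Allow", f"matched {allows[0].get('Sid', '<no Sid>')}", "Allow"))
        trace.append((3, "Default Deny", "not reached", "Allow"))
        return "Allow", trace
    trace.append((2, "Explicit Allow", "no matching allow statement", "None"))

    # Step 3: nothing matched, so the request falls through to the default deny.
    trace.append((3, "Default Deny", "no statement matched the request", "Deny"))
    return "Deny", trace


def print_trace(action: str, resource: str, policies: List[Statement]) -> str:
    """Print the trace in Process Table order and return the final decision."""
    decision, trace = evaluate(action, resource, policies)
    print(f"Request: {action} on {resource}")
    for step, check, result, so_far in trace:
        print(f"  step {step}: {check:<14} {result:<38} decision so far: {so_far}")
    print(f"  final: {decision}")
    return decision


if __name__ == "__main__":
    # The page's request: GetObject on the 'secret' bucket -> explicit deny at step 1.
    print_trace("s3:GetObject", "arn:aws:s3:::secret/report.txt", SAMPLE_POLICIES)
    # Same action on the 'public' bucket -> explicit allow at step 2.
    print_trace("s3:GetObject", "arn:aws:s3:::public/index.html", SAMPLE_POLICIES)
    # Without the deny statement, 'secret' has no allow either and falls
    # through to the default deny at step 3.
    without_deny = [s for s in SAMPLE_POLICIES if s["Effect"] != "Deny"]
    print_trace("s3:GetObject", "arn:aws:s3:::secret/report.txt", without_deny)
```

The trace column "decision so far" reproduces the Status Tracker: it starts at None and becomes Deny the moment the explicit deny matches, which is why the deny and allow checks are deliberately kept as two separate passes rather than a single loop over statements in file order.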
Full Transcript
When a request is made, AWS policy evaluation starts by checking whether any explicit deny matches the request. If one does, access is denied immediately. If no explicit deny is found, it checks for an explicit allow. If an allow matches, access is granted. If neither a deny nor an allow matches, access is denied by default. This logic ensures that deny rules always override allow rules, providing a secure default. The Process Table shows this step by step for a request to get an object from an S3 bucket. The Status Tracker shows the access decision changing from None to Deny once the explicit deny is found. The Key Moments clarify why evaluation stops on a deny and what happens if no rules match, and the Visual Quiz tests understanding of these steps.