Question

I have a user in my IAM account called "testuser" who has administrator privileges, like so:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

And then I have a policy on my S3 bucket that denies this user access, like so:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "my-account-id:user/testuser"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

So, the explicit deny in the S3 bucket policy should override the allow from the IAM policy, right? But when I log in as testuser, I still have access to everything in that bucket - I even have access to change or remove the bucket policy for that bucket (and every other bucket too). Why isn't my explicit deny doing anything?


Solution

Try using the full ARN form for the user ID in the bucket policy:

"Principal": {
  "AWS": ["arn:aws:iam::accountid:user/testuser"]
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
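The following is an added example, not code from the question or the answer above. It reproduces the scenario with constructed placeholder values (the account ID 123456789012 is assumed; the bucket name and user name are the ones from the question) and does two things a practitioner would want before uploading a bucket policy: it lints the Principal entries so a shorthand like "my-account-id:user/testuser" is caught, and it runs a deliberately simplified same-account evaluation (explicit Deny anywhere wins over any Allow; conditions, NotAction, the account root user and cross-account rules are ignored) to show why the posted policy had no effect. It also covers a second point behind the question's observation that the user could still change the bucket policy: a Deny whose Resource is only "arn:aws:s3:::my-bucket-name/*" matches object-level calls such as s3:GetObject, while bucket-level calls such as s3:DeleteBucketPolicy are evaluated against the bucket ARN "arn:aws:s3:::my-bucket-name", so the corrected policy lists both resources.

```python
"""Lint an S3 bucket policy and evaluate it against an IAM identity policy.

Added example with constructed placeholder values; the evaluator is a
simplified model of same-account evaluation, not the AWS engine itself.
"""
import fnmatch
import json
import re

# A full IAM user or role ARN, e.g. arn:aws:iam::123456789012:user/testuser
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
# A bare 12-digit account ID is the other common form accepted in "Principal"
ACCOUNT_ID = re.compile(r"^\d{12}$")

ACCOUNT = "123456789012"      # assumed placeholder account ID
BUCKET = "my-bucket-name"     # bucket name from the question
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/testuser"

# Identity policy attached to testuser, as in the question (full admin).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Bucket policy as posted in the question: shorthand principal, objects only.
BROKEN_POLICY = {
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": "my-account-id:user/testuser"},
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Corrected policy: full-ARN principal, explicit Version, and both the bucket
# ARN (bucket-level calls such as s3:DeleteBucketPolicy) and the object ARN.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": {"AWS": [USER_ARN]},
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_problems(policy):
    """Return "Principal": {"AWS": ...} entries that are neither a full IAM ARN
    nor a bare account ID. Only the "AWS" principal form is inspected."""
    bad = []
    for stmt in policy["Statement"]:
        for p in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if not (IAM_ARN.match(p) or ACCOUNT_ID.match(p)):
                bad.append(p)
    return bad


def denied_resource_levels(policy, bucket):
    """Which of {'bucket', 'object'} an s3:* Deny in this policy covers."""
    levels = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "s3:*" not in _as_list(stmt["Action"]):
            continue
        for res in _as_list(stmt["Resource"]):
            if res == f"arn:aws:s3:::{bucket}":
                levels.add("bucket")
            elif res == f"arn:aws:s3:::{bucket}/*":
                levels.add("object")
    return levels


def _matches(stmt, principal_arn, action, resource, check_principal):
    """True if the statement applies to this principal, action and resource.
    Principal strings are compared literally, so a shorthand such as
    "my-account-id:user/testuser" never equals the caller's full ARN."""
    if check_principal:
        allowed = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in allowed:
            return False
    action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return action_ok and res_ok


def effective_decision(identity_policy, bucket_policy, principal_arn, action, resource):
    """Simplified same-account evaluation: an explicit Deny in either policy
    wins; otherwise an Allow in either policy grants; otherwise implicit deny."""
    effects = [s["Effect"] for s in identity_policy["Statement"]
               if _matches(s, principal_arn, action, resource, check_principal=False)]
    effects += [s["Effect"] for s in bucket_policy["Statement"]
                if _matches(s, principal_arn, action, resource, check_principal=True)]
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/secret.txt"
    bkt = f"arn:aws:s3:::{BUCKET}"
    print("bad principals in posted policy:", principal_problems(BROKEN_POLICY))
    print("posted policy denies levels:", denied_resource_levels(BROKEN_POLICY, BUCKET))
    print("GetObject under posted policy:", effective_decision(ADMIN_POLICY, BROKEN_POLICY, USER_ARN, "s3:GetObject", obj))
    print("GetObject under fixed policy:", effective_decision(ADMIN_POLICY, FIXED_POLICY, USER_ARN, "s3:GetObject", obj))
    print("DeleteBucketPolicy under fixed policy:", effective_decision(ADMIN_POLICY, FIXED_POLICY, USER_ARN, "s3:DeleteBucketPolicy", bkt))
    print(json.dumps(FIXED_POLICY, indent=2))
```

Run it before applying a real policy: if principal_problems returns anything, the Principal will not match the caller's ARN, and if denied_resource_levels lacks "bucket", the user can still rewrite or delete the policy via the bucket-level API. Keep in mind that the account root user is never blocked by a bucket policy, which is also the recovery path if you deny yourself.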