Simple Notification Service (SNS)
Kinesis + MQ
Databases & Analytics
Could not load image
  • This is the hierarchy for AWS effects:
    • Explicit deny is the most powerful and nothing can overrule this.
    • Explicit allow is the next most powerful effect but this will only be allowed if you don't have an explicit deny.
    • If you have none of these (no explicit deny and no explicit access), you have no access because by default, everything is denied (unless you are a root user).
  • If there are a lot of policies and a lot of statements, AWS will take them all into account and will just apply the same hierarchy as above, so if there is an explicit deny, you can't overrule that, if you have an explicit allow, you are allowed and if there is no effect, you are denied by default.
Copy link