awsdocs / iam-user-guide

Official documentation source for the AWS Identity and Access Management (IAM) User Guide
MIT No Attribution

Resource Based Policy evaluation logic unclear #257

Closed MikeCain21 closed 2 years ago

MikeCain21 commented 2 years ago

I'm going through the policy evaluation logic page (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html) and cannot seem to replicate the described behavior in the "Resource-based policies and implicit denies in other policy types (same account)" table. Specifically:

| Principal making the request | Resource-based policy | Identity-based policy | Permissions boundary | Session policy | Result | Reason |
|---|---|---|---|---|---|---|
| IAM role session | Allows role ARN | Implicit deny | Implicit deny | Implicit deny | DENY | Permissions boundary and session policy are evaluated as part of the final decision. An implicit deny in either policy results in a DENY decision. |

Using a brand new AWS account with a role 's3test' with no permissions attached or permissions boundaries.

Assuming the role via the CLI with a specific session name and no session policies:

```sh
aws sts assume-role --role-arn "arn:aws:iam::000000000000:role/s3test" --role-session-name test123 | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"'
```

Checking who I am:

```sh
aws sts get-caller-identity
```

```json
{
    "UserId": "ARO******************:test123",
    "Account": "000000000000",
    "Arn": "arn:aws:sts::000000000000:assumed-role/s3test/test123"
}
```

Attempting to access a bucket with the following bucket policy attached:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:role/s3test"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::testthedeny1234"
        }
    ]
}
```

**Expected Behaviour:** The role is denied because everything is implicitly denied except the resource policy, and the requesting principal is a role session ARN (arn:aws:sts::000000000000:assumed-role/s3test/test123). I expect the action to be denied. The resource policy uses a ROLE ARN but I am using a ROLE SESSION. I can never use a Role ARN from the CLI?

**Actual Behaviour:** Using the CLI I can list the objects in the bucket.

| Principal making the request | Resource-based policy | Identity-based policy | Permissions boundary | Session policy | Result | Reason |
|---|---|---|---|---|---|---|
| IAM role session | Allows role ARN | Implicit deny | Implicit deny | Implicit deny | DENY | Permissions boundary and session policy are evaluated as part of the final decision. An implicit deny in either policy results in a DENY decision. |
| YES | YES | YES | YES | YES | ALLOW | ????? |

There are no explicit denies. The role is not part of an organization with any SCPs. The role is assumed with no session policies.

Have I misunderstood the table in the documentation? Could this be updated to make it more clear when or how that situation would occur?

Any help is greatly appreciated.

wushingmushine commented 2 years ago

The only flaw in your logic is that while, say, the identity-based policy contains an implicit deny, by virtue of having 'additive' evaluation logic (e.g. if there's no identity-based policy, the user can't do anything, i.e. a total lack of identity-based policies is deny-by default), the permissions boundary may not contain the implicit deny because it's 'subtractive' (i.e. a total lack of permissions boundary is allow-by-default).

If you apply a permissions boundary to the role that neither explicitly allows nor denies the S3 actions (e.g. a boundary allowing only ec2:Describe*), then you will no longer be able to list the objects.

Although I agree, this is not particularly clear in the documentation.
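To make the distinction in the comment above concrete, here is an added model (not from either commenter and not AWS code) of the same-account evaluation order: an attached policy that is silent about the action is an implicit deny, while an absent permissions boundary or session policy imposes no restriction. It reuses the issue's bucket policy and session ARN and constructs the ec2:Describe*-only boundary as a sample; the documented special case for resource policies that name a session ARN directly is deliberately left out.

```python
# Added model of the same-account evaluation order discussed in this issue. Not AWS
# code: policies are reduced to Effect/Action/Resource/Principal, wildcards are matched
# with fnmatch, and the rule for resource policies naming a session ARN is not modelled.
import re
from fnmatch import fnmatchcase

SESSION_ARN = "arn:aws:sts::000000000000:assumed-role/s3test/test123"
BUCKET = "arn:aws:s3:::testthedeny1234"
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::000000000000:role/s3test"},
    "Action": "s3:ListBucket", "Resource": BUCKET}]}
# Constructed boundary from the second comment: it allows only ec2:Describe*.
EC2_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def role_arn_of(session_arn):
    """An assumed-role session is covered by a Principal that names its role ARN."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", session_arn)
    return f"arn:aws:iam::{m[1]}:role/{m[2]}" if m else session_arn

def effects(policy, action, resource, principal=None):
    """Effects of every statement in `policy` that matches this request."""
    out = set()
    for s in policy.get("Statement", []):
        if not any(fnmatchcase(action, a) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(s.get("Resource", "*"))):
            continue
        if "Principal" in s:
            who = _as_list(s["Principal"].get("AWS", []))
            if principal not in who and role_arn_of(principal) not in who:
                continue
        out.add(s["Effect"])
    return out

def evaluate(action, resource, principal, resource_policy=None, identity_policy=None,
             boundary=None, session_policy=None):
    """None for boundary/session_policy means 'not attached', i.e. no restriction."""
    rp = effects(resource_policy or {}, action, resource, principal)
    ip = effects(identity_policy or {}, action, resource)
    limits = [effects(p, action, resource) for p in (boundary, session_policy) if p is not None]
    if any("Deny" in e for e in [rp, ip] + limits):
        return "DENY"                      # an explicit deny always wins
    if "Allow" not in rp and "Allow" not in ip:
        return "DENY"                      # nothing granted the action (implicit deny)
    if any("Allow" not in e for e in limits):
        return "DENY"                      # attached boundary/session policy is silent
    return "ALLOW"
```

With only the bucket policy in play the call returns ALLOW, matching the observed behaviour; adding the ec2:Describe*-only boundary flips the same request to DENY.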

MikeCain21 commented 2 years ago

cheers @wushingmushine