Support explicit deny

[shinitiandrei]

Hi,

I've been reading your docs and tutorials, but I couldn't find anything around explicit deny, so I would like to see if you guys can implement it? As in: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policies_evaluation_example
For example in this policy:

{
            "Sid": "DenyS3Logs",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*log*"
}

Thank you!

[kmcquade]

Hi @shinitiandrei! Thanks for opening an issue and digging through the documentation.

I would like to see if you guys can implement it

Just an obligatory disclaimer: I'm not working for Salesforce anymore and can't add new features to this project myself. If anyone wants to contribute, I am open to discussing it and happy to review any PRs/proposals.

I originally created Policy Sentry as an opinionated approach to writing least privilege policies. I specifically avoided conditions and Deny effects to keep it simple. This doesn't fit every use case and it's not intended to - but enough time has passed to where I think this does make sense if we can keep it simple, and if we have some contributors who would like to take it on!

With all that being said - I would be open to PRs that support:

• Deny effect for Action, as mentioned in this issue - I think that is simple enough.
• Conditions that force credentials to be used within a VPC - Contributors welcome for feature idea - support Conditions that force credentials to be used within a VPC #390