The big change this release was improving the logic for identifying which actions were allowed. Previously, if you had the following, it would not identify `s3:GetObject` as being allowed, because it saw an `Allow` and a `Deny` and did not take into consideration the `Condition`:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::secretbucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::secretbucket/*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
Now the logic identifies `s3:GetObject` as being allowed, because it only counts a `Deny` against the `Allow` if the `Deny` has no `Condition`. This should better handle tricks someone might use to get around a custom auditor (for example, the sensitive bucket auditor in the docs would previously have been fooled by this policy).

The unit tests should also be more robust, and a bug was fixed in how `Bool` conditions are checked, to ensure they are matched against true and false values.
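As an added illustration of that rule (example code written here, not the project's own implementation), a minimal static checker that treats a `Deny` carrying a `Condition` as not cancelling a matching `Allow`; the `POLICY` sample, `is_allowed` and the `fnmatch`-based wildcard matching are my constructions, and the `ignore_conditional_denies` flag switches between the old and new behaviour.

```python
import fnmatch

# Constructed sample policy mirroring the one in the release notes above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secretbucket/*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secretbucket/*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    Action names are case-insensitive in IAM; '*' and '?' are the wildcards."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def is_allowed(policy, action, resource, ignore_conditional_denies=True):
    """Static check: does this policy allow `action` on `resource`?

    With ignore_conditional_denies=True (the new behaviour) a Deny that has a
    Condition does not cancel a matching Allow, since it only applies in some
    situations an auditor cannot evaluate statically. With False (the old
    behaviour) any matching Deny cancels the Allow.
    """
    allowed = False
    for statement in _as_list(policy.get("Statement", [])):
        if not _statement_matches(statement, action, resource):
            continue
        if statement.get("Effect") == "Deny":
            if ignore_conditional_denies and "Condition" in statement:
                continue  # conditional Deny: do not count it against the Allow
            return False  # unconditional explicit Deny always wins
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed
```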