Disallow S3 Object Deletion

· jswank's blog


I have an IAM user with credentials which are being used to create objects in an S3 bucket. I want to prevent these credentials from removing objects from the bucket.

Procedure #

Attach this policy to a user which already has write access.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteAccess",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}
```

Comments #

Multiple policies can be applied to a user. The policy above denies delete actions for objects within the specified bucket. An explicit deny statement like this always supersedes any permission granted elsewhere. Appending a policy to an existing policy set is a straightforward way to restrict access and can be applied to specific users.

An alternative is to have a more specific policy which only grants the permissions required to read and write objects. Any access not explicitly granted is denied by default. Below is such a policy.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname"
            ]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname/*"
            ]
        }
    ]
}
```
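To see how the two approaches behave side by side, here is a small offline evaluator (added example, not code from the post or from AWS) that applies the identity-policy decision logic both comments rely on: an explicit Deny wins over any Allow, and a request nothing allows is implicitly denied. It loads the two policies from the post verbatim; the broad `s3:*` policy standing in for the user's pre-existing write access, the sample object key `report.csv` and the set of requests are constructed assumptions, since the post does not show what the user could already do. The model only handles `Action`/`Resource` wildcards, so `NotAction`, `Condition`, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Offline check of the two policies from the post under IAM's identity-policy
decision logic: explicit Deny beats Allow, and anything not allowed is implicitly
denied. Simplified model: Action/Resource wildcards only (no NotAction, Condition,
resource policies, SCPs or permission boundaries). Added example, not the post's."""
import fnmatch
import json

# Deny policy from the post, attached on top of existing write access.
DENY_DELETE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyDeleteAccess",
    "Effect": "Deny",
    "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
    "Resource": ["arn:aws:s3:::mybucketname/*"]
  }]
}""")

# Constructed stand-in for the "write access" the user already has; the post
# does not show that policy, so this is an assumption (full s3:* on one bucket).
BROAD_WRITE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumedExistingAccess",
        "Effect": "Allow",
        "Action": ["s3:*"],
        "Resource": ["arn:aws:s3:::mybucketname", "arn:aws:s3:::mybucketname/*"],
    }],
}

# Minimal read/write policy from the post (the alternative approach).
MINIMAL_RW = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListObjectsInBucket", "Effect": "Allow",
     "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::mybucketname"]},
    {"Sid": "AllObjectActions", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectAttributes", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::mybucketname/*"]}
  ]
}""")


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs (and the object keys inside them) are case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request,
    checked against every statement of every attached identity policy."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins no matter what else allows
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample requests: object-level actions on one key plus a bucket-level list.
OBJ = "arn:aws:s3:::mybucketname/report.csv"
BUCKET = "arn:aws:s3:::mybucketname"
REQUESTS = [
    ("s3:PutObject", OBJ), ("s3:GetObject", OBJ), ("s3:DeleteObject", OBJ),
    ("s3:DeleteObjectVersion", OBJ), ("s3:PutObjectAcl", OBJ), ("s3:ListBucket", BUCKET),
]


def decisions(policies):
    """Map 'action resource' -> decision for every sample request."""
    return {f"{a} {r}": evaluate(policies, a, r) for a, r in REQUESTS}


if __name__ == "__main__":
    for label, policies in (("existing access + deny", [BROAD_WRITE, DENY_DELETE]),
                            ("minimal read/write only", [MINIMAL_RW])):
        print(f"== {label}")
        for req, verdict in decisions(policies).items():
            print(f"  {verdict:12} {req}")
```

Running it shows the difference the post describes: with the deny policy stacked on broad access, `s3:DeleteObject` and `s3:DeleteObjectVersion` come back `Deny` while everything else the user could already do (including `s3:PutObjectAcl`) stays `Allow`; with the minimal policy alone, the deletes and `s3:PutObjectAcl` are `ImplicitDeny` simply because nothing grants them. One caveat both policies share: `s3:PutObject` on an existing key is still allowed, so an object's contents can be replaced even though it cannot be deleted. Enabling bucket versioning preserves the earlier versions, and the deny on `s3:DeleteObjectVersion` is what keeps those versions in place.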
