Deny deleted Glacier class storage files

0

Hello,

I have some S3 buckets with a lifecycle rule; after 30 days they change the storage class to Glacier. Once the objects are in Glacier, I need to prevent them from being accidentally deleted by specific users, that is, only one user group (group A) may delete them and another group (group B) may not.

I was trying some policies: I can prevent group B from deleting files:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "s3:DeleteObject"
          ],
          "Resource": "arn:aws:s3:::XXXXXXXXXXXXXXX/*"
        }
      ]
    }

With this policy, they cannot delete any files regardless of which storage class the data is in. I want to prevent them from deleting once the lifecycle rule moves objects to GLACIER, but while the storage class is STANDARD, I want to allow users to delete.

How can I make a user group allowed to delete or not according to the type of storage?

asked 5 years ago, 336 views

4 answers
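The deny policy in the question, as posted, has a defect that is easy to miss: the Action (`s3: DeleteObject`) and the Resource ARN contain spaces, so the statement would never match a real request. The Python below is an added example (not code from the poster or from AWS): it flags that whitespace defect, then runs a deliberately simplified model of IAM evaluation (explicit Deny wins, then any Allow, else implicit deny) over a constructed Allow policy standing in for group B's existing permissions plus the corrected Deny. The `delete_decisions` helper and the sample object keys with their storage classes are constructed for illustration; the bucket name is the poster's placeholder. The point the run makes is that the decision for `s3:DeleteObject` comes out the same for a STANDARD object and a GLACIER object, because the policy language sees the request's action and resource, not the stored object's storage class.

```python
import fnmatch
import json

BUCKET = "XXXXXXXXXXXXXXX"  # the poster's placeholder bucket name

# The deny policy exactly as posted in the question: the Action and Resource
# strings carry stray spaces, so they never match a real action or ARN.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": ["s3: DeleteObject"],
        "Resource": "arn: aws: s3 ::: XXXXXXXXXXXXXXX / *",
    }],
}

# The same policy with the whitespace removed.
DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": ["s3:DeleteObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed stand-in for the permissions group B already holds.
ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:DeleteObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def whitespace_defects(policy):
    """Return every Action or Resource string that contains whitespace."""
    defects = []
    for st in policy["Statement"]:
        for field in ("Action", "Resource"):
            for s in _as_list(st.get(field, [])):
                if any(ch.isspace() for ch in s):
                    defects.append(s)
    return defects


def _matches(statement, action, resource):
    # IAM wildcards (* and ?) behave like shell globs for this purpose.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """Simplified IAM logic: an explicit Deny wins, then any Allow, else implicit deny.

    Only the request's action and resource enter the decision; the storage
    class of the object being deleted is never consulted.
    """
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if not _matches(st, action, resource):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample objects, one per storage class mentioned in the question.
SAMPLE_OBJECTS = [("logs/2019/a.gz", "STANDARD"), ("logs/2018/b.gz", "GLACIER")]


def delete_decisions(policies, objects=SAMPLE_OBJECTS):
    """Map key -> (storage class, decision) for s3:DeleteObject under the given policies."""
    return {key: (cls, evaluate(policies, "s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/{key}"))
            for key, cls in objects}


if __name__ == "__main__":
    print("defects in the posted policy:", whitespace_defects(BROKEN_POLICY))
    print("corrected policy:\n" + json.dumps(DENY_POLICY, indent=2))
    print("group B (Allow + Deny):", delete_decisions([ALLOW_POLICY, DENY_POLICY]))
    print("group A (Allow only):", delete_decisions([ALLOW_POLICY]))
```

Run it directly to see the two defect strings, the cleaned policy, and the per-object decisions: with the Deny attached, both the STANDARD and the GLACIER object come back `Deny`; without it, both come back `Allow`. The evaluator is a teaching model, not a replacement for the IAM policy simulator, but it reproduces the one property that matters for the question.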
0

AWS only supports policies (such as Group A can delete and Group B cannot delete) at the Glacier Vault level. And, unfortunately, S3 Lifecycle policies do not have access to the Glacier Vault.

answered 5 years ago
0

Thanks for your reply, rtakeshi.

So I cannot apply a policy according to the storage class; I can only apply a policy that allows or denies the deletion of files. Am I right?

answered 5 years ago
0

Correct.

answered 5 years ago
0

Thank you!

answered 5 years ago