Hi Jason, This isn't intended behaviour, so I tested, but I couldn't recreate your findings. Perhaps the S3 bucket in question has a bucket policy applied that denies DeleteObjectVersion?
My test user has the 'AdministratorAccess' policy, plus the following policy to prevent the use of BypassGovernanceRetention:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "s3:BypassGovernanceRetention",
"Resource": "arn:aws:s3:::*/*"
}
]
}
Here are my test steps, showing that delete-object-version works, but bypass-governance-retention does not.
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api put-object --bucket bucketname --body key --key test/key
{
"ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
"ServerSideEncryption": "AES256",
"VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api list-object-versions --bucket bucketname --prefix test/
{
"Versions": [
{
"ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
"Size": 11,
"StorageClass": "STANDARD",
"Key": "test/key",
"VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu",
"IsLatest": true,
"LastModified": "2023-06-28T12:56:58+00:00",
"Owner": {
"DisplayName": "accountname",
"ID": "9b3dbdc10a5fd5232b7e1eaf03d65fcfe240bbf3fc790ff64c035fbe5b954510"
}
}
],
"RequestCharged": null
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
{
"VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api list-object-versions --bucket bucketname --prefix test/
{
"RequestCharged": null
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api put-object --bucket bucketname --body key --key test/key --object-lock-mode GOVERNANCE --object-lock-retain-until-date "$(date -d '+2 hour' '+%F %T')"
{
"ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
"ServerSideEncryption": "AES256",
"VersionId": "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI"
}
[cloudshell-user@ip-10-2-13-113 ~]$
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI"
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI" --bypass-governance-retention
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
[cloudshell-user@ip-10-2-13-113 ~]$
Please refer to "Enabling S3 Object Lock" under https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config
- When you create a bucket with Object Lock enabled, Amazon S3 automatically enables versioning for the bucket.
- If you create a bucket with Object Lock enabled, you can't disable Object Lock or suspend versioning for the bucket.
When you turn on Object Lock for a bucket, the bucket can store protected objects. However, the setting doesn't automatically protect objects that you put into the bucket. If you want to automatically protect object versions that are placed in the bucket, you can configure a default retention period. Default settings apply to all new objects that are placed in the bucket, unless you explicitly specify a different retention mode and period for an object when you create it. Bucket default settings require both a mode and a period. A bucket default mode is either governance or compliance.
Reference : https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html
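The permission logic exercised by the test above, as an added example that is not part of the original answer or of any AWS code: a toy IAM evaluator (explicit Deny wins, then Allow, else implicit deny, with IAM-style `*`/`?` wildcards) fed the same two policies the answer describes, a stand-in for AdministratorAccess plus the Deny on `s3:BypassGovernanceRetention`, and a simplified model of DeleteObject on a versioned, Object Lock enabled bucket. It assumes the documented rule that overriding GOVERNANCE retention needs both the bypass request and the `s3:BypassGovernanceRetention` permission; conditions, NotAction/NotResource, bucket policies and retain-until-date expiry are deliberately left out. The policy dictionaries and the bucket/key names are constructed for the example.

```python
"""Toy model of the IAM + Object Lock checks behind the delete-object-version test.
Added example; assumes simplified IAM semantics and the documented governance-bypass rule."""
import re

# Constructed policies: a stand-in for AdministratorAccess plus the Deny from the answer.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_BYPASS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Deny",
        "Action": "s3:BypassGovernanceRetention",
        "Resource": "arn:aws:s3:::*/*",
    }],
}
POLICIES = [ADMINISTRATOR_ACCESS, DENY_BYPASS]


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action: str, resource: str) -> str:
    """Simplified IAM evaluation: any matching explicit Deny wins, otherwise any
    matching Allow, otherwise implicit deny. Action names are case-insensitive,
    resource ARNs are case-sensitive. Conditions and Not* elements are not modelled."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def delete_object_version(policies, bucket, key, lock_mode=None, bypass_governance=False):
    """Model of DeleteObject with a VersionId on an Object Lock enabled bucket.
    lock_mode is the retention on that version: None, "GOVERNANCE" or "COMPLIANCE".
    bypass_governance models the x-amz-bypass-governance-retention request header.
    Returns (allowed, reason)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    if evaluate(policies, "s3:DeleteObjectVersion", arn) != "Allow":
        return False, "AccessDenied: s3:DeleteObjectVersion not allowed"
    if lock_mode is None:
        # No retention on this version: the bypass permission is never consulted.
        return True, "deleted: version has no retention"
    if lock_mode == "COMPLIANCE":
        return False, "AccessDenied: compliance retention cannot be bypassed"
    # GOVERNANCE: requires both the bypass request and the bypass permission.
    if not bypass_governance:
        return False, "AccessDenied: governance retention active, bypass not requested"
    if evaluate(policies, "s3:BypassGovernanceRetention", arn) != "Allow":
        return False, "AccessDenied: bypass requested but s3:BypassGovernanceRetention denied"
    return True, "deleted: governance retention bypassed"


if __name__ == "__main__":
    # Replays the three delete attempts from the CloudShell transcript above.
    for mode, bypass in [(None, False), ("GOVERNANCE", False), ("GOVERNANCE", True)]:
        allowed, why = delete_object_version(POLICIES, "bucketname", "test/key", mode, bypass)
        print(f"lock={str(mode):10} bypass={str(bypass):5} -> {why}")
```

Running it reproduces the transcript's outcomes: the unlocked version deletes, the GOVERNANCE version is refused without the bypass request, and with the bypass request it is refused by the explicit Deny. Swapping in only the AdministratorAccess stand-in makes the governance bypass succeed, which is the case the Deny statement exists to block.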
Hi. Thanks for your response but I already read and understood the documentation. My question is specific. Let me ask in a more simplified way:
For a bucket with object lock configured
'BypassGovernanceRetention' is required to delete object versions, where object versions do not have 'governance retention' enabled
Why should this permission be required when objects do not have governance retention?
Thanks
This is the reason I asked the question