By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Is there any possibility to lock between policies ?

0

Let's say there is an S3 bucket, which was created by a User through Cloudformation. And the bucket policy is such that there is an explicit "Deny" to delete the Bucket by anyone, including the Root User.

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementIAM Policies
Language
English
AB
asked 9 days ago385 views
1 Answer
0

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

If deletion is explicitly prohibited by the bucket policy, the IAM user cannot delete it.
For example, unless you specify a user who can be deleted using the "Condition" key as shown below, you will not be able to delete it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal":"*",
      "Action": [
        "s3:DeleteBucket",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::s3-bucket-name",
      "Condition": {
        "StringNotEquals": {"aws:username": "admin"}
      }
    }
  ]
}
profile picture
EXPERT
Riku_Kobayashi
answered 9 days ago
profile pictureAWS
EXPERT
ben-from-aws
reviewed 9 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content