S3 bucket policy preventing writes from FSx Lustre DRA

Question

Can I add an S3 bucket policy that prevents writing to the S3 bucket from an FSx Lustre DRA (data repository association)? I would still like to be able to read from the S3 bucket via the DRA.

Are there better ways to do this?

SHAJAM · Answer

You want to prevent FSx Lustre DRA to write to the linked S3 bucket. In that case, you can remove the link to the bucket.
https://docs.aws.amazon.com/fsx/latest/LustreGuide/delete-linked-dra.html

I won't suggest updating the bucket policy to prevent it. It will work but FSx will keep on trying to write to it which is unnecessary.

Also, based on your updated question, here's a [sample bucket policy](https://docs.aws.amazon.com/fsx/latest/LustreGuide/s3-validation-error.html) that you might create when setting up the FSx Lustre. You can remove the permissions that you do not need. In your case, you might remove s3:PutObject and s3:DeleteObject permissions.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
               ~~ "s3:AbortMultipartUpload",~~
               ~~ "s3:DeleteObject",~~
                ~~"s3:PutObject",~~
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "s3:ListBucket",
                ~~"s3:PutBucketNotification"~~
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name",
                "arn:aws:s3:::bucket_name/*"
            ],
            "Condition": {
                "StringLike": {     
                    "aws:PrincipalArn": [
                        "arn:aws:iam::file_system_account_ID:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fs-*"
                }
            }
        }
    ]
}
```

S3 bucket policy preventing writes from FSx Lustre DRA

Relevant content