S3 Bucket Object Lock - Deleting an object version with no retention settings requires 'BypassGovernanceRetention' permissions

0

Scenario:
An S3 Bucket has 'Object Lock' enabled. Default retention is, and always has been, 'Disabled'.
An S3 Object in the bucket has multiple versions. The Object Lock settings (Legal Hold & Retention) are both 'Disabled' for all versions of the object.
Object Lock (Legal Hold & Retention) settings have never been enabled for the object or any of its previous versions.

Issue:
An IAM User with 'DeleteObjectVersion' permission receives 'access denied' when attempting to perform a 'version delete' on a version of the object.
The delete succeeds when 'BypassGovernanceRetention' is additionally allowed for the same user.

Question:
Is this the expected behavior? It seems like a bug to me!
I understood the purpose of the 'BypassGovernanceRetention' is to allow changes to objects where 'governance mode' retention is enabled for the object.
But it appears 'BypassGovernanceRetention' is required to delete a version in the bucket, even if the version does not have 'governance mode' enabled.

I can find no reference in the documentation for this behavior.

I have confirmed this behavior occurs only for objects in buckets where Object Lock is enabled. For objects in buckets with versioning only (Object Lock disabled), the behavior is as expected: only the 'DeleteObjectVersion' permission is required to delete object versions.

Please advise

Regards
Jason

2 Answers
0

Hi Jason, This isn't intended behaviour, so I tested, but I couldn't recreate your findings. Perhaps the S3 bucket in question has a bucket policy applied that denies DeleteObjectVersion?

My test user has the 'AdministratorAccess' policy, plus the following policy to prevent the use of BypassGovernanceRetention:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "s3:BypassGovernanceRetention",
            "Resource": "arn:aws:s3:::*/*"
        }
    ]
}

Here are my test steps, showing that delete-object-version works, but bypass-governance-retention does not.


[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api put-object --bucket bucketname --body key --key test/key                                                                                                                       
{
    "ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
    "ServerSideEncryption": "AES256",
    "VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api list-object-versions --bucket bucketname --prefix test/                                                                                                                        
{
    "Versions": [
        {
            "ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
            "Size": 11,
            "StorageClass": "STANDARD",
            "Key": "test/key",
            "VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu",
            "IsLatest": true,
            "LastModified": "2023-06-28T12:56:58+00:00",
            "Owner": {
                "DisplayName": "accountname",
                "ID": "9b3dbdc10a5fd5232b7e1eaf03d65fcfe240bbf3fc790ff64c035fbe5b954510"
            }
        }
    ],
    "RequestCharged": null
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
{
    "VersionId": "O2DWbHNAjrf6qeLvgaHyt4TOw1e7l6qu"
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api list-object-versions --bucket bucketname --prefix test/
{
    "RequestCharged": null
}
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api put-object --bucket bucketname --body key --key test/key --object-lock-mode GOVERNANCE --object-lock-retain-until-date "$(date -d '+2 hour' '+%F %T')"
{
    "ETag": "\"0dbdc7f32553124593f0db8f4748aaf6\"",
    "ServerSideEncryption": "AES256",
    "VersionId": "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI"
}
[cloudshell-user@ip-10-2-13-113 ~]$ 
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI"

An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
[cloudshell-user@ip-10-2-13-113 ~]$ aws s3api delete-object --bucket bucketname --key test/key --version-id "WU6HSr075VapPVwi3tQt2W8ROD.GYXiI" --bypass-governance-retention

An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
[cloudshell-user@ip-10-2-13-113 ~]$ 
AWS
Ed_G
answered 9 months ago
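To make the expected decision explicit, here is an added model (not code from either poster) of how S3 should treat a DeleteObject-with-VersionId request under Object Lock, combined with a simplified IAM evaluation (explicit Deny wins, then any Allow, else implicit deny; identity and bucket policy statements are pooled as for a same-account principal). The `ADMIN` and `DENY_BYPASS` statements reproduce the policies in the answer above; the resource ARN and dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def iam_allows(statements, action, resource):
    """Simplified IAM evaluation over pooled identity/bucket policy statements."""
    allowed = False
    for st in statements:
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def delete_version_outcome(statements, resource, retention=None,
                           legal_hold=False, bypass_header=False, now=None):
    """Return 'deleted' or the reason the version delete is refused.

    retention: None, or (mode, retain_until) with mode GOVERNANCE or COMPLIANCE.
    bypass_header: whether x-amz-bypass-governance-retention: true was sent.
    """
    now = now or datetime.now(timezone.utc)
    if not iam_allows(statements, "s3:DeleteObjectVersion", resource):
        return "AccessDenied: s3:DeleteObjectVersion not allowed"
    if legal_hold:
        return "AccessDenied: legal hold in place"
    if retention is None or retention[1] <= now:
        return "deleted"          # no active retention: DeleteObjectVersion alone suffices
    mode, _ = retention
    if mode == "COMPLIANCE":
        return "AccessDenied: compliance retention active"
    if not bypass_header:
        return "AccessDenied: governance retention active and no bypass header"
    if not iam_allows(statements, "s3:BypassGovernanceRetention", resource):
        return "AccessDenied: s3:BypassGovernanceRetention not allowed"
    return "deleted"


# Statements from the answer above: AdministratorAccess plus the Deny on bypass.
ADMIN = {"Effect": "Allow", "Action": "*", "Resource": "*"}
DENY_BYPASS = {"Effect": "Deny", "Action": "s3:BypassGovernanceRetention",
               "Resource": "arn:aws:s3:::*/*"}
RES = "arn:aws:s3:::bucketname/test/key"   # constructed sample ARN
```

With these rules a version that has never had retention or a legal hold is deleted on s3:DeleteObjectVersion alone, which is why the answer suggests looking for a bucket policy that denies that action.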
-1

Please refer to "Enabling S3 Object Lock" under https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-bucket-config

  1. When you create a bucket with Object Lock enabled, Amazon S3 automatically enables versioning for the bucket.
  2. If you create a bucket with Object Lock enabled, you can't disable Object Lock or suspend versioning for the bucket.

When you turn on Object Lock for a bucket, the bucket can store protected objects. However, the setting doesn't automatically protect objects that you put into the bucket. If you want to automatically protect object versions that are placed in the bucket, you can configure a default retention period. Default settings apply to all new objects that are placed in the bucket, unless you explicitly specify a different retention mode and period for an object when you create it. Bucket default settings require both a mode and a period. A bucket default mode is either governance or compliance.

Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html

AWS
EXPERT
answered a year ago
  • Hi. Thanks for your response, but I already read and understood the documentation. My question is specific. Let me ask in a more simplified way:

    For a bucket with Object Lock configured, 'BypassGovernanceRetention' is required to delete object versions, even where the object versions do not have 'governance retention' enabled.

    Why should this permission be required when objects do not have governance retention?

    Thanks

    This is the reason I asked the question.
