- Newest
- Most votes
- Most comments
I don't think so.
The only way to deny download is by denying the s3:GetObject action either on IAM Policies or S3 Bucket Policies.
You can then deny for specific user, group or role through IAM Policies by simpling attaching the policy to the identity you want to or in S3 Bucket Policies using the "Principal" keyword. You can yet combine these with specific conditions and deny only for a principal under specific conditions, but there is not a condition which evaluates if the operation is performed through console or cli or sdk or the API.
Check here for all s3 available conditions.
You could deny every identity which has console access from downloading files and provide them with a role to for them to use to donwload through CLI or SDK.
Hope this helps you, let me me know if I can still help.
Relevant content
- asked 3 months ago
- asked 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago