Questions tagged with S3 Object Lock

Access error when going to S3 console - 403 Forbidden error for all the s3 bucket

Hi, today, without any specific operation which I have made, I got the following error when accessing the S3 Console at https://s3.console.aws.amazon.com/:

> Thanks for signing up with Amazon Web Services. Your services may take up to 24 hours to fully activate. If you're unable to access AWS services after that time, here are a few things you can do to expedite the process:
>
> Make sure you provided all necessary information during signup. Complete your AWS registration. Check your email to see if you have received any requests for additional information. If you have, please respond to those emails with the information requested.
>
> Verify your credit card information is correct. Also, check your credit card activity to see if there's a $1 authorization (this is not a charge). You may need to contact your card issuer to approve the authorization. If the problem persists, please contact Support:

Furthermore, when trying to access any S3 buckets which belong to the same organisation and were public (static web sites), we got:

> 403 Forbidden
> Code: AllAccessDisabled
> Message: All access to this object has been disabled
> RequestId: 4AWKPXHEKK4R23B4
> HostId: yP4BnTua4EXv2MjpPpSZip2gIrifx2xZ7ckCkMNGKjFjujJzuMMQUlgKxQi9GXMPEGdjnPrR6G0=

At the moment I cannot see the S3 console, and all the public websites inside that S3 static folder return a 403 Forbidden error. Do you have any advice on what could have been done? Thanks
1 answer, 0 votes, 122 views, asked 6 months ago

How to build a mechanism to govern multiple AWS data locking features?

**Background**

There is an identified need to govern multiple data locking features that AWS provides in the context of a multi-account environment with independent teams. If there is no governance, data locking might be enabled in various AWS accounts (in various regions), causing a potential compliance nightmare and related challenges to roll back if data is accidentally locked for multiple years. It seems the only way to exit from compliance mode data locking is to fully close the related AWS account (data seems then to be deleted after 90 days, even when locked).

Optimally, the use of AWS locking features would be allowed only by exception (after human review of each use case). Governance mode could be allowed by default for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provides data locking) with SCPs in AWS Organization.

It has been identified that at least these three operations are related to data locking:

* backup:PutBackupVaultLockConfiguration
* glacier:CompleteVaultLock
* s3:PutBucketObjectLockConfiguration

**Questions**

1. To deny all AWS data locking features, what IAM actions need to be denied with SCP, in addition to the ones above?
2. Is the only way to exit the Backup Vault lock to close the related AWS account (with a 90-day grace period)?
3. How can one confirm the deletion of data related to the question above? The assumption is that data remains until the grace period has passed (90 days). Does AWS emit some logs (when the account is being closed) that prove that data has actually been wiped?
4. How can one list what various data locks are currently in use? Is CloudTrail the only option?
5. Are there any other best practices to share for centrally governing the various AWS data locking features?
0 answers, 0 votes, 78 views, asked 6 months ago