Questions tagged with S3 Object Lock

S3 Bucket Object Lock - Deleting an object version with no retention settings requires 'BypassGovernanceRetention' permissions

**Scenario:** An S3 Bucket has 'Object Lock' enabled. Default retention is, and always has been, 'Disabled'. An S3 Object in the bucket has multiple versions. Object Lock (Legal Hold & Retention) are both 'Disabled' for all versions of the object. Object Lock (Legal Hold & Retention) settings have never been enabled for the object or any of its previous versions.

**Issue:** An IAM User with 'DeleteObjectVersion' permission receives 'access denied' when attempting to perform 'version delete' on a version of the object. The delete succeeds with the additional 'BypassGovernanceRetention' allowed for the same user.

**Question:** Is this the expected behavior? It seems like a bug to me!

I understood the purpose of the 'BypassGovernanceRetention' is to allow changes to objects where 'governance mode' retention is enabled for the object. But it appears 'BypassGovernanceRetention' is required to delete a version in the bucket, even if the version does not have 'governance mode' enabled. I can find no reference in documentation for this behavior.

I have confirmed this behavior occurs only for objects in buckets where object lock is enabled. For objects in buckets with versioning only (object lock disabled), the behavior is as expected: only the 'DeleteObjectVersion' permission is required to delete object versions.

Please advise.

Regards,
Jason

1 answer, 0 votes, 33 views, asked 13 days ago

S3 Object Lock and incomplete uploads.

Say you want to upload a bunch of really large files. However, somewhere in between the upload something goes wrong. The files don't complete. The whole thing is a mess, so you just want to start over. If you set up the bucket with Object Lock in Compliance mode, you're pretty much just going to have to eat the costs for the duration of the retention period? Am I understanding this correctly? Do you guys have any advice for dealing with these situations?

This is for backups. I am currently using Amazon S3 (not Glacier). Perhaps I should be using Amazon S3 Glacier with Vault Lock instead, but I'm not as familiar with it as I've never used it before. Is there a better way to handle this situation? Ultimately I want the files to be immutable after I upload them, but I wouldn't mind if it waited until the upload finished.

(SEPARATE QUESTION) Another problem I run into is my S3 Browser uploads everything as "Standard". When I change everything to Glacier Deep Storage it redownloads the data again, while also creating a separate version still in Standard. Am I going to be charged for both? And if so, is there any way to avoid this besides using the funky browser upload? (That is how I got the messed up original upload.)

So in summation:

1) How does Object Lock handle incomplete uploads? Is there any way to delete them after you uploaded them?
2) Is there a better way to apply a different storage tier to an Object Locked S3 Bucket, besides uploading it twice or using the browser?

Thank you!

1 answer, 0 votes, 36 views, asked 2 months ago

Browser-Based Upload using HTTP POST

This is my HTML POST Form.

```
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  </head>
  <body>

  <form action="http://sigv4examplebucket.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload:
    <input type="input" name="key" value="user/user1/${filename}" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="http://sigv4examplebucket.s3.amazonaws.com/successful_upload.html" />
    Content-Type:
    <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="x-amz-meta-uuid" value="14365123651274" />
    <input type="hidden" name="x-amz-server-side-encryption" value="AES256" />
    <input type="text" name="X-Amz-Credential" value="AKIAIOSFODNN7EXAMPLE/20151229/us-east-1/s3/aws4_request" />
    <input type="text" name="X-Amz-Algorithm" value="AWS4-HMAC-SHA256" />
    <input type="text" name="X-Amz-Date" value="20151229T000000Z" />

    Tags for File:
    <input type="input" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="Policy" value='<Base64-encoded policy string>' />
    <input type="hidden" name="X-Amz-Signature" value="<signature-value>" />
    File:
    <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>

  </body>
</html>
```

I got this from the AWS S3 Docs shown below.

[https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html)

From AWS Console I have gotten my security credentials:

Access Key = XXXX
Secret Key = XXXX

I am aware that I need to set values for "Policy" and "X-Amz-Signature" but I am not sure as to how to do that. In the docs they have mentioned that I need to StringToSign and get the Policy/Signature but I am not sure how to do that.

Can someone help me as to how to generate the Policy (Base64-encoded policy string) and Signature for my HTML form?

1 answer, 0 votes, 23 views, asked 2 months ago

Can we allow getObject with bucket policy using "Effect": "Deny" and condition

My policy role is below, in JSON format:

```
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/*" ],
      "Condition": {
        "StringNotLike": {
          "aws:Referer": [
            "http://www.training.sedarspine.com/*",
            "http://training.sedarspine.com/*",
            "https://www.training.sedarspine.com/*",
            "https://training.sedarspine.com/*",
            "https://sedarspine.com/*",
            "https://www.sedarspine.com/*",
            "https://burtlan.sedarspine.com/*",
            "https://www.burtlan.sedarspine.com/*",
            "https://sedarglobal.com/*",
            "https://www.sedarglobal.com/*",
            "https://live.sedarglobal.com/*",
            "https://www.live.sedarglobal.com/*",
            "http://live.sedarglobal.com/*",
            "http://www.live.sedarglobal.com/*",
            "https://test.sedarglobal.com/*",
            "https://www.test.sedarglobal.com/*",
            "http://localspine.com/*",
            "https://localspine.com/*",
            "http://www.localspine.com/*",
            "https://login.burtlan.com/*",
            "https://sc.sedarglobal.com/*",
            "http://sc.sedarglobal.com/*",
            "https://spinebusiness.com/*",
            "http://spinebusiness.com/*",
            "http://localburtlan.com/*",
            "http://pre.sedarglobal.com/*",
            "https://pre.sedarglobal.com/*",
            "https://localspine.test/*",
            "http://132.1.0.105:3000/*",
            "http://dxb.sedarspine.com/*",
            "https://dxb.sedarspine.com/*",
            "https://sedaruae.homeip.net/*",
            "http://localhost:3000/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowPublicRead-1",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ],
      "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/*" ]
    }
  ]
}
```

0 answers, 0 votes, 11 views, asked 2 months ago