Unanswered Questions tagged with S3 Object Lock

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

  • 1
  • 12 / page

Can we allow getObject with bucket policy using "Effect": "Deny" and condition

My policy role is below JSON format code { "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPublicRead", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/*" ], "Condition": { "StringNotLike": { "aws:Referer": [ "http://www.training.sedarspine.com/*", "http://training.sedarspine.com/*", "https://www.training.sedarspine.com/*", "https://training.sedarspine.com/*", "https://sedarspine.com/*", "https://www.sedarspine.com/*", "https://burtlan.sedarspine.com/*", "https://www.burtlan.sedarspine.com/*", "https://sedarglobal.com/*", "https://www.sedarglobal.com/*", "https://live.sedarglobal.com/*", "https://www.live.sedarglobal.com/*", "http://live.sedarglobal.com/*", "http://www.live.sedarglobal.com/*", "https://test.sedarglobal.com/*", "https://www.test.sedarglobal.com/*", "http://localspine.com/*", "https://localspine.com/*", "http://www.localspine.com/*", "https://login.burtlan.com/*", "https://sc.sedarglobal.com/*", "http://sc.sedarglobal.com/*", "https://spinebusiness.com/*", "http://spinebusiness.com/*", "http://localburtlan.com/*", "http://pre.sedarglobal.com/*", "https://pre.sedarglobal.com/*", "https://localspine.test/*", "http://132.1.0.105:3000/*", "http://dxb.sedarspine.com/*", "https://dxb.sedarspine.com/*", "https://sedaruae.homeip.net/*", "http://localhost:3000/*" ] } } }, { "Sid": "AllowPublicRead-1", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::ABC_123", "arn:aws:s3:::ABC_123/*" ] } ] }
0
answers
0
votes
11
views
asked 2 months ago

Expired s3 Backup Recovery Point

I configured AWS Backup in CDK to enable continuous backups for s3 buckets with this configuration : - backup rule : with `enableContinuousBackup: true` and `deleteAfter 35 days` - backup selection : with `resources` array having the ARN of the bucket directly set and roles setup following the docs of aws : https://docs.aws.amazon.com/aws-backup/latest/devguide/s3-backups.html Later I deleted the stack in CDK and ,as expected, all the resources were deleted except for the vault that was orphaned. The problem happens when trying to delete the recovery points inside the vault, I get back the status as `Expired` with a message `Insufficient permission to delete recovery point`. - I am logged in as a user with AdministratorAccess - I changed the access policy of the vault to allow anyone to delete the vault / recovery point - even when logged as the root of the account, I still get the same message. --- - For reference, this is aws managed policy attached to my user : `AdministratorAccess` , it Allows (325 of 325 services) including AWS Backup obviously. - Here's the vault access policy that I set : ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "backup:DeleteBackupVault", "backup:DeleteBackupVaultAccessPolicy", "backup:DeleteRecoveryPoint", "backup:StartCopyJob", "backup:StartRestoreJob", "backup:UpdateRecoveryPointLifecycle" ], "Resource": "*" } ] } ``` Any ideas what I'm missing here ? **Update ** : - A full week after creating the backup recovery point, and still unable to delete it. - I tried deleting it from the AWS CLI but no luck. - I tried suspending the versioning for the bucket in question and tried, but no luck too.
0
answers
2
votes
133
views
Anis
asked 7 months ago

How to build a mechanism to govern multiple AWS data locking features?

**Background** There is identified need to govern multiple data locking features that AWS Provides in a context of multi-account environment with independent teams. If there is no governance - data locking might be enabled in various AWS accounts (in various regions) causing potential compliance nightmare and related challenges to rollback if data is accidentally locked for multiple years. It seems the only way to exit from compliance mode data locking is to fully close the related AWS account ( data seems then to be deleted after 90 days, even when locked). Optimally the use of AWS locking features would be allowed only by exception (after human review of each use-case). Governance mode could be by default allowed for all accounts/resources, but it should be possible to prevent the use of compliance mode (in any AWS service that provide data locking) with SCPs in AWS Organization. It has been identified at least these three are related operations for data locking: * backup:PutBackupVaultLockConfiguration * glacier:CompleteVaultLock * s3:PutBucketObjectLockConfiguration **Questions** 1. To deny all AWS data locking features - what IAM actions need to be denied with SCP - in addition to to the ones above? 2. Is the only way to exit the Backup Vault lock is to close the related AWS account (with 90 days grace period)? 3. How can one confirm the deletion of data related to question above. The assumption is that data remains until grace period has passed (90 days). Does AWS emit some logs (when account is being closed) that prove that data has been actually wiped? 4. How one can list what various data locks are currently in use? Is Cloudtrail the only option? 5. Are there any other best practise to share - to centrally govern the various AWS data locking features?
0
answers
0
votes
89
views
asked 8 months ago
  • 1
  • 12 / page