Cbas

Reputation: 6213

AWS S3 prevent delete while allowing uploads

I'm building an app that lets everyone upload to my S3 bucket, but for security purposes I need to disable the ability to delete from the bucket. Since upload/delete permissions are bundled together in the AWS settings, how can I allow one and prevent the other?


SOLUTION:

Remove the Access Policy and add a bucket policy with this:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket_name/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}

Upvotes: 1

Views: 1047

Answers (1)

E.J. Brennan

Reputation: 46879

Read this article about the difference between ACLs and IAM policies:

https://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc

You want to create an IAM policy similar to this, not use an ACL:

{
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket>/<optional_key>",
      "Principal": {
        "AWS": ["*"]
      }
    }
  ]
}

Upvotes: 3
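A quick static check for the "anyone may upload, nobody may delete" property the question is after, added here as an example and not code from either post: the first policy string is the one posted in the question (placeholders kept), the second policy and all helper functions are constructed for this illustration.

```python
import fnmatch
import json

# The bucket policy posted in the question above (placeholders kept as-is).
POLICY_FROM_QUESTION = """{
  "Version": "2008-10-17",
  "Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::<bucket_name>/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::<bucket_name>/*"}
  ]
}"""

# Constructed variant: a single "s3:*" grant, which quietly includes delete.
OVERBROAD_POLICY = """{"Statement": [{"Effect": "Allow", "Principal": "*",
  "Action": "s3:*", "Resource": "arn:aws:s3:::<bucket_name>/*"}]}"""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True for the forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_actions(policy_json):
    """Return (allowed, denied) sets of action patterns granted to everyone.
    NotAction, NotPrincipal and Condition blocks are not evaluated here."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _is_public(stmt.get("Principal")):
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return allowed, denied

def public_can(policy_json, action):
    """Can an anonymous caller perform `action`? An explicit Deny wins."""
    allowed, denied = public_actions(policy_json)
    act = action.lower()
    if any(fnmatch.fnmatchcase(act, p) for p in denied):
        return False
    return any(fnmatch.fnmatchcase(act, p) for p in allowed)
```

Keep in mind that s3:PutObject on an existing key overwrites it, so a public upload grant still lets anyone replace objects; enabling bucket versioning keeps the prior versions recoverable.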
