AJB

Reputation: 7592

Bucket policy denying S3:DeleteBucket and S3:DeleteObject still deletes objects

I've applied the following bucket policy to a my-bucket.myapp.com S3 bucket:

{
    "Version": "2008-10-17",
    "Id": "PreventAccidentalDeletePolicy",
    "Statement": [
        {
            "Sid": "PreventAccidentalDelete",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:DeleteBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket.myapp.com",
                "arn:aws:s3:::my-bucket.myapp.com/*"
            ]
        }
    ]
}

Then in the console, when I attempt to delete the bucket (right-click, Delete) I get the error I'm expecting: Access Denied.

BUT, and here's the rub, the problem is that it still deletes all the objects that are in the bucket.

Why does this happen?

And it even happens with a versioned bucket. It just wipes all the versions and the objects are GONE.

Upvotes: 4

Views: 5394

Answers (1)

Aaron Caito

Reputation: 98

Recommended best practice is to not use the root account aside from creating your initial IAM user, so you can add restrictions to prevent such an incident. In the event someone has a use case that needs this behavior programmatically, they don't want to put limits in the system as "safeguards". It's up to the user to follow best practice and implement the necessary safeguards as applicable to their situation.

The exact process for how Amazon authorizes actions on S3 objects: http://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html

Section 2|A in this document describes the behavior applied to the root account in the user context: "If the request is made using root credentials of an AWS account, Amazon S3 skips this step."

Upvotes: 2
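An added example, not code from the question or the answer: a small evaluator that applies the posted Deny statement to individual requests using IAM-style wildcard matching on Principal, Action and Resource. It models only the bucket policy itself (the bucket-context step in the linked document), not the user-context step the answer quotes, so it does not reproduce the root-credential special case. What it does show is a check worth running before trusting a "prevent delete" policy: which delete-related actions the statement actually names. Because IAM matches action names as strings, `s3:DeleteObject` does not cover `s3:DeleteObjectVersion`, the action used to remove individual versions in a versioned bucket. The caller ARN, object key and the list of checked actions are assumptions for illustration.

```python
"""Evaluate the question's Deny-only bucket policy against sample requests.

Added example: a deliberately small subset of IAM policy evaluation
(explicit Deny beats Allow, anything unmatched is an implicit deny),
covering Principal/Action/Resource matching with '*' wildcards only.
It is not AWS's evaluation engine and models no IAM user policies.
"""
import fnmatch
import json

# The bucket policy from the question, embedded verbatim (quotes corrected).
BUCKET_POLICY = json.loads(r'''
{
    "Version": "2008-10-17",
    "Id": "PreventAccidentalDeletePolicy",
    "Statement": [
        {
            "Sid": "PreventAccidentalDelete",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
            "Resource": [
                "arn:aws:s3:::my-bucket.myapp.com",
                "arn:aws:s3:::my-bucket.myapp.com/*"
            ]
        }
    ]
}
''')

BUCKET_ARN = "arn:aws:s3:::my-bucket.myapp.com"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' or {"AWS": "*"} matches every caller; otherwise require an exact ARN."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", []))
    return "*" in aws or caller_arn in aws


def evaluate(policy, caller_arn, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Action names are compared case-insensitively (as IAM does); resource
    ARNs are case-sensitive. '*' in a pattern matches any characters,
    including '/', so 'bucket/*' covers every key in the bucket.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def uncovered_delete_actions(policy, bucket_arn, caller_arn="*"):
    """Delete-related actions on the bucket or its objects that the policy
    does NOT explicitly deny. The object key is a constructed sample."""
    checks = [
        ("s3:DeleteBucket", bucket_arn),
        ("s3:DeleteObject", bucket_arn + "/report.csv"),
        ("s3:DeleteObjectVersion", bucket_arn + "/report.csv"),
    ]
    return [act for act, res in checks
            if evaluate(policy, caller_arn, act, res) != "Deny"]


if __name__ == "__main__":
    # Assumed caller: the root principal of a made-up account.
    root = "arn:aws:iam::123456789012:root"
    for act, res in [("s3:DeleteBucket", BUCKET_ARN),
                     ("s3:DeleteObject", BUCKET_ARN + "/report.csv"),
                     ("s3:DeleteObjectVersion", BUCKET_ARN + "/report.csv")]:
        print(f"{act:<25} {evaluate(BUCKET_POLICY, root, act, res)}")
    print("not explicitly denied:", uncovered_delete_actions(BUCKET_POLICY, BUCKET_ARN))
```

Running the script shows `s3:DeleteBucket` and `s3:DeleteObject` explicitly denied while `s3:DeleteObjectVersion` falls through to an implicit deny, meaning the bucket policy adds no protection for that action and any Allow elsewhere decides the outcome.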
