14578446

Reputation: 1074

Bucket policy to prevent bucket delete

I am looking for a bucket policy which allows only the root account user and the bucket creator to delete the bucket, something like the one below. Please suggest. How to restrict to only the bucket creator and root?

{
    "Version": "2012-10-17",
    "Id": "PutObjBucketPolicy",
    "Statement": [
        {
            "Sid": "AllowRootBucketDelete",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxx:root"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::test-bucket-s3"
        },
        {
            "Sid": "PreventBucketDelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::test-bucket-s3"
        }
    ]
}

Upvotes: 1

Views: 3802

Answers (2)

kamprasad

Reputation: 648

There are 2 different types of permissions in S3.

  1. Resource-based policies
  2. User policies

So bucket policies and access control lists (ACLs) are resource-based and are attached to the bucket.

If all users are in the same AWS account, you can consider a user policy, which is attached to a user or role.

If you are dealing with multiple AWS accounts, bucket policies or ACLs are better.

The only difference is that bucket policies allow you to grant or deny access and apply to all objects in the bucket.

ACLs grant basic read or write permissions and can't add conditional checks.

Upvotes: 0

John Rotenstein

Reputation: 269111

A Deny always beats an Allow. Therefore, with this policy, nobody would be allowed to delete the bucket. (I assume, however, that the root user would be able to do so, since it exists outside of IAM.)

There is no need to assign permissions to the root, since it can always do anything.

Also, there is no concept of the "bucket creator". It belongs to the account, not a user.

Therefore:

  • Remove the Allow section (it does nothing)
  • Test whether the policy prevents non-root users from deleting it
  • Test whether the policy still permits the root user to delete it

Upvotes: 1
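A small model of the evaluation rule this answer relies on (start from an implicit deny, an explicit Deny overrides any Allow), as an added example that is not part of the question or either answer. It evaluates the policy posted in the question and the same policy with the Allow statement removed, for the placeholder account `xxxxxxx` from the question and a constructed IAM user `alice`, and shows both policies give the same result for every caller, which is the sense in which the Allow "does nothing". The evaluator is a simplification: it does not model `Condition` elements, identity-based policies, SCPs, or the root user's special status mentioned in the answer.

```python
import fnmatch

# Constructed copy of the policy from the question (Sids made unique so the
# document is valid); account id and bucket name are the question's placeholders.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRootBucketDelete",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::xxxxxxx:root"},
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::test-bucket-s3",
        },
        {
            "Sid": "PreventBucketDelete",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::test-bucket-s3",
        },
    ],
}

# The same policy with the Allow statement removed, as the answer suggests.
DENY_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [POSTED_POLICY["Statement"][1]],
}


def _as_list(value):
    """Policy elements may be written as a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Match the Principal element against the caller's ARN.

    Handles the two shapes used in the question: the wildcard "*" and
    {"AWS": <arn or list of arns>}. Service/Federated principals are not modelled.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _statement_matches(stmt, caller_arn, action, resource):
    """True when principal, action and resource all match (wildcards allowed)."""
    return (
        _principal_matches(stmt.get("Principal"), caller_arn)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    )


def evaluate(policy, caller_arn, action, resource):
    """Return "Allow" or "Deny" for one request against a resource-based policy.

    Simplified IAM order: implicit deny by default, an explicit Deny in any
    matching statement wins, otherwise a matching Allow grants access.
    """
    effects = {
        stmt["Effect"]
        for stmt in policy["Statement"]
        if _statement_matches(stmt, caller_arn, action, resource)
    }
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"  # implicit deny


def compare_policies(caller_arn, action="s3:DeleteBucket",
                     resource="arn:aws:s3:::test-bucket-s3"):
    """Evaluate both policies for one caller and return the pair of decisions."""
    return (
        evaluate(POSTED_POLICY, caller_arn, action, resource),
        evaluate(DENY_ONLY_POLICY, caller_arn, action, resource),
    )


if __name__ == "__main__":
    # Constructed callers: the account root ARN from the question and an IAM user.
    for arn in ("arn:aws:iam::xxxxxxx:root", "arn:aws:iam::xxxxxxx:user/alice"):
        print(arn, compare_policies(arn))
```

Running it prints `('Deny', 'Deny')` for both callers: the Deny with `Principal: "*"` matches every principal the Allow matches, so the Allow never changes the outcome. Whether the real root user is still able to delete the bucket, as the answer supposes, is exactly the point the answer tells you to test against the live service rather than infer from the policy text.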
