Reputation: 4097
In the Amazon S3 console I only see a permission option for "upload/delete". Is there a way to allow uploading but not deleting?
Upvotes: 20
Views: 30656
Reputation: 113
This worked perfectly. Thanks to Pung Worathiti Manosroi. Combined his mentioned policy as per below:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:PutObjectAcl",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:PutBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ],
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname",
        "arn:aws:s3:::mybucketname/*"
      ],
      "Condition": {}
    }
  ]
}
Upvotes: 10
Reputation: 1490
You can attach a no-delete policy to your S3 bucket. For example, if you don't want this IAM user to perform any delete operation on any buckets or any objects, you can set something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1480692207000",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteBucketWebsite",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
Also, you can check your policy with the policy simulator https://policysim.aws.amazon.com to check if your setup is what you expected or not.
Hope this helps!
Upvotes: 14
Reputation: 64761
The permissions you are seeing in the AWS Management Console directly are based on the initial and comparatively simple Access Control Lists (ACL) available for S3, which essentially differentiated READ and WRITE permissions, see Specifying a Permission:
- READ - Allows grantee to list the objects in the bucket
- WRITE - Allows grantee to create, overwrite, and delete any object in the bucket
These limitations have been addressed by adding Bucket Policies (permissions applied on the bucket level) and IAM Policies (permissions applied on the user level), and all three can be used together as well (which can become rather complex, as addressed below), see Access Control for the entire picture.
Your use case probably asks for a respective bucket policy, which you can add directly from the S3 console as well. Clicking on Add bucket policy opens the Bucket Policy Editor, which features links to a couple of samples as well as the highly recommended AWS Policy Generator, which allows you to assemble a policy addressing your use case.
For an otherwise locked down bucket, the simplest form might look like so (please ensure to adjust Principal and Resource to your needs):
{
  "Statement": [
    {
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::<bucket_name>/<key_name>",
      "Principal": {
        "AWS": [
          "*"
        ]
      }
    }
  ]
}
Depending on your use case, you can easily compose pretty complex policies by combining various Allow and Deny actions etc. - this can obviously yield inadvertent permissions as well, thus proper testing is key as usual; accordingly, please take care of the implications when using Using ACLs and Bucket Policies Together or IAM and Bucket Policies Together.
Finally, you might want to have a look at my answer to Problems specifying a single bucket in a simple AWS user policy as well, which addresses another commonly encountered pitfall with policies.
Upvotes: 23
Reputation: 14896
Yes, s3:DeleteObject is an option:
http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
However, there is no differentiation between changing an existing object (which would allow effectively deleting it) and creating a new object.
Upvotes: 3
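As an added example (not code from any of the answers, and not AWS's own evaluation engine), the following simplified model of policy evaluation shows how the Allow/Deny statements above combine: an explicit Deny wins, anything not allowed is implicitly denied, and an overwrite is indistinguishable from an upload. The bucket name `example-bucket` and both sample policies are constructed; the model assumes identity-style statements only and ignores `Principal`, `Condition`, `NotAction` and other policy types.

```python
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket"  # constructed placeholder ARN

# Constructed upload-only policy in the style of the answers above.
UPLOAD_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
]}

# Same ListBucket grant, but scoped to object ARNs only (the common pitfall).
OBJECT_ARN_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": BUCKET + "/*"},
]}


def _matches(patterns, value, fold_case=False):
    """True if value matches any IAM-style wildcard pattern (* and ?)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:  # action names are case-insensitive, ARNs are not
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is allowed unless a statement says so
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


if __name__ == "__main__":
    key = BUCKET + "/report.csv"
    # Creating and overwriting a key are the same request: s3:PutObject.
    print("put (new or overwrite):", evaluate(UPLOAD_ONLY, "s3:PutObject", key))
    print("delete object:", evaluate(UPLOAD_ONLY, "s3:DeleteObject", key))
    print("list bucket:", evaluate(UPLOAD_ONLY, "s3:ListBucket", BUCKET))
    print("list, object-ARN grant:", evaluate(OBJECT_ARN_ONLY, "s3:ListBucket", BUCKET))
```

The last line prints `ImplicitDeny`: a bucket-level action such as `s3:ListBucket` is only granted when the statement's `Resource` includes the bucket ARN itself, not just `bucket/*`.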