January 26th, 2024 09:21

Object Lock restrictions

Hi,

Trying to find a way to protect us from a situation where a user creates a bucket using the API with

x-amz-bucket-object-lock-enabled = true

We want to limit the creation of object-locked buckets to our portal (more control).

I can't see a way to limit the above within IAM using DENY with a condition, so I need to find another way.

March 4th, 2025 09:50

We've come pretty far with something like this as a base policy. Maybe you can edit it to your own needs.

But as I said, it is not possible to make sure a user can create buckets but not object lock buckets at the same time. But if the user cannot create buckets (and cannot change the OL mode for existing ones), you can control things like this.

In this example, a policy that allows GOVERNANCE mode (and no object lock) but not COMPLIANCE.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Condition": {
        "StringNotEqualsIgnoreCase": {
          "s3:object-lock-mode": "COMPLIANCE"
        }
      },
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Effect": "Allow",
      "Sid": "policy-gen-allow"
    },
    {
      "Action": [
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Effect": "Deny",
      "Sid": "policy-gen-deny-bypass"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:ListBucketVersions",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObjectLegalHold",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
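To see how a policy of this shape actually evaluates, here is an added example (not from the thread) with a minimal IAM-style evaluator run over a condensed, constructed copy of the policy; the Sids, the shortened action list and the request contexts are assumptions. It shows that an unconditional allow for Put actions lets a COMPLIANCE request through, that removing those allows closes it, and that a CreateBucket request carries no object-lock-mode key, so the condition cannot block an object-lock-enabled bucket.

```python
import fnmatch
import json

# Condensed policy in the same shape as the one above (constructed for this
# example): conditional s3:* allow, bypass deny, and an unconditional allow list.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "allow-unless-compliance", "Effect": "Allow", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"],
  "Condition": {"StringNotEqualsIgnoreCase": {"s3:object-lock-mode": "COMPLIANCE"}}},
 {"Sid": "deny-bypass", "Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"],
  "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]},
 {"Sid": "VisualEditor0", "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:PutObjectRetention"],
  "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]}
]}
""")

def _match(patterns, value):
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(cond, ctx):
    # Models only StringNotEqualsIgnoreCase. As in AWS, a "Not" string
    # operator is satisfied when the key is absent from the request context.
    for key, want in cond.get("StringNotEqualsIgnoreCase", {}).items():
        have = ctx.get(key)
        if have is not None and have.lower() == want.lower():
            return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """IAM-style decision: explicit Deny wins, else any matching Allow, else Deny."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if (_match(st["Action"], action) and _match(st["Resource"], resource)
                and _condition_ok(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

def tighten(policy):
    """Copy with the unconditional s3:Put* allows removed from VisualEditor0."""
    p = json.loads(json.dumps(policy))
    for st in p["Statement"]:
        if st["Sid"] == "VisualEditor0":
            st["Action"] = [a for a in st["Action"] if not a.startswith("s3:Put")]
    return p
```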

February 28th, 2025 09:41

There is no way to limit this other than with deep packet inspection on the firewall. We've had this question a lot from our customers. To be more specific, I'd need to know whether you are talking about bucket creation via the ECS management API or the S3 API.

February 28th, 2025 10:02

Hi,
thanks. We only let partners/customers use the S3 API, but in our portal we ourselves use ECS management for tasks like enabling the S3 service (creating a namespace). A customer cannot create a namespace by themselves with a random name.
