Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Is there any possibility to lock between policies ?

0

Let's say there is an S3 bucket, which was created by a User through Cloudformation. And the bucket policy is such that there is an explicit "Deny" to delete the Bucket by anyone, including the Root User.

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

Themen
SpeicherSicherheit, Identität & Konformität
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementIAM-Richtlinien
Sprache
English
AB
gefragt vor einem Monat406 Aufrufe
1 Antwort
0

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

If deletion is explicitly prohibited by the bucket policy, the IAM user cannot delete it.
For example, unless you specify a user who can be deleted using the "Condition" key as shown below, you will not be able to delete it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal":"*",
      "Action": [
        "s3:DeleteBucket",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::s3-bucket-name",
      "Condition": {
        "StringNotEquals": {"aws:username": "admin"}
      }
    }
  ]
}
profile picture
EXPERTE
Riku_Kobayashi
beantwortet vor einem Monat
profile pictureAWS
EXPERTE
ben-from-aws
überprüft vor einem Monat

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt