Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Is there any possibility to lock between policies ?

0

Let's say there is an S3 bucket, which was created by a User through Cloudformation. And the bucket policy is such that there is an explicit "Deny" to delete the Bucket by anyone, including the Root User.

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

Temas
AlmacenamientoSeguridad, identidad y cumplimiento
Etiquetas
Amazon Simple Storage ServiceAWS Identity and Access ManagementPolíticas de IAM
Idioma
English
AB
preguntada hace un mes406 visualizaciones
1 Respuesta
0

So, is the bucket locked ? Will the bucket not be deleted by normal means , especially, when the Bucket policy or the IAM policy given to the user) cannot be changed by a developer (who is not an admin) ?

If deletion is explicitly prohibited by the bucket policy, the IAM user cannot delete it.
For example, unless you specify a user who can be deleted using the "Condition" key as shown below, you will not be able to delete it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal":"*",
      "Action": [
        "s3:DeleteBucket",
        "s3:PutBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::s3-bucket-name",
      "Condition": {
        "StringNotEquals": {"aws:username": "admin"}
      }
    }
  ]
}
profile picture
EXPERTO
Riku_Kobayashi
respondido hace un mes
profile pictureAWS
EXPERTO
ben-from-aws
revisado hace un mes

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante