Understanding S3 Bucket Deletion Permissions: Am I Misunderstanding Non-Versioned Buckets?

Asked By CuriousCoder42 On

I recently encountered an interesting challenge regarding how Amazon S3 manages delete permissions on non-versioned buckets. I always thought that applying a policy to deny delete actions would be straightforward. For instance, I typically set this deny policy for my non-versioned S3 buckets, like so:

```json
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:DeleteObject",
  "Resource": "arn:aws:s3:::my-bucket/*"
}
```

This makes sense to prevent deletes, right? Well, I found out that while this does deny deleting an object normally, if you try to delete the "null version" of the object, it unexpectedly goes through:

```bash
aws s3api delete-object --bucket my-bucket --key delete-me.txt --version-id null
```

This problem arises because it's using the `s3:DeleteObjectVersion` action, even if my bucket has never been versioned! I noticed this quirk while using the "Empty bucket" option in the AWS console, which calls this null version delete, and it left me puzzled. To properly handle this, I realized I need to include both actions in my policy:

```json
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
  "Resource": "arn:aws:s3:::my-bucket/*"
}
```

Is anyone else aware of this oddity? Did I overlook something obvious in AWS documentation regarding this?

3 Answers

Answered By CloudExplorer27 On

I’ve got a question about that command using the null version. Does it actually delete the object, or is it still there? I mean, it did execute successfully but did the object truly get deleted?

DataDude99 -

Yeah, once you run that command, it’s really deleted! Every object does have a version, and for non-versioned buckets, that version is always `null`.

CloudWhisperer22 -

Correct! The object is gone. While it’s not obvious, it’s crucial to understand that even non-versioned buckets still handle versions, just in a different way.

Answered By ThoughtfulDev99 On

That’s pretty interesting! Thanks for bringing it to light. It’s good to know about the `s3:DeleteObjectVersion` action’s impact even on non-versioned buckets. Many people might not realize this and could lose data unexpectedly if they aren’t careful with their policies.

Answered By TechieTinker98 On

Absolutely! I often append `*` at the end of permissions like `s3:DeleteObject`, `s3:PutObject`, and `s3:GetObject`, just to cover any edge cases.
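A small check for the gap described in the question, and for the `*` suffix suggested in the last answer, as an added example that is not part of the original thread: it loads constructed bucket policies and reports which of the two S3 delete actions no explicit Deny covers, using IAM-style `*`/`?` wildcard matching on Action and Resource. It ignores `Condition` and `NotAction`, so it is a focused linter for this quirk, not a full IAM policy evaluator.

```python
import fnmatch
import json

# Constructed sample policies (not from the original post). The first mirrors the
# single-action Deny from the question, the second the corrected version, the
# third the wildcard style mentioned in the last answer.
SINGLE_ACTION_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Principal": "*",
   "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}""")
BOTH_ACTIONS_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Principal": "*",
   "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
   "Resource": "arn:aws:s3:::my-bucket/*"}]}""")
WILDCARD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Principal": "*",
   "Action": "s3:DeleteObject*", "Resource": "arn:aws:s3:::my-bucket/*"}]}""")

# The two actions S3 evaluates for the delete paths discussed in the thread:
# a plain delete, and a delete of a specific version (including the null version).
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def explicit_deny(policy, action, resource):
    """True if some Deny statement matches both the action and the resource.
    Action names are case-insensitive in IAM; resource ARNs are matched as-is.
    Condition and NotAction are deliberately not handled (assumption of this check)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def uncovered_delete_paths(policy, resource):
    """Delete actions on `resource` that no Deny blocks; non-empty means a gap."""
    return [a for a in DELETE_ACTIONS if not explicit_deny(policy, a, resource)]


if __name__ == "__main__":
    key = "arn:aws:s3:::my-bucket/delete-me.txt"
    print(uncovered_delete_paths(SINGLE_ACTION_POLICY, key))  # ['s3:DeleteObjectVersion']
    print(uncovered_delete_paths(BOTH_ACTIONS_POLICY, key))   # []
```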
