How can we allow iam user to only upload object and deny him to delete and list objects?

Time:11-08

I want to create an S3 bucket from which anyone can get objects, but only an IAM user can upload an object.

My bucket policy is like this. Anyone can read objects, but cannot perform delete, list, or create actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "*"
    }
  ]
}

I attached the policy below to a user and a group to grant permission to upload objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1347416638923",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}

(Resource fixed as @Marcin mentioned.)

The problem is that this user can list objects and delete objects from JavaScript. How can we allow this user to only upload objects?

We use Wasabi storage by the way.

CodePudding user response:

arn:aws:s3:::my_bucket is a bucket, not objects. Thus it should be:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1347416638923",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Sid": "ExplicitDeny",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Sid": "ExplicitDeny2",
      "Effect": "Deny",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my_bucket"
    }
  ]
}
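To see why the bucket ARN never matched an object and how the explicit denies interact with the public-read bucket policy, here is an added example (not from the question or the answer): a small Python model of IAM's evaluation order (explicit Deny beats Allow, Allow beats implicit deny) with "*" wildcard matching. It ignores Principal and Condition, and "my_bucket" and the object key are placeholders I made up.

```python
import fnmatch

# Constructed copies of the policies from the thread; "my_bucket" is a placeholder.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "*"}]}
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUpload", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Sid": "ExplicitDeny", "Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Sid": "ExplicitDeny2", "Effect": "Deny", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my_bucket"}]}
OBJECT_ARN = "arn:aws:s3:::my_bucket/report.pdf"   # a constructed object ARN
BUCKET_ARN = "arn:aws:s3:::my_bucket"              # the bucket itself

def _applies(stmt, action, resource):
    # IAM matches Action case-insensitively and Resource case-sensitively,
    # both with "*" / "?" wildcards; Principal and Condition are ignored here.
    as_list = lambda v: v if isinstance(v, list) else [v]
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"])))

def evaluate(policies, action, resource):
    """Simplified IAM decision: an explicit Deny in any policy wins, otherwise any
    Allow (bucket policy or identity policy) grants, otherwise implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def upload_only_user_decisions():
    """What the IAM user can do once the answer's policy is attached."""
    checks = [("s3:PutObject", OBJECT_ARN), ("s3:GetObject", OBJECT_ARN),
              ("s3:DeleteObject", OBJECT_ARN), ("s3:ListBucket", BUCKET_ARN)]
    return {a: evaluate([BUCKET_POLICY, USER_POLICY], a, r) for a, r in checks}

def bucket_arn_as_resource_decision():
    """The original mistake: a bucket ARN as Resource never matches an object key,
    so PutObject on an object is not even allowed."""
    wrong = {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                            "Resource": BUCKET_ARN}]}
    return evaluate([wrong], "s3:PutObject", OBJECT_ARN)
```

This follows the evaluation rules AWS documents for IAM; confirm the behaviour against the real service (on AWS, `aws iam simulate-principal-policy` does this against the actual account), since this toy model does not see other policies attached to the user.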