Home > other >  Deny delete of an S3 bucket if a specific tag exists
Deny delete of an S3 bucket if a specific tag exists

Time:12-22

I'm trying to building a policy to deny deletion of an S3 Bucket if a specific tag exists. My idea is, if an S3 bucket has the tag (for example):

Key: prevent_delete Value: true

and someone is try to delete the bucket, deny that permission.so far this is the policy i've been testing:

{
            "Sid": "VisualEditor3",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/prevent_delete": "true"
                }
            }
        }

but still allow to delete S3 bucket even if exist the tag on the S3 Bucket. I wonder if AWS support this action defined by specific tag. In that case, could anyone help me how to do it?

Thank you

CodePudding user response:

Sadly, its not possible. IAM policies based on tags are only supported for objects, not buckets. From docs:

Amazon S3 supports tag-based authorization for only object resources.

You would have to re-write your policy to only deal with objects, not the bucket itself.

Page link:https//www.codepudding.com/other/236741.html

Prev:How to fix TypeError: order must be str, not int
Next:Is there a way to set up AWS Kinesis Firehose to write one record per S3 object?
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding