ECS-noob · 1 Rookie · 5 Posts · 1 · March 4th, 2025 09:50
We've come pretty far with something like this as a base policy. Maybe you can edit it to your own needs.
But as I said, it is not possible to make sure a user can create buckets but not object lock buckets at the same time. But if the user cannot create buckets (and cannot change the OL mode for existing ones), you can control things like this.
This example is a policy that allows GOVERNANCE mode (and no object lock) but not COMPLIANCE.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "s3:*",
      "Condition": {
        "StringNotEqualsIgnoreCase": {
          "s3:object-lock-mode": "COMPLIANCE"
        }
      },
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Effect": "Allow",
      "Sid": "policy-gen"
    },
    {
      "Action": [
        "s3:BypassGovernanceRetention"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ],
      "Effect": "Deny",
      "Sid": "policy-gen"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:ListBucketVersions",
        "s3:GetBucketVersioning",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutObject",
        "s3:PutObjectRetention",
        "s3:PutObjectLegalHold",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}
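As an added example (not part of the thread and not ECS's own code), the script below runs the policy above through a small evaluator that follows the AWS IAM decision rules: an explicit Deny wins, otherwise any matching Allow grants, otherwise the request is implicitly denied, and StringNotEqualsIgnoreCase evaluates to true when the condition key is absent from the request, which is what lets uploads with no object lock through. It also shows the check a practitioner would want to make before relying on the condition: an Allow whose condition fails grants nothing, but it does not block the action, so under these rules the unconditional s3:PutObjectRetention in VisualEditor0 still grants COMPLIANCE retention, while an explicit Deny keyed on s3:object-lock-mode does block it. The evaluator is an approximation of AWS semantics written for this example; that ECS evaluates policies the same way, the added DenyComplianceLock statement, and the object key report.pdf are assumptions. The VisualEditor0 action list is shortened to the entries relevant here.

```python
import fnmatch

BUCKET_ARNS = ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]

# The policy from the post above (VisualEditor0 trimmed to the relevant actions).
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "policy-gen", "Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARNS,
         "Condition": {"StringNotEqualsIgnoreCase": {"s3:object-lock-mode": "COMPLIANCE"}}},
        {"Sid": "policy-gen", "Effect": "Deny", "Action": ["s3:BypassGovernanceRetention"],
         "Resource": BUCKET_ARNS},
        {"Sid": "VisualEditor0", "Effect": "Allow", "Resource": BUCKET_ARNS,
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:PutObjectRetention",
                    "s3:PutObjectLegalHold", "s3:GetObjectRetention", "s3:DeleteObject"]},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
         "Resource": "*"},
    ],
}

# Assumed hardening: an explicit Deny that fires whenever a request carries
# a COMPLIANCE retention mode, regardless of which Allow would otherwise match.
DENY_COMPLIANCE = {
    "Sid": "DenyComplianceLock", "Effect": "Deny",
    "Action": ["s3:PutObject", "s3:PutObjectRetention"], "Resource": BUCKET_ARNS,
    "Condition": {"StringEqualsIgnoreCase": {"s3:object-lock-mode": "COMPLIANCE"}},
}
HARDENED_POLICY = {"Version": "2012-10-17",
                   "Statement": POSTED_POLICY["Statement"] + [DENY_COMPLIANCE]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate the two string operators used here with AWS missing-key semantics."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [v.lower() for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEqualsIgnoreCase":
                # Positive operator: a missing key can never equal the value.
                if actual is None or actual.lower() not in wanted:
                    return False
            elif operator == "StringNotEqualsIgnoreCase":
                # Negated operator: a missing key is "not equal", so it matches.
                if actual is not None and actual.lower() in wanted:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Actions match case-insensitively with '*' wildcards, resources match
    case-sensitively with '*' wildcards, and any matching Deny overrides
    every Allow no matter where it appears in the statement list.
    """
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket/report.pdf"  # constructed object ARN
    for name, policy in (("posted", POSTED_POLICY), ("hardened", HARDENED_POLICY)):
        for mode in ("COMPLIANCE", "GOVERNANCE", None):
            ctx = {"s3:object-lock-mode": mode} if mode else {}
            print(name, "PutObjectRetention", mode, "->",
                  evaluate(policy, "s3:PutObjectRetention", obj, ctx))
        print(name, "BypassGovernanceRetention ->",
              evaluate(policy, "s3:BypassGovernanceRetention", obj))
```

Running it prints Allow for COMPLIANCE under the posted policy and ExplicitDeny under the hardened one, with GOVERNANCE and lock-free requests allowed in both; that difference is the reason to express "not COMPLIANCE" as a Deny rather than as a condition on an Allow.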
ECS-noob · 1 Rookie · 5 Posts · 1 · February 28th, 2025 09:41
There is no way to limit this other than with deep packet inspection on a firewall. We've had this question a lot with our customers. To be more specific, I'd need to know if you are talking about bucket creation via the ECS management API or the S3 API?
Holmito · 1 Rookie · 5 Posts · 0 · February 28th, 2025 10:02
Hi,
thanks. We only let partners/customers use the S3 API, but in our portal we ourselves use the ECS management API for tasks like enabling the S3 service (creating a namespace). A customer cannot create a namespace by themselves with a random name.