ECS: IAM Policy Limitation for setting S3 Object Lock Modes

Summary: This article explains why IAM policies cannot be used to set S3 object lock mode in default object lock configuration and provides possible methods for mitigating this limitation within AWS and ECS environments. ...


Symptoms

  • An IAM policy created to prevent users from selecting a specific S3 Object Lock mode does not work as expected.
  • Despite the policy, users can still enable modes such as Compliance Mode via PutBucketObjectLockConfiguration.
  • IAM policy conditions do not evaluate the mode transmitted in the request body.

Cause

The AWS action PutBucketObjectLockConfiguration does not support condition keys such as s3:object-lock-mode, which would otherwise allow a policy to control which default retention mode (for example, Compliance Mode) can be set. Because the Object Lock mode is carried in the body of the API request rather than in a header or query parameter that IAM evaluates, IAM policies cannot inspect or block it.

Example:
This policy statement is intended to restrict the s3:PutBucketObjectLockConfiguration action so that only the GOVERNANCE mode is allowed. It demonstrates the limitation: the policy does not prevent other modes (for example, COMPLIANCE) because s3:object-lock-mode is not evaluated for this action.

    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectRetention",
        "s3:PutBucketObjectLockConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::objlock_new_bkt/*",
        "arn:aws:s3:::objlock_new_bkt"
      ],
      "Condition": {
        "StringEquals": {
          "s3:object-lock-mode": "GOVERNANCE"
        }
      }
    }

Despite the condition allowing only GOVERNANCE, the policy cannot prevent the use of COMPLIANCE mode because of how AWS IAM evaluates this action. As stated in the AWS S3 Authorization Reference, s3:object-lock-mode is not a condition key checked for PutBucketObjectLockConfiguration.

Note: This limitation originates from the AWS implementation, which ECS inherits.


Resolution

This behavior aligns with AWS's current implementation. The following approaches can be used to restrict bucket configuration to a specific S3 Object Lock mode. As ECS is functioning as designed, the implementation of these methods should be managed by the ECS or application administrator.

  • Restrict API Access:

    • Block the PutBucketObjectLockConfiguration action entirely and configure Object Lock through a controlled interface like a custom portal that validates the requests before passing them to the ECS REST API.
    • Details on the REST API for ECS can be found here.
  • Load Balancer Inspection:

    • Inspect and block requests whose body contains the COMPLIANCE mode at the load balancer level. Because the body is encrypted in transit, this requires HTTPS termination at the load balancer and load balancer support for request body (Layer 7) inspection.
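The check that both approaches above depend on (and that IAM cannot perform, as the Cause section explains) is a body inspection: identify a PutBucketObjectLockConfiguration request, parse the ObjectLockConfiguration XML it carries, and refuse to forward it when the default retention Mode is not on an allow list. The following Python is an added example written for this article; it is not ECS, Dell, or AWS code. It assumes the standard S3 request shape (a PUT on the bucket with the object-lock subresource and an ObjectLockConfiguration XML body), and the sample bodies are constructed for the example rather than captured from a real system. The allow list is taken from the GOVERNANCE intent of the IAM policy shown earlier.

```python
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs

# Hypothetical gateway check (added example, not ECS or AWS code).
# It models what a validating portal or an inspecting load balancer would do:
# read the request body that IAM never evaluates and decide before forwarding.

ALLOWED_MODES = {"GOVERNANCE"}  # policy intent from the article's IAM example


def _local(tag: str) -> str:
    """Strip the S3 XML namespace so bodies that omit xmlns are handled too."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def _find_mode(root: ET.Element) -> Optional[str]:
    """Return the <Mode> text found anywhere under root, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == "Mode":
            return (el.text or "").strip().upper()
    return None


def is_object_lock_config_request(method: str, query_string: str) -> bool:
    """PutBucketObjectLockConfiguration is a PUT carrying the 'object-lock' subresource."""
    params = parse_qs(query_string, keep_blank_values=True)
    return method.upper() == "PUT" and "object-lock" in params


def evaluate_object_lock_body(body: bytes, allowed_modes=ALLOWED_MODES) -> tuple[bool, str]:
    """Decide whether an ObjectLockConfiguration body may be forwarded.

    Returns (allowed, reason). Fails closed on XML that cannot be parsed.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, f"deny: malformed XML ({exc})"
    if _local(root.tag) != "ObjectLockConfiguration":
        return False, f"deny: unexpected root element {_local(root.tag)!r}"
    mode = _find_mode(root)
    if mode is None:
        # Enabling Object Lock without a default retention rule sets no mode at all.
        return True, "allow: no default retention mode in body"
    if mode in allowed_modes:
        return True, f"allow: mode {mode}"
    return False, f"deny: mode {mode} not in {sorted(allowed_modes)}"


def gateway_decision(method: str, query_string: str, body: bytes) -> tuple[bool, str]:
    """Combined check a validating front end would run before forwarding to ECS."""
    if not is_object_lock_config_request(method, query_string):
        return True, "allow: not a PutBucketObjectLockConfiguration request"
    return evaluate_object_lock_body(body)


# Constructed sample bodies for the example (not captured traffic).
COMPLIANCE_BODY = b"""<ObjectLockConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <ObjectLockEnabled>Enabled</ObjectLockEnabled>
  <Rule><DefaultRetention><Mode>COMPLIANCE</Mode><Days>30</Days></DefaultRetention></Rule>
</ObjectLockConfiguration>"""

GOVERNANCE_BODY = b"""<ObjectLockConfiguration>
  <ObjectLockEnabled>Enabled</ObjectLockEnabled>
  <Rule><DefaultRetention><Mode>GOVERNANCE</Mode><Years>1</Years></DefaultRetention></Rule>
</ObjectLockConfiguration>"""

if __name__ == "__main__":
    for name, body in (("compliance", COMPLIANCE_BODY), ("governance", GOVERNANCE_BODY)):
        print(name, gateway_decision("PUT", "object-lock", body))
```

The decision fails closed on unparseable XML and on an unexpected root element, since a body the gateway cannot interpret should not reach the storage endpoint. A body that enables Object Lock but carries no Rule sets no default mode and is allowed; tighten that branch if your deployment requires every bucket to declare a default retention mode.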

Affected Products

ECS, ECS Appliance, ECS Appliance Gen 2, ECS Appliance Gen 3

Products

ECS Appliance Hardware Gen3 EX5000, ECS Appliance Hardware Gen3 EX300, ECS Appliance Hardware Gen3 EX3000, ECS Appliance Hardware Gen2 U-Series, ECS Appliance Hardware Gen3 EX500, ECS Appliance Hardware Gen3 EXF900, ECS Appliance Hardware Series , ECS Appliance Software with Encryption, ECS Appliance Software without Encryption ...
Article Properties
Article Number: 000253587
Article Type: Solution
Last Modified: 28 Nov 2024
Version:  1