Bug #37403
closed
Object can still be deleted even if s3:DeleteObject policy is set
0%
Description
For example, the testing bucket name is '111' and the bucket owner is em_test1.
[root@localhost ~]# s3cmd info s3://111
s3://111/ (bucket):
Location: default
Payer: BucketOwner
Expiration Rule: none
Policy: {"Version": "2012-10-17", "Statement": [{"Action": ["s3:PutObject", "s3:DeleteObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Deny", "Sid": "worm1"}, {"Action": ["s3:GetObject"], "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]}, "Resource": ["arn:aws:s3:::111/InterLeave"], "Effect": "Allow", "Sid": "worm2"}]}
CORS: none
ACL: em_test1: FULL_CONTROL
We can see that there is a related bucket policy set on bucket 111 which defines that the bucket owner em_test1 cannot overwrite (by PutObject) or delete (by DeleteObject) the InterLeave object in bucket 111.
[root@localhost ~]# s3cmd put InterLeave s3://111
upload: 'InterLeave' -> 's3://111/InterLeave' [1 of 1]
37072 of 37072 100% in 0s 3.75 MB/s done
ERROR: S3 error: 403 (AccessDenied)
[root@localhost ~]# s3cmd del s3://111/InterLeave
delete: 's3://111/InterLeave'
Then we really cannot overwrite the InterLeave object in bucket 111, but we can still delete it.
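The decisions the policy in this report should produce, as an added example that is not part of the original report and is not Ceph code. It is a simplified evaluator (exact string matching, no wildcards or conditions) applying the standard S3 rule that an explicit Deny overrides any Allow; the names `evaluate`, `expected_decisions` and the "Pass" result are hypothetical.

```python
import json

# Bucket policy copied from the `s3cmd info s3://111` output in the report.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Action": ["s3:PutObject", "s3:DeleteObject"],
   "Principal": {"AWS": ["arn:aws:iam:::user/em_test1"]},
   "Resource": ["arn:aws:s3:::111/InterLeave"],
   "Effect": "Deny", "Sid": "worm1"},
  {"Action": ["s3:GetObject"],
   "Principal": {"AWS": ["arn:aws:iam:::user/em_test2"]},
   "Resource": ["arn:aws:s3:::111/InterLeave"],
   "Effect": "Allow", "Sid": "worm2"}]}
""")

OWNER = "arn:aws:iam:::user/em_test1"
READER = "arn:aws:iam:::user/em_test2"
OBJ = "arn:aws:s3:::111/InterLeave"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, principal, action, resource):
    """Return "Deny", "Allow" or "Pass" (no statement matched, ACLs decide)."""
    decision = "Pass"
    for stmt in policy["Statement"]:
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if resource not in _as_list(stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny wins, even for the bucket owner
        decision = "Allow"
    return decision


def expected_decisions():
    """Decisions for the requests exercised in the report."""
    return {
        "put": evaluate(POLICY, OWNER, "s3:PutObject", OBJ),
        "del": evaluate(POLICY, OWNER, "s3:DeleteObject", OBJ),
        "get_reader": evaluate(POLICY, READER, "s3:GetObject", OBJ),
    }
```

Both `put` and `del` come out as "Deny" here, so the 403 on `s3cmd put` matches the policy while the successful `s3cmd del` does not.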
Updated by Matt Benjamin over 5 years ago
Updated by Ken Dreyer about 5 years ago
- Status changed from 17 to Pending Backport
- Backport set to mimic, luminous
Updated by Nathan Cutler about 5 years ago
- Copied to Backport #38192: mimic: Object can still be deleted even if s3:DeleteObject policy is set added
Updated by Nathan Cutler about 5 years ago
- Copied to Backport #38193: luminous: Object can still be deleted even if s3:DeleteObject policy is set added
Updated by Nathan Cutler about 5 years ago
- Status changed from Pending Backport to Resolved