
I need to configure my S3 bucket in a way that, when a user inserts a file into the bucket which already exists in the bucket, it blocks the user from inserting that file.

I thought of implementing an object lock with a retention policy on the bucket, but the object lock does not block the user from inserting the file, it only protects the existing file.

This is what AWS documentation says about the object lock.

If you put an object into a bucket that has the same key name as an existing protected object, Amazon S3 creates a new version of that object, stores it in the bucket as requested, and reports the request as completed successfully.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock.html

How can I block any kind of inserts/overwrites if a file with the same name already exists in the bucket?

user34534
    Versioning + Object Lock. – luk2302 Mar 13 '23 at 18:51
  • That was my initial thinking too. Thought of putting a retention policy on the bucket, however the lock will not prevent the file from being uploaded, it will only protect the existing file from being overwritten. In this case a new version of the file will be created in the bucket. What I am looking for is completely blocking the file from being uploaded as a new version or overwrite. – user34534 Mar 13 '23 at 19:29
  • How are they 'uploading' the file? Is it via a web page or via API calls? – John Rotenstein Mar 13 '23 at 23:19
  • Uploading from the pipeline during deployment. I have a step to upload it. – user34534 Mar 15 '23 at 12:26

2 Answers


The only ways I can think of are:

  1. Probably not a reasonable solution but: you could create an IAM policy that has a deny Effect for the s3:PutObject Action for the object(s) in question. Something like this...
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/object1",
        "arn:aws:s3:::bucket/object2"
      ]
    }
  ]
}

It's probably not reasonable because you would have to include every object in the bucket in the policy, and update it as objects are added.

  2. In the application tier. Check to see if the object exists and fail if it does. After a write, call to check if an "overwrite" has occurred (by checking versions) and roll back the version if it happened, and show the user an error message.
Steven Evers
  • Good point but this would require maintenance as the uploads are quite frequent and I have to update the policy for each object. – user34534 Mar 15 '23 at 12:30
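An added example, not code from the answer above or from AWS: the application-tier check from point 2 written in Python. It assumes a client with boto3's head_object/put_object method signatures (pass boto3.client("s3") in real use); FakeS3 and the _S3Error class are constructed stand-ins so the example runs offline. It also goes one step beyond the answer: with conditional=True the PUT carries If-None-Match: * (an S3 conditional write), so S3 itself rejects the request with 412 PreconditionFailed when the key already exists and there is no gap between the existence check and the write. The head-then-put path (conditional=False) is the sequence the answer describes and works on any SDK version, but two concurrent pipeline runs can both pass the HEAD check.

```python
"""Application-tier guard: refuse to upload an S3 object whose key already exists.

Added example (not from the original post). It assumes a client with boto3's
head_object/put_object signatures; FakeS3 below is a constructed in-memory
stand-in so the example runs offline. With a real client, pass
boto3.client("s3") in place of FakeS3().
"""


class ObjectAlreadyExists(Exception):
    """Raised instead of silently creating a new version of an existing key."""


def _error_info(err):
    """Pull (Code, HTTPStatusCode) out of a botocore-style ClientError."""
    response = getattr(err, "response", None) or {}
    code = response.get("Error", {}).get("Code")
    status = response.get("ResponseMetadata", {}).get("HTTPStatusCode")
    return code, status


def put_if_absent(client, bucket, key, body, conditional=True):
    """Write body to s3://bucket/key only if that key does not exist yet.

    conditional=True: PUT with If-None-Match: * (S3 conditional write). S3
    answers 412 PreconditionFailed if the key exists, so the check is atomic.
    conditional=False: head-then-put, the sequence from the answer above. Any
    SDK supports it, but concurrent uploaders can both pass the HEAD check.
    """
    if conditional:
        try:
            return client.put_object(Bucket=bucket, Key=key, Body=body, IfNoneMatch="*")
        except Exception as err:
            code, status = _error_info(err)
            if code == "PreconditionFailed" or status == 412:
                raise ObjectAlreadyExists(f"s3://{bucket}/{key} already exists") from err
            raise

    try:
        client.head_object(Bucket=bucket, Key=key)
    except Exception as err:
        code, status = _error_info(err)
        # A missing key only comes back as 404 when the caller has s3:ListBucket;
        # otherwise S3 returns 403. Anything but 404 is re-raised (fail closed)
        # rather than being taken as "absent".
        if code not in ("404", "NotFound", "NoSuchKey") and status != 404:
            raise
    else:
        raise ObjectAlreadyExists(f"s3://{bucket}/{key} already exists")
    return client.put_object(Bucket=bucket, Key=key, Body=body)


class _S3Error(Exception):
    """Minimal stand-in for botocore.exceptions.ClientError (constructed)."""

    def __init__(self, code, status):
        super().__init__(f"{status} {code}")
        self.response = {"Error": {"Code": code}, "ResponseMetadata": {"HTTPStatusCode": status}}


class FakeS3:
    """Constructed in-memory S3 client for offline demonstration only."""

    def __init__(self):
        self.objects = {}

    def head_object(self, *, Bucket, Key):
        if (Bucket, Key) not in self.objects:
            raise _S3Error("404", 404)
        return {"ContentLength": len(self.objects[(Bucket, Key)])}

    def put_object(self, *, Bucket, Key, Body, IfNoneMatch=None):
        # Mirror S3's conditional-write behaviour: If-None-Match: * on an
        # existing key is rejected with 412 instead of creating a new version.
        if IfNoneMatch == "*" and (Bucket, Key) in self.objects:
            raise _S3Error("PreconditionFailed", 412)
        self.objects[(Bucket, Key)] = Body
        return {"ETag": '"%d"' % len(Body)}


def demo(conditional=True):
    """Upload a sample artifact twice; return (first kept, second rejected)."""
    s3 = FakeS3()
    bucket, key = "deploy-artifacts", "app-1.0.0.zip"  # constructed sample names
    put_if_absent(s3, bucket, key, b"first build", conditional)
    try:
        put_if_absent(s3, bucket, key, b"second build", conditional)
        rejected = False
    except ObjectAlreadyExists:
        rejected = True
    return s3.objects[(bucket, key)] == b"first build", rejected


if __name__ == "__main__":
    print(demo(conditional=True))   # (True, True)
    print(demo(conditional=False))  # (True, True)
```

In a deployment step, let ObjectAlreadyExists fail the pipeline rather than catching it; that is the error the question asks for. Note that head_object on a missing key returns 403 instead of 404 when the pipeline role lacks s3:ListBucket on the bucket, which the non-conditional path treats as an error, not as "absent". The conditional path needs neither ListBucket nor the extra round trip.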

I did not try it myself but

  1. You can configure retention mode at bucket level with required retention period https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html#object-lock-retention-modes
  2. Forbid PutObject via bucket conditional policy using s3:object-lock-mode or s3:object-lock-remaining-retention-days conditions
Alexander Pavlov
  • This will put a retention policy on the created objects but won't prevent users from overwriting a file. Because versioning has to be enabled, if a user uploads a file with the same name the S3 bucket will create a new version of the same file and store both versions. – user34534 Mar 16 '23 at 14:58
  • @user34534 are you saying a `Deny` policy for `PutObject` will be ignored? – Alexander Pavlov Mar 16 '23 at 15:43
  • I think you are only mentioning a retention policy and not a Deny on PutObject, right? A retention policy is really only for how long the created objects cannot be updated, but it allows a new version to be uploaded. What I need is to prevent new versions from being uploaded as well, and in case of a new upload an error message should be returned. – user34534 Mar 17 '23 at 14:43
  • @user34534 see p2 in my answer. it is expected to work together with p1 – Alexander Pavlov Mar 17 '23 at 16:01
  • I guess setting retention policy for uploaded files + setting Deny on all existing files will prevent overwrites but allow new uploads, right? – user34534 Mar 19 '23 at 19:47
  • @user34534 that's my guess. As I said, I did not try – Alexander Pavlov Mar 19 '23 at 22:12