I am trying to add a bucket policy that prevents deletion of the bucket and also prevents deletion of the objects in it.
The following bucket policy is rejected with the error
'Action does not apply to any resource(s) in statement'
{
  "Id": "Policy1527043264306",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1527043262106",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy",
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::prabhath-delete1",
      "Principal": {
        "AWS": [
          "XXXXXXXX"
        ]
      }
    }
  ]
}
We will discuss what caused the issue and how to resolve it.
Reason:
S3 checks every action in a statement against that statement's Resource, and rejects the policy if any action cannot apply to at least one of the listed ARNs.
The following actions apply at the bucket level only, so for them Resource must be the bucket ARN, e.g. arn:aws:s3:::prabhath-delete-test
s3:DeleteBucket
s3:DeleteBucketPolicy
The following action applies at the object level, so for it Resource must be the object ARN pattern, e.g. arn:aws:s3:::prabhath-delete-test/*
s3:DeleteObject
The statement above names only the bucket ARN, so s3:DeleteObject matches no resource and the whole policy is rejected. Note that in a bucket with versioning enabled, removing an object version is a separate action, s3:DeleteObjectVersion, which also takes the object ARN pattern.
Solution:
You need to create two statements to cater for the two kinds of actions, as mentioned below (listing both the bucket ARN and the object ARN pattern in a single statement's Resource is also accepted, but separate statements keep the scope of each action explicit):
One statement defines the following, with Resource set to the bucket ARN
- s3:DeleteBucket
- s3:DeleteBucketPolicy
Another statement defines the following, with Resource set to the object ARN pattern
- s3:DeleteObject
The Principal arn:aws:iam::XXXXXXX:root in a bucket policy covers every identity in that account, so the Deny applies to the account's IAM users and roles. The root user of the account that owns the bucket can always delete or replace the bucket policy even when the policy explicitly denies it, so this is a guard against mistakes and over-broad credentials, not a control that binds the account owner.
Correct version of bucket policy looks like below:
{
  "Version": "2012-10-17",
  "Id": "Policy1526996283460",
  "Statement": [
    {
      "Sid": "Stmt1526996142070",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXX:root"
      },
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": "arn:aws:s3:::prabhath-delete-test"
    },
    {
      "Sid": "Stmt1526996279916",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXX:root"
      },
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::prabhath-delete-test/*"
    }
  ]
}
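To make the bucket-level versus object-level rule concrete, here is an added example in Python. It is not part of the original post and not an AWS tool: it reproduces offline the check S3 performs when it reports 'Action does not apply to any resource(s) in statement', runs it against the rejected policy from this page, and rewrites the mixed statement into the two statements shown above. The ACTION_LEVEL table, the -bucket and -object Sid suffixes and the placeholder account ID are the example's own assumptions.

```python
import copy

# Resource level each S3 action operates on. This table is the example's own
# assumption: it covers the actions discussed on the page plus a few common
# ones and is not a complete AWS-published list.
ACTION_LEVEL = {
    "s3:DeleteBucket": "bucket",
    "s3:DeleteBucketPolicy": "bucket",
    "s3:PutBucketPolicy": "bucket",
    "s3:DeleteObject": "object",
    "s3:DeleteObjectVersion": "object",
    "s3:GetObject": "object",
}

S3_ARN_PREFIX = "arn:aws:s3:::"

# The rejected policy from the page, account ID left as a placeholder.
BROKEN_POLICY = {
    "Id": "Policy1527043264306",
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1527043262106",
        "Action": ["s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteObject"],
        "Effect": "Deny",
        "Resource": "arn:aws:s3:::prabhath-delete1",
        "Principal": {"AWS": ["XXXXXXXX"]},
    }],
}


def as_list(value):
    """Action and Resource may be a string or a list in policy JSON; normalise to a list."""
    return value if isinstance(value, list) else [value]


def resource_level(arn):
    """'bucket' for arn:aws:s3:::name, 'object' for arn:aws:s3:::name/key-or-wildcard."""
    if not arn.startswith(S3_ARN_PREFIX):
        raise ValueError(f"not an S3 ARN: {arn}")
    return "object" if "/" in arn[len(S3_ARN_PREFIX):] else "bucket"


def find_dangling_actions(policy):
    """Return (Sid, action) pairs for actions that apply to none of their statement's
    Resource ARNs, i.e. the condition S3 rejects with
    'Action does not apply to any resource(s) in statement'. Unknown actions are skipped."""
    problems = []
    for stmt in policy["Statement"]:
        levels = {resource_level(r) for r in as_list(stmt["Resource"])}
        for action in as_list(stmt["Action"]):
            needed = ACTION_LEVEL.get(action)
            if needed is not None and needed not in levels:
                problems.append((stmt.get("Sid", ""), action))
    return problems


def split_mixed_statements(policy):
    """Return a copy of the policy in which a statement whose actions need a resource
    level its Resource does not name is split into one statement per level. The
    missing ARN is derived from the one present (name -> name/*, name/* -> name)."""
    fixed = copy.deepcopy(policy)
    rewritten = []
    for stmt in fixed["Statement"]:
        resources = as_list(stmt["Resource"])
        present = {resource_level(r) for r in resources}
        by_level = {"bucket": [], "object": [], None: []}
        for action in as_list(stmt["Action"]):
            by_level[ACTION_LEVEL.get(action)].append(action)
        if all(not by_level[lvl] or lvl in present for lvl in ("bucket", "object")):
            rewritten.append(stmt)  # nothing dangling: keep the statement as written
            continue
        buckets = [r for r in resources if resource_level(r) == "bucket"]
        objects = [r for r in resources if resource_level(r) == "object"]
        if not objects:
            objects = [b + "/*" for b in buckets]
        if not buckets:
            buckets = sorted({o.split("/", 1)[0] for o in objects})
        for level, arns in (("bucket", buckets), ("object", objects)):
            if not by_level[level]:
                continue
            part = copy.deepcopy(stmt)
            part["Action"] = by_level[level]
            part["Resource"] = arns[0] if len(arns) == 1 else arns
            if "Sid" in part:
                part["Sid"] = f"{part['Sid']}-{level}"  # keep Sids unique in the policy
            rewritten.append(part)
        if by_level[None]:  # actions we cannot classify keep the original Resource
            rest = copy.deepcopy(stmt)
            rest["Action"] = by_level[None]
            rewritten.append(rest)
    fixed["Statement"] = rewritten
    return fixed


if __name__ == "__main__":
    import json
    print("dangling:", find_dangling_actions(BROKEN_POLICY))
    fixed = split_mixed_statements(BROKEN_POLICY)
    print(json.dumps(fixed, indent=2), "\ndangling after split:", find_dangling_actions(fixed))
```

Run it and the first line reports s3:DeleteObject as the dangling action in Stmt1527043262106; the rewritten policy carries the two Deny statements, one on the bucket ARN and one on the bucket ARN followed by /*, and the check on it comes back empty. The validator only knows the actions in its table, so extend ACTION_LEVEL before relying on it for other policies.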