aws-s3: option for Bucket.grantDelete to not grant s3:DeleteObjectVersion

[plumdog]

Describe the feature

Allow an easy way of granting an identity permission to modify the contents of a versioned bucket, but not delete versions.

Use Case

I want to be able to grant applications permissions to modify objects in a bucket as they need to, but want be sure that they won't permanently delete data. Enabling versioning on the bucket allows this, but if the applications are granted s3:DeleteObjectVersion then a bug or compromise of that application could still delete all data from the bucket including previous versions.

I think this one of the natural uses of S3 versioning, and so the CDK making it easy to grant a suitable set of permissions for this would be helpful.

Proposed Solution

Perhaps add an option like exceptVersions: boolean to Bucket.grantDelete. Or maybe add a new method.

Other Information

There might already be an easy way to do this with the other Bucket.grant* methods, eg with Bucket.grantWrite and passing some values from https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-s3/lib/perms.ts as the third argument.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.171.1

Environment details (OS name and version, etc.)

n/a

[khushail]

Hi @plumdog , thanks for reaching out. just curious to understand your usecase, wouldn't it be feasbile using granting write access so user can modify the objects -Bucket.grant* and denying the access like this -

{
      "Sid": "statement2",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/abcd"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket1",
	    "arn:aws:s3:::amzn-s3-demo-bucket1/*"
      ]
    }

Please feel free to correct me if this understanding is wrong.

[plumdog]

Hi @khushail, in principle I think there could be a way to add a deny for s3:DeleteObjectVersion, though it is perhaps simplest to just not grant the permission at all, rather than grant it and then also deny it. And I don't see any methods like Bucket.deny*` that would do this easily in CDK. Are you able to show how this could be done using CDK?

Regarding your example, I think I would still need for applications to have s3:DeleteObject as I just want to ensure they are not able to permanently delete data from the bucket, they should still be able to create delete markers. And it doesn't look like any of the Bucket.grant* methods grant s3:PutLifecycleConfiguration anyway, so I don't think that would need to be denied.

Ideally, I would identify a simple way of achieving this that I can advertise internally as the correct way of granting applications access to manage data within buckets. And so something like:

always enable bucket versioning and grant applications permissions using myBucket.grantReadWrite(myRole, ['*'], { exceptVersions: true })

would work for this. Something requiring developers to add a policy would introduce more room for error which I would like to avoid if possible.

[khushail]

Thanks for getting back and explaining your point of view in this context @plumdog . I totally understand your point when assigning the access and then denying it would be extra hassle and would leave markers and chance of error as well. Since there is no policy as Bucket.Deny*, IMO , your suggestion to exclude versioned buckets is more appealing and makes sense. Marking it as P2 as this is a good to have feature and P2 would mean it won't be immediately addressed by the team however it would be on their radar and also contributions from the community are welcome in this regard.