Revision history

initial version

To set a deny policy on PutObject for only files that already exist in an S3 bucket, you can use a bucket policy with a condition that checks for object existence using the key name. Here's an example policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPutForExistingObjects",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
            "Condition": {
                "StringEqualsIfExists": {
                    "s3:ExistingObjectTag/Key": "true"
                }
            }
        }
    ]
}

This policy denies the PutObject action if the object already exists in the bucket by checking the value of the s3:ExistingObjectTag/Key tag. If the tag exists and its value is "true", the PutObject action is denied.

To apply this policy, you can use the AWS Management Console, the AWS CLI, or the SDKs. Make sure to replace "bucket-name" with the name of your S3 bucket.
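An added example, not part of the original answer, showing one way to apply the policy above from Python: it renders the statement for a given bucket name and sends it with the S3 client's put_bucket_policy call. The client is passed in so the function can be exercised offline with a stand-in object; the bucket name "example-bucket" used in the usage call is a constructed placeholder.

```python
import json


def build_deny_existing_put_policy(bucket_name: str) -> dict:
    """Render the answer's bucket policy with the real bucket name substituted.

    The statement is reproduced as given in the answer above; only the
    "bucket-name" placeholder in the Resource ARN is replaced.
    """
    if not bucket_name or "/" in bucket_name:
        raise ValueError("bucket_name must be a bare bucket name")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPutForExistingObjects",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {
                    "StringEqualsIfExists": {
                        "s3:ExistingObjectTag/Key": "true"
                    }
                },
            }
        ],
    }


def apply_policy(bucket_name: str, s3_client) -> str:
    """Serialise the policy and attach it to the bucket.

    s3_client is any object exposing put_bucket_policy(Bucket=..., Policy=...),
    e.g. boto3.client("s3") in a real run. The JSON document that was sent is
    returned so callers can log or inspect it.
    """
    policy_json = json.dumps(build_deny_existing_put_policy(bucket_name))
    s3_client.put_bucket_policy(Bucket=bucket_name, Policy=policy_json)
    return policy_json


if __name__ == "__main__":
    # Hypothetical stand-in client so the script runs without AWS credentials.
    class _PrintingClient:
        def put_bucket_policy(self, Bucket, Policy):
            print(f"put_bucket_policy on {Bucket}:\n{Policy}")

    apply_policy("example-bucket", _PrintingClient())
```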