15

I'm developing a mobile application which will let anyone upload a file to an S3 bucket. I think I'll use the Anonymous Token Vending Machine that is provided by Amazon.

However, I can't see how to write a TokenVendingMachinePolicy.json file that will only allow uploading new files, not overwriting (effectively deleting). I thought allowing just s3:PutObject would be fine, but it appears the s3:PutObject permission allows both. This seems a bit strange, since there's a separate s3:DeleteObject permission, which is useless, since you can just overwrite with 0-length object anyway.

Is there any way to only allow uploading new files? How is this problem usually solved?

houbysoft
  • 31,018
  • 23
  • 95
  • 154
  • 1
    Did you find a solution to this? – davidtgq Jun 11 '16 at 03:19
  • 3
    I have this same question now... if uploads go directly from client browser to S3 bucket using a pre-signed URL, then it's theoretically possible for a user to delete the files of another user just by having the key (which is publicly available) of the file they want to "delete". – davidtgq Jun 11 '16 at 03:25

1 Answers1

5

Unfortunately it's not possible to have a write-once permission. A workaround would be to use versioning on your bucket.

See this answer to a similar question that explains it in detail:

Amazon S3 ACL for read-only and write-once access

Community
  • 1
  • 1
dcro
  • 12,777
  • 4
  • 64
  • 74