Menu
I'm developing a mobile application which will let anyone upload a file to an S3 bucket. I think I'll use the Anonymous Token Vending Machine that is provided by Amazon.
However, I can't see how to write a TokenVendingMachinePolicy.json file that will only allow uploading new files, not overwriting (effectively deleting). I thought allowing just s3:PutObject would be fine, but it appears the s3:PutObject permission allows both. This seems a bit strange, since there's a separate s3:DeleteObject permission, which is useless, since you can just overwrite with 0-length object anyway.
Is there any way to only allow uploading new files? How is this problem usually solved?
281
With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
By default, when you upload the file with same name. It will overwrite the existing file. In case you want to have the previous file available, you need to enable versioning in the bucket.
It only copies files that have been added or changed since the last sync. It is designed as a one-way sync, not a two-way sync. Your file is being overwritten because the file in the Source is not present in the Destination. This is correct behavior.
If you pass the same key to upload a file, it is replaced, unless versioning is on. S3 supports versioning. This means that when you upload to the same key twice, two versions of the file are stored. Note that if you upload the exact same file twice, you get to pay for two identical copies of the same file on S3.
Unfortunately it's not possible to have a write-once permission. A workaround would be to use versioning on your bucket.
See this answer to a similar question that explains it in detail:
Amazon S3 ACL for read-only and write-once access
144
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
