Certified Security - Specialty


S3 bucket policy for object level permission!

As per my understanding, an S3 bucket policy can easily be used to manage object-level permissions as well.

To test this I followed the following steps:

I created 2 users

1. S3AdminUser with AmazonS3FullAccess policy

2. S3ReadOnlyUser with AmazonS3ReadOnlyAccess policy

Then, using my root account, I uploaded a text file hello.txt to my bucket.

Now I wanted to create a bucket policy for hello.txt without ACL and test if I can use bucket policy for object level permission.

I opened policy generator and saw this instruction for ARN: arn:aws:s3:::/key_name

As per my understanding, an S3 bucket contains key-value pairs where the key name is the filename and the value is the file itself.

So I created a policy to deny deletion of hello.txt for my S3AdminUser and allow deletion of hello.txt for my S3ReadOnlyUser.

```json
{
  "Id": "Policy1541354854702",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1541354815037",
      "Action": [
        "s3:DeleteObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::mybucket/hello.txt",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_number:user/S3AdminUser"
        ]
      }
    },
    {
      "Sid": "Stmt1541354841909",
      "Action": [
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/hello.txt",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account_number:user/S3ReadOnlyUser"
        ]
      }
    }
  ]
}
```

As expected, with admin user I was not able to delete the hello.txt file.

But with read only user I was able to delete the hello.txt file.

So it looks like a bucket policy allows object-level permissions as well.

But this lesson says that for object-level permissions an ACL is the only way.

I believe this lesson needs updates.
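The two results in the post follow from how IAM evaluates same-account requests: an explicit Deny in any applicable policy wins over every Allow, and within one account an Allow in either the identity policy or the bucket policy is enough on its own. The simulator below is an added example, not code from the post or from AWS; it hard-codes simplified, constructed stand-ins for the two managed policies (only the actions that matter here), the bucket policy from the post with a placeholder account id, and ignores conditions, SCPs, permission boundaries and cross-account rules.

```python
import fnmatch

# Constructed, simplified stand-ins for AmazonS3FullAccess and AmazonS3ReadOnlyAccess.
IDENTITY_POLICIES = {
    "S3AdminUser": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}],
    "S3ReadOnlyUser": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                        "Resource": ["*"]}],
}

ACCOUNT = "123456789012"  # placeholder account id, not a real one

# The bucket policy from the post, reduced to the fields the evaluator needs.
BUCKET_POLICY = [
    {"Effect": "Deny", "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::mybucket/hello.txt"],
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/S3AdminUser"]}},
    {"Effect": "Allow", "Action": ["s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::mybucket/hello.txt"],
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/S3ReadOnlyUser"]}},
]


def _applies(stmt, action, resource, principal_arn=None):
    """True if the statement covers this action and resource.

    For bucket (resource-based) policy statements the caller passes the
    requester's ARN, which must be listed under Principal as well."""
    if principal_arn is not None and principal_arn not in stmt["Principal"]["AWS"]:
        return False
    action_hit = any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
    resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"])
    return action_hit and resource_hit


def evaluate(user, action, resource):
    """Simplified same-account evaluation: explicit Deny > any Allow > implicit deny."""
    principal_arn = f"arn:aws:iam::{ACCOUNT}:user/{user}"
    effects = [s["Effect"] for s in IDENTITY_POLICIES[user]
               if _applies(s, action, resource)]
    effects += [s["Effect"] for s in BUCKET_POLICY
                if _applies(s, action, resource, principal_arn)]
    if "Deny" in effects:
        return "Deny"          # the bucket policy's Deny beats s3:* in the identity policy
    if "Allow" in effects:
        return "Allow"         # an Allow from either policy suffices within one account
    return "ImplicitDeny"      # nothing matched, so the request is refused


if __name__ == "__main__":
    for user in IDENTITY_POLICIES:
        print(user, evaluate(user, "s3:DeleteObject", "arn:aws:s3:::mybucket/hello.txt"))
```

The per-object Allow is scoped to hello.txt, so the read-only user still cannot delete any other key in the bucket; the Deny is the part worth auditing, since it silently overrides an administrator's full-access policy.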

benlecoq

I agree with you. I tested what you said above.

0 Answers
