Preventing Deletion of an Amazon S3 Bucket Using a Resource-Based Policy

30 minutes
  • 3 Learning Objectives

About this Hands-on Lab

In this hands-on lab, you are a software engineer working for a new startup that is launching an online bookstore for rare and antique books. The founder, Kia, needs your help with protecting her data. Since her technical lead is out sick, she's calling on you for assistance. To protect the book data stored in S3, you will write a bucket policy (an S3 resource-based policy, expressed in the AWS Identity & Access Management (IAM) policy language) that denies the s3:DeleteBucket action to every principal, and attach it to the bucket so the bucket cannot be deleted while the policy is in place.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Use the AWS Policy Generator to Generate a Resource Policy
  1. Navigate to AWS Policy Generator.
    1. Set the following values:
      • Select Type of Policy: S3 Bucket Policy
      • Effect: Deny
      • Principal: *
      • AWS Service: Amazon S3
      • Actions: DeleteBucket
      • Amazon Resource Name (ARN): *
    2. Click Add Statement.
    3. Click Generate Policy.
    4. Copy the newly generated policy JSON document to the clipboard.
Attach a Resource Policy to an S3 Bucket
  1. Navigate back to the AWS Management Console.
  2. Navigate to S3.
  3. There should be an existing bucket. Click on the bucket name.
  4. Click the Permissions tab.
  5. Scroll down to the Bucket policy section and click Edit.
  6. Paste the previously generated policy in the Policy section.
  7. Copy the Bucket ARN.
  8. In the bucket policy, locate the "Resource" element (line 11 of the generated JSON) and replace * with the copied Bucket ARN. A bucket policy's Resource must name the bucket it is attached to; S3 rejects the policy otherwise.
  9. Click Save changes.
Test the Resource Policy
  1. Navigate back to S3.
  2. Click on the bucket name.
  3. Click Delete.
  4. In the Delete bucket section, copy the bucket name and paste it in the confirm deletion field.
  5. Click Delete bucket. (NOTE: You will encounter a permission denied message. The explicit Deny in the bucket policy overrides any Allow in your identity policies, and because the Principal is *, it applies to every caller, including the account's root user. The bucket is not locked permanently, though: a principal who is allowed s3:PutBucketPolicy or s3:DeleteBucketPolicy on the bucket can remove the Deny statement and then delete the bucket, so restrict who can edit bucket policies.)
  6. Click Create bucket.
  7. Set Bucket name to "mytestforacg". (Bucket names are globally unique across all AWS accounts, so if that name is already taken, pick another and use it in the following steps.)
  8. Click Create bucket.
  9. Select the newly created bucket mytestforacg and click Delete.
  10. In the Delete bucket section, enter the bucket name, mytestforacg, and click Delete bucket. (NOTE: This bucket should be successfully deleted. It carries no bucket policy, so the Deny you attached to the other bucket does not apply, and your identity permissions allow the deletion.)
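The three objectives above, replayed as an added Python example that is not part of the lab: it builds the policy document the generator produces with the Resource already filled in, runs a simplified form of the IAM decision logic (a matching explicit Deny wins; a bucket policy that matches nothing leaves the call to the caller's identity policies) over the two deletions from the Test section, and shows the one action the policy leaves untouched, s3:DeleteBucketPolicy. The bucket name kia-rare-books, the caller ARNs, the account ID and the Id/Sid strings are constructed for the example; apply_with_boto3 assumes boto3 is installed and credentials for the lab account are configured.

```python
import json
from fnmatch import fnmatchcase


def deny_delete_bucket_policy(bucket_arn):
    """The statement the AWS Policy Generator emits for the lab's settings
    (Effect Deny, Principal *, Action DeleteBucket), with Resource already
    replaced by the bucket's ARN as in step 8 of "Attach a Resource Policy".
    The Id and Sid strings are placeholders, not the generator's output."""
    return {
        "Version": "2012-10-17",
        "Id": "DenyBucketDeletion",
        "Statement": [
            {
                "Sid": "DenyDeleteBucket",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:DeleteBucket",
                "Resource": bucket_arn,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "*" means every principal, including the account's root user.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(fnmatchcase(caller_arn, p) for p in _as_list(principal.get("AWS", [])))
    return False


def bucket_policy_decision(policy, caller_arn, action, resource_arn):
    """Simplified IAM evaluation of a single bucket policy.

    Returns "Deny" if any matching statement is an explicit Deny (an explicit
    Deny overrides every Allow, wherever that Allow lives), "Allow" if only
    Allow statements match, and None if nothing matches, in which case the
    bucket policy is silent and the caller's identity policies decide.
    Condition, NotAction and NotResource are not modelled."""
    decision = None
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        # Action names are case-insensitive and may contain wildcards.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed names for the walkthrough; the lab does not give its bucket name.
PROTECTED_BUCKET = "arn:aws:s3:::kia-rare-books"
TEST_BUCKET = "arn:aws:s3:::mytestforacg"
LAB_USER = "arn:aws:iam::123456789012:user/cloud_user"
ROOT_USER = "arn:aws:iam::123456789012:root"


def lab_results():
    """Replays the Test section against the generated policy."""
    policy = deny_delete_bucket_policy(PROTECTED_BUCKET)
    return {
        # Step 5: deleting the protected bucket is blocked by the explicit Deny.
        "delete_protected": bucket_policy_decision(policy, LAB_USER, "s3:DeleteBucket", PROTECTED_BUCKET),
        # Principal "*" catches the root user as well.
        "delete_protected_as_root": bucket_policy_decision(policy, ROOT_USER, "s3:DeleteBucket", PROTECTED_BUCKET),
        # Step 10: the policy says nothing about mytestforacg, so the lab user's
        # identity permissions apply and the deletion succeeds.
        "delete_test_bucket": bucket_policy_decision(policy, LAB_USER, "s3:DeleteBucket", TEST_BUCKET),
        # The caveat: the policy does not deny removing the policy itself.
        "remove_policy": bucket_policy_decision(policy, LAB_USER, "s3:DeleteBucketPolicy", PROTECTED_BUCKET),
    }


def apply_with_boto3(bucket_name, region="us-east-1"):
    """Attach the policy with the SDK instead of the console. Assumes boto3 is
    installed and credentials for the lab account are configured."""
    import boto3  # imported here so the rest of the file runs without it

    s3 = boto3.client("s3", region_name=region)
    document = deny_delete_bucket_policy(f"arn:aws:s3:::{bucket_name}")
    s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(document))


if __name__ == "__main__":
    print(json.dumps(deny_delete_bucket_policy(PROTECTED_BUCKET), indent=2))
    for check, result in lab_results().items():
        print(f"{check}: {result}")
```

Running the file prints the policy JSON you would paste into the console and the four decisions: "Deny" for both attempts on the protected bucket, and None (policy silent) for the test bucket and for s3:DeleteBucketPolicy. That last None is the practical limit of this control: it stops accidental deletion, not an administrator who can rewrite the policy first.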

Additional Resources

Make sure you are using the US-EAST-1 region.
