3 Ways to Protect S3 Data from Deletes and Overwrites
I was recently tasked with ensuring that objects could not be accidentally deleted or overwritten in an S3 bucket. In my scenario, the bucket stores deployment artifacts. A build pipeline uploads files to the bucket, and EC2 instances download those same files during bootstrap. This task proved a bit more challenging than I expected, so I’ll do a quick walkthrough of my experience and the options available.
IAM
I initially assumed I could handle this solely with IAM. Following the AWS-recommended principle of least privilege, I would deny access to the bucket except to the two clients and create a different IAM role for each. For the EC2 instances, I created a role that only allowed read access to objects in the bucket. This is the strictest possible read permission, as it doesn't even allow the client to list the contents of the bucket, only GetObject by key.
For the upload job, IAM was not enough. The role I created prevents deletes by only allowing ListBucket and PutObject permissions, but offers no solution for overwrites. Unfortunately…
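The two IAM policies described above, written out as an added example that is not from the original article. The bucket name and object key are constructed placeholders, and `is_allowed` is a simplified stand-in for IAM evaluation (explicit Deny wins, otherwise any matching Allow grants; Conditions are not modelled) that makes visible why the upload role still permits overwrites.

```python
"""Added example: the EC2 read-only role and the upload role from the text,
plus a minimal matcher that shows what each policy permits."""
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::artifact-bucket"      # constructed placeholder bucket
OBJECT_ARN = "arn:aws:s3:::artifact-bucket/*"    # every key inside that bucket

# EC2 bootstrap role: GetObject on object ARNs only. s3:ListBucket is granted
# on the bucket ARN itself, so this role cannot enumerate the bucket.
EC2_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [OBJECT_ARN]},
    ],
}

# Upload job role: no s3:DeleteObject, so deletes are refused. s3:PutObject,
# however, covers both creating a new key and overwriting an existing one;
# IAM has no separate action for "put only if absent".
UPLOAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET_ARN]},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [OBJECT_ARN]},
    ],
}


def is_allowed(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, any matching Allow grants,
    and the default is implicit deny. Wildcards in Action/Resource are honoured."""
    effects = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action.lower(), a.lower()) for a in actions) and \
           any(fnmatchcase(resource, r) for r in resources):
            effects.add(stmt["Effect"])
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    key = OBJECT_ARN.replace("*", "app-1.2.3.tar.gz")   # constructed existing artifact
    print("EC2 GetObject on key:       ", is_allowed(EC2_READ_POLICY, "s3:GetObject", key))
    print("EC2 ListBucket:             ", is_allowed(EC2_READ_POLICY, "s3:ListBucket", BUCKET_ARN))
    print("Upload DeleteObject on key: ", is_allowed(UPLOAD_POLICY, "s3:DeleteObject", key))
    print("Upload PutObject (overwrite)", is_allowed(UPLOAD_POLICY, "s3:PutObject", key))
```

The last line is the gap the text points at: PutObject on an existing key evaluates exactly like PutObject on a new one, so IAM alone cannot distinguish an upload from an overwrite.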