How do I prevent deletion of S3 buckets?
It looks like creating a bucket policy might do the trick, but I am having trouble creating the policy.
Solution 1:
The AWS Policy Generator is a very helpful tool for the exploration and creation of such policies, its usage is explained in the respective introductory blog post (a direct link to it it is meanwhile available alongside most policy entry forms within the AWS Management Console as well).
I've created an example according to your specification (make sure to generate a new one for your own resources of course):
{
"Id": "ExamplePolicyId12345678",
"Statement": [
{
"Sid": "ExampleStmtSid12345678",
"Action": [
"s3:DeleteBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::test-example-com",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
Please note that the AWS Management Console currently neither hides the delete command nor reports on its execution being unsuccessful for buckets with such policies, however, the bucket remains in place ;)
Solution 2:
So @Steffen's answer is right but I wanted to put another important note. While the policy will protect against the actual bucket being deleted. It won't protect against the items in the bucket being deleted. Which makes sense, but what you should be aware of is that in the AWS console if you choose delete bucket, it will remove all the items in the bucket, then fail to delete the bucket. So any data you had in the bucket will go away. This isn't obvious at first, and could cause serious issues for someone if they're not aware.
TL;DR; Trying to delete the bucket even with delete bucket prohibited will kill all the items in the bucket but keep the bucket around
Solution 3:
Another option is to enable Versioning and MFA Delete. This makes it harder to empty and delete a bucket.