About bucket policy for immutable storage
Bucket policy protects the metadata objects of immutable storage, such as lockdown-mode.conf and lsu-worm.conf for each volume or sub-bucket. To update the bucket policy, you must run the msdpcldutil update bucket-policy command.
If the bucket already has a bucket policy, the cloud administrator must merge the existing bucket policy with the policy for immutable storage manually. For information about editing the S3 bucket policy, see the Adding a bucket policy using the Amazon S3 console topic in the AWS documentation.
The following is an example bucket policy for immutable storage in AWS S3. The pair of Resource entries (lockdown-mode.conf and lsu-worm.conf) is repeated once for each protected volume or sub-bucket.
{
    "Version": "2012-10-17",
    "Id": "vtas-lockdown-mode-file-protection",
    "Statement": [
        {
            "Sid": "vrts-lockdown-file-read-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:PutObjectRetention"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/volume-name/lockdown-mode.conf",
                "arn:aws:s3:::bucket-name/volume-name/lsu-worm.conf",
                "arn:aws:s3:::bucket-name/volume-name/lockdown-mode.conf",
                "arn:aws:s3:::bucket-name/volume-name/lsu-worm.conf",
                "arn:aws:s3:::bucket-name/volume-name/lockdown-mode.conf",
                "arn:aws:s3:::bucket-name/volume-name/lsu-worm.conf"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:userid": "YOUR-USER-ID-HERE"
                }
            }
        }
    ]
}
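The manual merge step described above is easy to get wrong by hand (a duplicated Sid, a dropped existing statement, or a Resource list that misses one volume). The following script is an added example written for this page; it is not part of NetBackup, MSDP or msdpcldutil. It builds the deny statement shown above for a bucket and a list of volume or sub-bucket names, merges it into an existing bucket policy without disturbing the statements already there, and is idempotent, so running it twice does not produce two copies of the statement. The bucket name, volume names, user ID and the existing TLS-only policy are constructed sample values, not values from the page; the aws:userid placeholder must be replaced with the real ID of the user that is allowed to modify the metadata objects.

```python
"""Merge the immutable-storage deny statement into an existing S3 bucket policy.

Added example for this page; not product code from NetBackup/MSDP.
Assumes the existing policy is a standard IAM policy JSON document and
that a statement with the same Sid should be replaced, not duplicated.
Applying the merged document to the bucket (for example with the AWS CLI
or console) is left to the administrator.
"""
import json

# Metadata objects that immutable storage protects, per volume or sub-bucket.
PROTECTED_OBJECTS = ("lockdown-mode.conf", "lsu-worm.conf")
# Write/retention actions the policy denies to everyone except one user.
DENIED_ACTIONS = ["s3:DeleteObject", "s3:PutObject", "s3:PutObjectRetention"]
# Sid used in the page's example; used here as the merge key.
IMMUTABLE_SID = "vrts-lockdown-file-read-only"


def build_immutable_statement(bucket, volumes, user_id):
    """Build the deny statement for one bucket and all of its volumes."""
    resources = [
        f"arn:aws:s3:::{bucket}/{volume}/{name}"
        for volume in volumes
        for name in PROTECTED_OBJECTS
    ]
    return {
        "Sid": IMMUTABLE_SID,
        "Effect": "Deny",
        "Principal": "*",
        "Action": list(DENIED_ACTIONS),
        "Resource": resources,
        "Condition": {"StringNotEquals": {"aws:userid": user_id}},
    }


def merge_bucket_policy(existing_policy_json, bucket, volumes, user_id):
    """Return the merged policy as a dict, keeping all unrelated statements.

    An empty or missing existing policy yields a fresh policy document.
    Any earlier copy of the immutable-storage statement is replaced.
    """
    policy = json.loads(existing_policy_json) if existing_policy_json else {}
    policy.setdefault("Version", "2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = [statements]
    statements = [s for s in statements if s.get("Sid") != IMMUTABLE_SID]
    statements.append(build_immutable_statement(bucket, volumes, user_id))
    policy["Statement"] = statements
    return policy


def protected_resources(policy):
    """Sorted ARNs that the immutable-storage statement denies writes to."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Sid") == IMMUTABLE_SID:
            return sorted(stmt["Resource"])
    return []


# Constructed sample: a pre-existing policy that only enforces TLS.
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "require-tls",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

if __name__ == "__main__":
    # Constructed sample values; replace with the real bucket, volumes and user ID.
    merged = merge_bucket_policy(EXISTING_POLICY, "example-bucket",
                                 ["vol1", "vol2"], "YOUR-USER-ID-HERE")
    print(json.dumps(merged, indent=4))
```

After merging, compare the printed Resource list against the volumes msdpcldutil created before applying the policy; any volume missing from the list is one whose lockdown-mode.conf and lsu-worm.conf remain unprotected.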
See AWS user permissions to create the cloud immutable volume.