Do SCP Policies affect S3 Lifecycles?

305 Views Asked by Jonathan Duran At 05 April 2025 at 03:17

If I create and attach the following SCP policy:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": [
                "s3:DeleteObjectVersion"
            ],
            "Resource": ["*"],
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:I am::<MY-ACCOUNT-ID>:role/OrganizationAccountAccessRole"
                    ]
                }
            }
        }
    ]
}

will my S3 lifecycle rules to expire noncurrent objects be affected? Specifically, If I have a rule in one of my OUs that say to keep just 1 noncurrent version of a file and delete/expire the rest, will the SCP policy prevent this from happening?

Original Q&A

There are 1 best solutions below

Paolo On 15 September 2022 at 20:00 BEST ANSWER

From the documentation:

SCPs affect only IAM users and roles that are managed by accounts that are part of the organization

S3 lifecycle rules use neither an IAM user nor an IAM role, therefore the answer is no, the rules won't be affected by the SCP.

Do SCP Policies affect S3 Lifecycles?

There are 1 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AWS-ORGANIZATIONS

Related Questions in AWS-SCP

Trending Questions

Popular # Hahtags

Popular Questions