I know I can allow date based access to S3 files, however is it possible to allow access to certain files in S3 by the age of the object itself?

E.g. something like:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "service-prefix:action-name",
            "Resource": "*",
            "Condition": {
                "DateGreaterThan": {"aws:last_modified": "2020-04-01T00:00:00Z"},
                "DateLessThan": {"aws:last_modified": "2020-06-30T23:59:59Z"}
            }
        }
    ]
}
```
pyCthon

  • I don't see anything related to object age or last modified timestamp at [Condition keys for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/list_amazons3.html#amazons3-policy-keys). Wonder if you could tag these objects with their last modified timestamp (and perhaps automate that for new objects via Lambda), then write a policy dependent on [aws:ResourceTag/tag-key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag)? – jarmod Nov 03 '22 at 18:37
  • oh tags would work great actually! @jarmod – pyCthon Nov 03 '22 at 18:45
  • Do the tags persist if I overwrite the object? Or do I need to add the tag back every time? @jarmod – pyCthon Nov 03 '22 at 19:18
  • 1
    I would not expect the tags to persist. You're essentially uploading a new object, albeit with the same key. Probably easy to test this. But, an S3 event-triggered Lambda function could be the solution to that. – jarmod Nov 03 '22 at 19:33
  • An alternative to using tags is to transition your object to a particular storage class (after it is old enough for you) via a lifecycle rule, then use s3:x-amz-storage-class in the bucket policy to deny access. EDIT: not sure if it would work with GETs, as the documentation only mentions that for PUTs. I think you should try and see what works best. – Amine Zaine Nov 03 '22 at 20:10
  • 1
    tag is your best option – jellycsc Nov 03 '22 at 20:29
  • Can I ask... _Why_ do you want to restrict access based on `LastModified` date? – John Rotenstein Nov 04 '22 at 01:56
  • @JohnRotenstein an easy way to allow sample historical data and paid/live data. – pyCthon Nov 04 '22 at 02:27
  • I would recommend you do this by either placing 'historical' and 'live' data in different paths (e.g. `live/`, `historical/`) or setting permissions based on the Key (filename). For example, if an object is named with a date (`2020-06-30_file3.csv`), then allow access based on a Prefix (`2020-06`). It would have less resolution (e.g. by whole months), but it would mean that files do not need to be moved as they age. – John Rotenstein Nov 04 '22 at 02:35
  • @JohnRotenstein tags work nicely. Different paths == more storage costs. Setting by prefix when you want to provide 20+ years or differing years will get messy. – pyCthon Nov 04 '22 at 03:02
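The tag-based approach suggested in the comments, worked through as an added example (not code from the question, the answer, or AWS): a Lambda that stamps each created object with its LastModified time, plus the bucket-policy statement that reads the tag back through the `s3:ExistingObjectTag/<tag-key>` condition key. The tag name, the principal, the event-trigger wiring, and applying a date operator to the tag value are assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import unquote_plus

TAG_KEY = "last-modified"  # assumed tag name; any valid tag key works


def last_modified_tag(last_modified: datetime) -> dict:
    """Build the TagSet entry for an object's LastModified time.

    Tag values may contain ':' and '-', so the ISO 8601 form that IAM's
    date condition operators expect fits directly into the tag value.
    """
    ts = last_modified.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Key": TAG_KEY, "Value": ts}


def age_gated_statement(bucket: str, principal: str, cutoff: str) -> dict:
    """Bucket-policy statement allowing GetObject only on objects whose tag
    is before the cutoff (ISO 8601). IAM has no key for 'age relative to
    now', so the cutoff is a fixed date, like the window in the question.
    """
    return {
        "Effect": "Allow",
        "Principal": {"AWS": principal},  # assumed reader principal
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {
            "DateLessThan": {f"s3:ExistingObjectTag/{TAG_KEY}": cutoff},
        },
    }


def handler(event, context):
    """Lambda entry point for s3:ObjectCreated:* notifications (assumed).

    Overwriting an object replaces its tag set, so every upload, including
    an overwrite of an existing key, is re-tagged from its own LastModified.
    """
    import boto3  # assumed available in the Lambda runtime; imported lazily
    s3 = boto3.client("s3")  # so the module imports and tests offline
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        head = s3.head_object(Bucket=bucket, Key=key)
        s3.put_object_tagging(
            Bucket=bucket,
            Key=key,
            Tagging={"TagSet": [last_modified_tag(head["LastModified"])]},
        )
```

Because the policy compares against a fixed date, moving the "historical" boundary forward means republishing the policy with a new cutoff rather than re-tagging objects.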

1 Answer

Unfortunately there is no such condition key to gate access on the age of an object. See the complete list of S3-specific condition keys.

Ben Whaley