S3 Object Lock feature prevents object and bucket deletion #863
Comments
I would also be interested in this feature, especially if we could set up another flag to confirm deletion of governance-locked objects.
@deekayw0n @atostivint this feature was recently implemented over in the newly promoted fork that's the successor to this wonderful tool we've been using for years. Documentation for all resource types is underway, but specifically documentation around how to configure the fork to disable governance and object locks is available here. Should you run into issues, please let me know. Please see a copy of the notice from the README about the deprecation of this project. Sven was kind enough to grant me access to help triage and close issues and pull requests that have already been addressed in the actively maintained fork. Some additional information is located in the welcome issue for more information.
Caution: This repository for aws-nuke is no longer being actively maintained. We recommend users to switch to the actively maintained fork of this project at ekristen/aws-nuke.
Thanks kindly @ekristen for all your efforts in resuscitating and bringing new energy back to this valuable tool. FWIW, I migrated to your fork not so long ago and you've already crushed out a few of the issues that were blocking me, so I am incredibly grateful!
You're welcome
Issue:
If an S3 bucket has Object Lock enabled and object(s) within the bucket have it configured, aws-nuke will be unable to delete the object(s) or the associated bucket.
Expected Result:
aws-nuke deletes a bucket and its objects regardless of Object Lock status.
Actual Results:
aws-nuke makes many attempts to delete the object(s) and the bucket, with no success.
Background:
AWS S3 has an advanced setting called Object Lock that can be toggled at time of bucket creation. The intent of this feature is to be able to prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely (e.g. if you have a legal hold on a particular item).
If objects within the bucket have this applied, aws-nuke will not be able to delete these objects and therefore will not be able to delete the associated bucket. This leads to re-attempts and a slowdown of the overall aws-nuke process.
Proposed Solution:
BEST OPTION: If the "x-amz-bypass-governance-retention: true" header described at https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-managing.html#object-lock-managing-bypass allows aws-nuke to delete objects regardless of Object Lock status, that may be the way to go, as no additional handling would be required.
OKAY OPTION: If the header does not work or cannot be used, aws-nuke should evaluate if Object Lock is enabled at the bucket level and disable this feature only on relevant objects that have it enabled prior to deletion.
SLOWEST OPTION: If there is no bulk operation to determine which objects have Object Lock enabled, aws-nuke should disable Object Lock on every object prior to object and bucket deletion attempts ONLY IF the bucket has this feature enabled.
Without any special handling as provided by these options, I found the peculiar behavior where marking an object for deletion when Object Lock is enabled appears to succeed in the UI; however, deletion of the bucket will fail with a sad access denied error message, and the object will reappear as if nothing happened.
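The three options above are really one decision per object version, and two facts about Object Lock decide it. First, Object Lock buckets are always versioned, so a DeleteObject without a version ID only writes a delete marker and the locked version stays put (which is the "reappearing object" seen in the console); the tool has to delete by version ID. Second, the bypass header only covers GOVERNANCE retention and needs the s3:BypassGovernanceRetention permission; a legal hold has to be switched off with PutObjectLegalHold first, and a version under unexpired COMPLIANCE retention cannot be deleted by anyone, including the account root user, until its retain-until date passes. The planner below is an added example, not code from aws-nuke or its fork, written in Go because that is the project's language; it takes a constructed inventory (the fields GetObjectRetention and GetObjectLegalHold would return) instead of calling the AWS SDK, and emits the ordered API calls the tool would have to make, reporting the COMPLIANCE-locked versions that make the bucket undeletable for now. Type, function and constant names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Retention modes exactly as the S3 API spells them.
const (
	ModeGovernance = "GOVERNANCE"
	ModeCompliance = "COMPLIANCE"
)

// ObjectVersion is a constructed, simplified view of one S3 object version.
// Object Lock buckets are always versioned, so every object has a version ID;
// the remaining fields are what GetObjectRetention/GetObjectLegalHold report.
type ObjectVersion struct {
	Key           string
	VersionID     string
	RetentionMode string    // "", GOVERNANCE or COMPLIANCE
	RetainUntil   time.Time // zero when the version has no retention period
	LegalHold     bool
}

// Action is one API call the planner decided is needed, in execution order.
type Action struct {
	Op        string
	Key       string
	VersionID string
}

// Op names describe the S3 call each action maps to (hypothetical labels).
const (
	OpRemoveLegalHold        = "PutObjectLegalHold(Status=OFF)"
	OpDelete                 = "DeleteObject(VersionId)"
	OpDeleteBypassGovernance = "DeleteObject(VersionId, x-amz-bypass-governance-retention: true)"
)

// Plan decides, per version, what has to happen before the bucket can be
// emptied. lockEnabled is what GetObjectLockConfiguration says for the bucket.
// Versions under an unexpired COMPLIANCE retention are returned in the error,
// because nothing (not even the account root user) can delete them early; the
// bucket itself can only be deleted once they expire.
func Plan(lockEnabled bool, versions []ObjectVersion, now time.Time) ([]Action, error) {
	var actions []Action
	var blocked []string
	for _, v := range versions {
		retained := lockEnabled && v.RetentionMode != "" && v.RetainUntil.After(now)
		if retained && v.RetentionMode == ModeCompliance {
			blocked = append(blocked, fmt.Sprintf("%s@%s until %s",
				v.Key, v.VersionID, v.RetainUntil.UTC().Format(time.RFC3339)))
			continue // leave it alone; clearing a legal hold here would change nothing
		}
		if lockEnabled && v.LegalHold {
			// A legal hold blocks deletion in any mode and never expires on its
			// own; it must be switched off first (needs s3:PutObjectLegalHold).
			actions = append(actions, Action{OpRemoveLegalHold, v.Key, v.VersionID})
		}
		if retained {
			// GOVERNANCE: deletable with the bypass header, which only works for
			// callers holding s3:BypassGovernanceRetention.
			actions = append(actions, Action{OpDeleteBypassGovernance, v.Key, v.VersionID})
		} else {
			actions = append(actions, Action{OpDelete, v.Key, v.VersionID})
		}
	}
	if len(blocked) > 0 {
		return actions, fmt.Errorf("bucket cannot be emptied yet; COMPLIANCE-locked versions: %s",
			strings.Join(blocked, ", "))
	}
	return actions, nil
}

// SampleInventory is constructed test data, not a listing from a real bucket.
func SampleInventory(now time.Time) []ObjectVersion {
	return []ObjectVersion{
		{Key: "logs/a.txt", VersionID: "v1"}, // no lock settings at all
		{Key: "logs/b.txt", VersionID: "v2", RetentionMode: ModeGovernance, RetainUntil: now.AddDate(1, 0, 0)},
		{Key: "logs/c.txt", VersionID: "v3", RetentionMode: ModeCompliance, RetainUntil: now.AddDate(0, -1, 0)}, // expired
		{Key: "legal/d.pdf", VersionID: "v4", LegalHold: true},
		{Key: "legal/e.pdf", VersionID: "v5", RetentionMode: ModeCompliance, RetainUntil: now.AddDate(0, 6, 0), LegalHold: true},
	}
}

func main() {
	now := time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)
	actions, err := Plan(true, SampleInventory(now), now)
	for _, a := range actions {
		fmt.Printf("%-70s %s (version %s)\n", a.Op, a.Key, a.VersionID)
	}
	if err != nil {
		fmt.Println("WARN:", err)
	}
}
```

Two things the plan makes explicit that the header alone does not: the expired COMPLIANCE version (logs/c.txt) is an ordinary delete, since retention only counts while RetainUntil is in the future, and the still-retained COMPLIANCE version (legal/e.pdf) is reported rather than retried, which is the slowdown the issue describes when the tool keeps attempting something S3 will never allow.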