S3 Policies

Experienced users will find an overview of the available policies on this page. The policies control access to functions that give you file handling options and allow you to retrieve additional information, e.g., backup duration or bucket version.

Note

Coscine supports only a limited set of policies from the AWS S3 documentation, partly for security reasons. Further information is provided in the following sections.

User Feedback and Policy Adjustments

Users can contact the RDM staff of their university or the NFDI consortium to discuss proposals for new policies or changes to existing ones and forward these to Coscine. Proposals must not introduce security issues, so the hurdle is especially high for policies that interfere with the data life‑cycle or modify permissions. The process works as follows: received feedback is evaluated, then proposals are collected and presented to the Coscine Steering Board, which decides on any changes. The time from proposal to implementation can take 3–6 months; in cases that require larger changes at epic level, the duration is expected to be longer.

Policies that are currently under evaluation are listed separately below.

Deviations from AWS S3

The AWS documentation is a popular reference for S3 policies and lists many policies. In some cases, the detailed information there does not match the requirements of datastorage.nrw, which is an S3‑compatible storage system but not identical to Amazon S3.

LifecycleConfiguration

Coscine’s LifecycleConfiguration is set to keep file versions for 7 days, which allows backups until those versions time out. For now, this applies to interrupted uploads as well as overwritten files.

Active Policies

The following policies can be used via an S3 client (e.g., MinIO) to retrieve information or modify data. They are also viewable directly in the Git repository.

Policy Name Description
s3:ListBucket Allows listing up to 1 000 objects within a bucket.
s3:ListAllMyBuckets Allows listing all buckets that are associated with the user.
s3:HeadBucket Allows checking whether the user has permission to access the bucket. Returns “200 OK”, “404 Not Found”, or “403 Forbidden”.
s3:HeadObject Allows retrieving the metadata of an object.
s3:ListObjects Allows displaying the names of all objects in a bucket.
s3:GetObject Allows downloading an object from a bucket.
s3:GetObjectAcl Allows viewing a list of users and their access rights on an object.
s3:GetObjectVersion Allows viewing metadata for a file and all its versioned copies.
s3:PutObject Allows uploading a file to a bucket.
s3:DeleteObject Allows deleting a file from a bucket.
s3:CreateMultipartUpload Allows initiating a multipart upload.
s3:ListMultipartUploads Allows listing all parts of a multipart upload (currently not functional; a solution is in development).
s3:AbortMultipartUpload Allows aborting a multipart upload.
s3:CompleteMultipartUpload Finalises the upload of the individual file fragments into a single object and verifies integrity via checksums.

System Policies

These policies are used only internally by the Coscine system and are not exposed to users.

Policy Name Description
s3:DeleteObjectVersion Disabled for users for security reasons, to prevent a compromised account from deleting both files and all their backups.

Policies Under Evaluation

The following policies are currently being analysed or await a decision from the Coscine Steering Board regarding possible implementation.

Policy Name Description
s3:GetLifecycleConfiguration Allows querying the lifecycle configuration, including how long versions are retained as backups before deletion.
s3:ListBucketVersions Allows listing all object versions within a bucket. Output is limited to a maximum of 1 000 entries.
s3:GetObjectRetention Allows retrieving retention settings for an object, i.e., whether and for how long an Object Lock restricts read access. This concerns WORM resources only.
s3:GetBucketObjectLockConfiguration Allows querying the Object‑Lock configuration of a bucket.

Rejected Policies

The policies below have already been evaluated and rejected:

Policy Name Description
s3:PutLifecycleConfiguration Rejected because it would permit shortening the retention period of backup versions or disabling versioning altogether. Enabling this policy would increase the potential damage in the event of a security breach, as it would allow the deletion of files and their backups.
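
The following check is an added example, not code from Coscine or its Git repository. It audits a policy document for Allow statements that reach an action outside the Active Policies table, including through wildcards such as s3:Delete*, which covers the system-only s3:DeleteObjectVersion. It assumes the policy is written in the AWS IAM JSON format; the function names and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Action lists copied from the tables on this page.
ACTIVE = {"s3:ListBucket", "s3:ListAllMyBuckets", "s3:HeadBucket", "s3:HeadObject",
          "s3:ListObjects", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
          "s3:PutObject", "s3:DeleteObject", "s3:CreateMultipartUpload",
          "s3:ListMultipartUploads", "s3:AbortMultipartUpload",
          "s3:CompleteMultipartUpload"}
NOT_FOR_USERS = {"s3:DeleteObjectVersion": "system",
                 "s3:GetLifecycleConfiguration": "under evaluation",
                 "s3:ListBucketVersions": "under evaluation",
                 "s3:GetObjectRetention": "under evaluation",
                 "s3:GetBucketObjectLockConfiguration": "under evaluation",
                 "s3:PutLifecycleConfiguration": "rejected"}

# Constructed sample policy (not taken from Coscine).
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:Delete*", "Resource": "*"},
  {"Effect": "Deny", "Action": "s3:PutLifecycleConfiguration", "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:Put*", "Resource": "*"}
]}"""

def as_list(value):
    """IAM allows a single string or a list for Action."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy_json):
    """Return sorted (statement index, pattern, action, status) findings."""
    findings = set()
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":     # Deny statements grant nothing
            continue
        if "NotAction" in stmt:               # Allow + NotAction grants all unnamed actions
            findings.add((i, "NotAction", "*", "not listed"))
        for pattern in as_list(stmt.get("Action")):
            p = pattern.lower()               # IAM action names are case-insensitive
            hits = [a for a in NOT_FOR_USERS if fnmatchcase(a.lower(), p)]
            for a in hits:
                findings.add((i, pattern, a, NOT_FOR_USERS[a]))
            if not hits and not any(fnmatchcase(a.lower(), p) for a in ACTIVE):
                findings.add((i, pattern, pattern, "not listed"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```
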