S3 Policies
On this page, experienced users will find an overview of the available permissions, also known as "policy actions". Policies with their policy actions control access to functions that give you file handling options and allow you to retrieve additional information, e.g., backup duration or bucket version.
Note
Coscine supports only a limited set of "API Operations" from the AWS S3 documentation, partly for security reasons. Further information is provided in the following sections.
Because many users consult the AWS documentation, we would like to clarify a few terms that are relevant in Coscine but are often mixed up in everyday language. Coscine uses "policies" at the highest level. These allow certain "API operations"; typically there are multiple API operations for a single policy. Those API operations are only possible if certain permissions (policy actions) are defined. For practical use, the policy actions and their API operations are what matter; the policies themselves are handled by the Coscine admins.
Please note that in most cases it is possible to guess the name of a permission based on the API operation or vice versa. But there are exceptions, like "ListObjectVersions".
| API Operation | Policy Action / Permission |
|---|---|
| ListObjectVersions | s3:ListBucketVersions |
User Feedback and Policy Adjustments
Users can contact the RDM staff of their university or the NFDI consortium to discuss proposals for new policies or changes to existing ones and forward these to Coscine. It must be ensured that such proposals do not introduce security issues; therefore, a high hurdle exists, especially for policies that interfere with the data life‑cycle or modify permissions. The process works as follows: received feedback is evaluated, then proposals are collected and presented to the Coscine Steering Board, which decides on any changes. The time from proposal to implementation can take 3–6 months; in cases that require larger changes at the epic level, the duration is expected to be longer.
Policies that are currently under evaluation are listed separately below.
Deviations from AWS S3
The AWS documentation is a popular reference for S3 policies and lists many policies. In some cases, the detailed information there does not match the requirements of datastorage.nrw, which is an S3‑compatible storage system but not identical to Amazon S3.
LifecycleConfiguration
Coscine’s LifecycleConfiguration is set to keep file versions for 7 days, which allows backups until those versions time out. For now, this applies to interrupted uploads as well as overwritten files.
Active Policies
The following policies can be used via an S3 client (e.g., MinIO) to retrieve information or modify data. They are also viewable directly in the Git repository.
| Name of Policy Action / Permission | Description |
|---|---|
| s3:ListBucket | Allows listing up to 1 000 objects within a bucket. |
| s3:ListAllMyBuckets | Only for Coscine Admins. Allows listing all buckets that are associated with the user. This item is listed only for transparency reasons, as you can find it via the Git repository linked above. A request will throw an error for users, because they do not have the permissions. |
| s3:HeadBucket | Allows checking whether the user has permission to access the bucket. Returns “200 OK”, “404 Not Found”, or “403 Forbidden”. |
| s3:HeadObject | Allows retrieving the metadata of an object. |
| s3:ListObjects | Allows displaying the names of all objects in a bucket. |
| s3:GetObject | Allows downloading an object from a bucket. |
| s3:GetObjectAcl | Allows viewing a list of users and their access rights on an object. |
| s3:GetObjectVersion | Allows viewing metadata for a file and all its versioned copies. |
| s3:PutObject | Allows uploading a file to a bucket. |
| s3:DeleteObject | Allows deleting a file from a bucket. |
| s3:CreateMultipartUpload | Allows initiating a multipart upload. |
| s3:AbortMultipartUpload | Allows aborting a multipart upload. |
| s3:ListBucketMultipartUploads | Allows listing the multipart uploads in progress for a bucket. This includes multipart uploads that have been started but not cancelled or finished. |
| s3:ListMultipartUploadParts | Allows listing the transferred parts of a specific multipart upload. Parts whose upload has not finished yet, or was cancelled due to errors, are not listed. |
| s3:CompleteMultipartUpload | Finalises the upload of the individual file fragments into a single object and verifies integrity via checksums. |
Policy Actions of the Past
Some policy actions were available in the past, but are not part of any policies anymore.
| Name of Policy Action / Permission | Description |
|---|---|
| s3:ListMultipartUploads | Has been removed from Coscine as the name did not match any S3 equivalent. Two new policy actions were introduced to handle MultipartUploads. |
| s3:ListObjectVersions | Has been removed from Coscine as the name did not match any S3 equivalent. After a bugfix, the API operation with the same name points to the correct policy action s3:ListBucketVersions. |
System Policy Actions
These policies are used only internally by the Coscine system and are not exposed to users.
| Policy Name | Description |
|---|---|
| s3:DeleteObjectVersion | Disabled for users for security reasons, to prevent a compromised account from deleting both files and all their backups. |
Policies Under Evaluation
The following policies are currently being analysed or await a decision from the Coscine Steering Board regarding possible implementation: currently none.
In implementation or testing
| Name of Policy Action / Permission | Description |
|---|---|
| s3:GetLifecycleConfiguration | Allows querying the lifecycle configuration, including how long versions are retained as backups before deletion. |
| s3:ListBucketVersions | Allows listing all object versions within a bucket. Output is limited to a maximum of 1 000 entries. |
| s3:GetBucketPolicy | Allows querying the bucket for information about permissions. |
Rejected Policies
The policies below have already been evaluated and rejected.
| Name of Policy Action / Permission | Description |
|---|---|
| s3:PutLifecycleConfiguration | Rejected because it would permit shortening the retention period of backup versions or disabling versioning altogether. Enabling this policy would increase the potential damage in the event of a security breach, as it would allow the deletion of files and their backups. For the future, a regulated and more secure solution via the Coscine user interface is planned. |
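
The reasoning behind withholding s3:DeleteObjectVersion and s3:PutLifecycleConfiguration, as an added example (not Coscine's own policy or tooling): the check below reports when the Allow statements of a policy document reach either action, including through wildcards or NotAction. The sample policy, the function names and AWS-style wildcard matching are assumptions; resources are not evaluated beyond the blanket-deny test.

```python
import re

# Actions the page says are withheld from users, and why.
WITHHELD = {
    "s3:DeleteObjectVersion": "system only: would allow deleting files and all backups",
    "s3:PutLifecycleConfiguration": "rejected: could shorten retention or disable versioning",
}

def _as_list(value):
    """Action, NotAction and Resource may be one string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(pattern, action):
    # Assumption: AWS-style matching ('*' any run, '?' one character, case-insensitive).
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def _covers(stmt, action):
    """True if the statement's Action (or NotAction) element applies to `action`."""
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def audit(policy):
    """Map each withheld action to the Sids of the Allow statements that reach it.
    Only an unconditional Deny on Resource "*" clears an action; narrower or
    conditional denies are treated as not protecting it."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = {}
    for action in WITHHELD:
        allows = [s.get("Sid", "<no Sid>") for s in stmts
                  if s.get("Effect") == "Allow" and _covers(s, action)]
        denied = any(s.get("Effect") == "Deny" and "Condition" not in s
                     and "*" in _as_list(s.get("Resource")) and _covers(s, action)
                     for s in stmts)
        if allows and not denied:
            findings[action] = allows
    return findings

# Constructed sample policy (not Coscine's): "s3:Put*" looks like an upload grant.
SAMPLE = {"Statement": [
    {"Sid": "ReadWrite", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]},
    {"Sid": "Uploads", "Effect": "Allow", "Resource": "*", "Action": "s3:Put*"},
    {"Sid": "KeepBackups", "Effect": "Deny", "Resource": "*", "Action": "s3:DeleteObjectVersion"},
]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, s3:DeleteObject does not reach s3:DeleteObjectVersion, but the wildcard grant "s3:Put*" does reach s3:PutLifecycleConfiguration, which is the kind of implicit grant such a check is meant to surface.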