I want a user to be able to put objects only, and not download or delete them. To get that, I have to add a second statement denying GetObject, even though I never allowed GetObject in the first place. (Presumably the uploader owns the object and the object's ACL grants the owner read access, so only an explicit Deny blocks it. Note that the Deny below covers s3:GetObject only; s3:DeleteObject is not listed, so it does not by itself address the "not delete" requirement.)

This works:

{ "Sid": "put-only-objects-s2", "Effect": "Deny", "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] }, "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::testbucket/user1/*" }, { "Sid": "put-only-objects-s3", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] }, "Action": [ "s3:ListBucket", "s3:HeadObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::testbucket/user1/*" },

This does not; you can still download the objects you upload:

{ "Sid": "put-only-objects-s3", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::Company:user/user1", "arn:aws:iam::Company:user/user2" ] }, "Action": [ "s3:ListBucket", "s3:HeadObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::testbucket/user1/*" },

_______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com