Let's say that I have a machine that I want to be able to write to a certain log file stored on an S3 bucket.
So, the machine needs to have writing abilities to that bucket, but, I don't want it to have the ability to overwrite or delete any files in that bucket (including the one I want it to write to).
So basically, I want my machine to be able to only append data to that log file, without overriding it or downloading it.
Is there a way to configure my S3 to work like that? Maybe there's some IAM policy I can attach to it so it will work like I want?
Unfortunately, you can't.
S3 doesn't have an "append" operation.* Once an object has been uploaded, there is no way to modify it in place; your only option is to upload a new object to replace it, which doesn't meet your requirements.
*: Yes, I know this post is a couple of years old. It's still accurate, though.
Update early 2025:
This is now possible, with the major caveat being that it's only supported for S3 Express One Zone, which is AWS relatively new high throughput single AZ mode (Lower redundancy in exchange for higher performance). It's also only supported for "Directory Buckets", not "general purpose" buckets.
Anyone considering using it for the append feature should carefully evaluate whether the redundancy loss is an issue for their workload. Also be aware that if you're moving a lot of data, you risk extra cross-AZ network costs by using single AZ buckets.
https://aws.amazon.com/about-aws/whats-new/2024/11/amazon-s3-express-one-zone-append-data-object/
Since this is only useful for a subset of cases, I believe the original answer is still largely correct.