Tags: amazon-web-services, amazon-s3, aws-organizations, aws-scp

Do SCP Policies affect S3 Lifecycles?


If I create and attach the following SCP policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Deny",
                "Action": [
                    "s3:DeleteObjectVersion"
                ],
                "Resource": ["*"],
                "Condition": {
                    "StringNotLike": {
                        "aws:PrincipalArn": [
                            "arn:aws:iam::<MY-ACCOUNT-ID>:role/OrganizationAccountAccessRole"
                        ]
                    }
                }
            }
        ]
    }

will my S3 lifecycle rules to expire noncurrent objects be affected? Specifically, if I have a rule in one of my OUs that says to keep just 1 noncurrent version of a file and delete/expire the rest, will the SCP policy prevent this from happening?


Solution

  • From the documentation:

    SCPs affect only IAM users and roles that are managed by accounts that are part of the organization

    S3 lifecycle rules use neither an IAM user nor an IAM role, therefore the answer is no, the rules won't be affected by the SCP.
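As an added illustration (not part of the question or the answer above), here is a small Python evaluator for the Deny statement in the question. It assumes a placeholder account id (111122223333) and models a lifecycle expiration as a request with no principal ARN, since S3 performs it on its own behalf rather than as an IAM user or role; it supports only the policy grammar used on this page (Action/Resource lists with wildcards, StringNotLike on aws:PrincipalArn).

```python
import json
import re

# Constructed copy of the SCP from the question; 111122223333 is a placeholder account id.
SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Deny",
    "Action": ["s3:DeleteObjectVersion"],
    "Resource": ["*"],
    "Condition": {"StringNotLike": {"aws:PrincipalArn": [
      "arn:aws:iam::111122223333:role/OrganizationAccountAccessRole"]}}
  }]
}""")

def iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one character, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def scp_denies(policy, action, resource, principal_arn):
    """True if a Deny statement in this SCP applies to the request.

    principal_arn=None models an action S3 performs itself (lifecycle expiration):
    there is no IAM user or role behind it, so SCP evaluation does not happen at all
    (assumption taken from the documentation quoted in the answer).
    """
    if principal_arn is None:
        return False
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(iam_like(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_like(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        exempt = _as_list(stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:PrincipalArn", []))
        # StringNotLike holds (so the Deny fires) when the principal matches none of the patterns.
        if any(iam_like(p, principal_arn) for p in exempt):
            continue
        return True
    return False
```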