Snapshot to S3 - no delete permission

I have a goal of creating a 'write-once' snapshot of my current indexes.
It would be a protection against someone 'accidentally' deleting some of the data.

To achieve that I've created an S3 bucket, but I had to add the IAM policy permission:

            "s3:DeleteObject",

via

https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-snapshots.html

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListBucketMultipartUploads",
                "s3:ListBucketVersions"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::snaps.example.com"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::snaps.example.com/*"
            ]
        }
    ],
    "Version": "2012-10-17"
}

This is because registration of the repository:

curl -XPUT 'http://localhost:9200/_snapshot/my_s3_repository?pretty' -d {bucket_settings}

while 'registering the repository', does create and then delete some files in the S3 bucket, for example:

s3://elb-snapshot/tests-kvpG54MJS0mUqovrwWcIeQ-master
s3://elb-snapshot/tests-kvpG54MJS0mUqovrwWcIeQ-ibLCaJIoSEuJqM1N5rb3ug

I've checked that, actually, after you register the repository (automatically for every cluster node), you can remove the IAM policy rule, the line:

            "s3:DeleteObject",

and the snapshot would still be working fine!

My question is - would it break at some time? I guess a new node attachment or a cluster restart might like to repeat the write/read/delete bucket test...

(What about removing old files?
I did set up a bucket TTL policy to remove files after 365 days
Snapshots to s3; file TTL)

You can create an IAM policy without this permission if you add verify=false while registering the bucket:

curl -XPUT 'http://localhost:9200/_snapshot/my_ttl_repository?verify=false' -d @configure_ttl

It won't create_and_delete files to check the permissions - so there you go.
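
Added example (not part of the original posts, and not Elasticsearch or AWS code): a small Python check that reports whether an IAM policy still grants object deletion on the snapshot bucket, covering wildcard grants such as s3:* and explicit Deny statements as well as the literal s3:DeleteObject line. The object key snap-1 and the function names are assumptions; NotAction, NotResource and Condition are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions that remove snapshot data from a bucket.
DELETE_ACTIONS = ("s3:DeleteObject", "s3:DeleteObjectVersion")

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(stmt, action, resource_arn):
    # Action names are case-insensitive; ARNs are case-sensitive.
    # IAM wildcards (* and ?) map onto fnmatch patterns.
    action_hit = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action")))
    resource_hit = any(fnmatchcase(resource_arn, r)
                       for r in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit

def deletes_allowed(policy, object_arn):
    """Return the delete actions this policy grants on object_arn.

    Simplification: NotAction, NotResource and Condition are ignored.
    """
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    granted = []
    for action in DELETE_ACTIONS:
        allow = any(s.get("Effect") == "Allow" and _matches(s, action, object_arn)
                    for s in statements)
        deny = any(s.get("Effect") == "Deny" and _matches(s, action, object_arn)
                   for s in statements)
        if allow and not deny:  # an explicit Deny always wins
            granted.append(action)
    return granted

# Object statement from the policy in the post (constructed key "snap-1").
POSTED = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
             "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"],
  "Resource": ["arn:aws:s3:::snaps.example.com/*"]}]}""")
KEY = "arn:aws:s3:::snaps.example.com/snap-1"

# Same statement with the s3:DeleteObject line removed, as the post describes.
TRIMMED = json.loads(json.dumps(POSTED))
TRIMMED["Statement"][0]["Action"].remove("s3:DeleteObject")

if __name__ == "__main__":
    print("posted :", deletes_allowed(POSTED, KEY))
    print("trimmed:", deletes_allowed(TRIMMED, KEY))
```

s3:PutObject can still overwrite an existing key, so this check covers deletion only.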