1 Answer
1
First, double-check that the root user is the root user of the account for which the bucket exists.
If the root user is correct, check the following:
If you are using AWS Organizations, make sure you are restricting root user actions in SCP. [1]
[1] Service control policies (SCPs) - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions
If you have restricted operations on buckets in SCP, remove the restrictions in SCP. [2]
[2] Attaching and detaching service control policies - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html
answered 2 years ago
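One way to check an SCP document for the kind of bucket restriction mentioned in the answer above, as an added example that is not part of the original answer. The sample policy, its `Sid` values and the function names are constructed for illustration; the check only matches `Action`/`NotAction` in `Deny` statements and does not evaluate `Resource` or `Condition`.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample SCP (not from the thread); Sids and contents are made up.
SAMPLE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ProtectBucketPolicies", "Effect": "Deny",
     "Action": ["s3:DeleteBucketPolicy", "s3:PutBucket*"], "Resource": "*"},
    {"Sid": "RegionGuard", "Effect": "Deny",
     "NotAction": ["iam:*", "sts:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _matches(patterns, action):
    """Case-insensitive match of an action against patterns with * and ?."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)

def denying_statements(scp, action):
    """Return (sid, has_condition) for each Deny statement covering `action`."""
    stmts = scp.get("Statement", [])
    if isinstance(stmts, dict):          # a single statement may be a bare object
        stmts = [stmts]
    hits = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # Deny + NotAction denies everything except the listed actions.
            covered = not _matches(_as_list(stmt["NotAction"]), action)
        else:
            covered = _matches(_as_list(stmt.get("Action", [])), action)
        if covered:
            # has_condition=True means the deny applies only when the condition holds.
            hits.append((stmt.get("Sid", f"statement[{i}]"), "Condition" in stmt))
    return hits

if __name__ == "__main__":
    for action in ("s3:DeleteBucketPolicy", "iam:ListUsers"):
        print(action, denying_statements(SAMPLE_SCP, action))
```

Run it against each SCP attached to the account and its parent OUs; any hit for `s3:DeleteBucketPolicy` or `s3:PutBucketPolicy` is a statement to review.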
Thanks for the help. I just checked on the root account, and the SCP is set to "disabled".
By this, you mean I should make sure to NOT restrict the root user actions in SCP, correct? (Since it's disabled, it should be fine.)
As for this, I have a root account and a security account. I first log into the security account and then switch to a different role to have access to hop onto another account (research) to access my bucket. In theory, the root account should be able to access all the buckets, no?
Thank you for your confirmation.
We understand that SCP has been disabled.
The above explanation assumes that you have a root account in Organizations.
First, even the root account of Organizations does not have root user level privileges on the child accounts.
There is one root user for each account, and only the root user can do certain things.
Therefore, even if there is an IAM user for the root account or a root user for the root account, there are no root user privileges for the security account.
If the S3 bucket whose bucket policy you want to delete is in the security account, use the root user of the security account.
Understood, thanks a bunch!