Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Not able to delete a S3 bucket

0

Hi, We are not able to delete a S3 bucket - even as root user or an IAM user with FullS3Access permissions. Neither able to list the objects within this bucket nor empty the bucket. We are not able to find out who the owner of this bucket either. Is there any other way to delete this bucket being the root user or IAM user with FullAdmin Access ?

The bucket policy looks like this

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "", "Action": [ "s3:Get", "s3:List*" ], "Resource": [ "arn:aws:s3:::pol-ctrl", "arn:aws:s3:::pol-ctrl/" ] }, { "Effect": "Deny", "Principal": "", "Action": "s3:", "Resource": [ "arn:aws:s3:::pol-ctrl", "arn:aws:s3:::pol-ctrl/" ], "Condition": { "StringNotLike": { "aws:userId": [ "AROAZJDZU5QSGDLXTQ37J:*", "AIDAIX4VQCCS2IDFS6LOK", "AIDAZJDZU5QSKQAGUZ4XJ", "AIDAZJDZU5QSAOPHO4NI2", "AIDAJFUCG36HXSSD5E4AA", "AIDAZJDZU5QSAZRPTZBOZ", "AIDAZJDZU5QSH6S2KG3DM", "111111111111" ] } } } ] }

Getting the following error when logged in as root user.

You don't have permission to view Object ownership (bucket settings) configuration You need s3:GetBucketOwnershipControls to view Object ownership (bucket settings) configuration. Learn more about Object ownership in Amazon S3

Thanks, Vijay

Argomenti
Archiviazione
Tag
S3 Object Lock
Lingua
English
rePost-User-1270551
posta un anno fa480 visualizzazioni
1 Risposta
0
Risposta accettata

Based on the provided information, it seems that the bucket policy is configured to deny all actions on the bucket, including listing objects and deleting the bucket itself. This policy is designed to restrict access to specific users or AWS accounts. Modify the bucket policy: Update the bucket policy to remove the "Deny" statement that prevents deletion. The modified policy should allow the necessary permissions to delete the bucket. You can also visit this part of the documentation: Verifying a bucket owner to check the bucket owner.

AWS
David C
con risposta un anno fa
profile picture
ESPERTO
Antonio_Lagrotteria
verificato un anno fa
  • rePost-User-1270551
    un anno fa

    Thanks for the quick response David. That worked perfectly.

  • rePost-User-1270551
    un anno fa

    Thanks David. I had to delete the bucket policy, then go to Block Public Access and uncheck some of the settings there. When I came back, I was able to edit the Bucket Policy and again to allow access. That worked and I was able to delete this bucket.

  • David C
    un anno fa

    Based on the error message you received, it looks like you don't have the necessary permissions to edit the bucket policy, or the existing policy conflicts with the Block Public Access settings. To edit the bucket policy, you need the s3:PutBucketPolicy permission.

    Additionally, the Deny statement in your bucket policy is blocking all access ("Principal": "") to the "vigilant-pol" bucket ("Resource": ["arn:aws:s3:::vigilant-pol", "arn:aws:s3:::vigilant-pol/"]) except for specific AWS user IDs ("aws:userId" condition).

    You must ensure that you have the required permissions as a user to modify the bucket policy. If you are certain you have the necessary permissions, you can try removing the Deny statement or modifying it to allow the desired access. Make sure to review your Block Public Access settings as well to ensure they align with your intended policy changes. To modify the bucket policy in such cases, you need to either disable or adjust the Block Public Access settings to allow the desired level of access. However, it's important to carefully evaluate the security implications and only make changes that align with your security requirements and policies.

  • David C
    un anno fa

    I'm glad that I could help you.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente