S3 Bucket policy - not accessible by anyone anymore

0

Hi, this morning, logged in with my admin account, I inserted a bucket policy like this one:

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1",
        "arn:aws:s3:::awsexamplebucket1/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```

for my bucket and my VPC. Now I'm not able to access the bucket or remove the policy, and the same goes for the root user. Is it possible to do something? I don't want to delete the bucket.... Many thanks!

Sebastiano Rota

5 answers
0
Accepted answer

Hi all, thank you all for the support. Yesterday I clarified with the customer and there was probably a misunderstanding. Yesterday he was able to delete the policy using the root account. Once more, thank you all for your time.

Sebastiano

Answered 1 year ago
0

You can remove the bucket policy using the root account. Please take a look at the steps below: https://repost.aws/knowledge-center/s3-accidentally-denied-access

AWS
Hyeon
Answered 1 year ago
Expert
Reviewed 1 year ago
  • Already tried....didn't work, same error we have with non-root users

0

If you have denied access to all principals including the root user, you may need to use another IAM user or role that has the necessary permissions to remove the bucket policy.

Firstly, check if there is any IAM user or role that has permissions to remove the bucket policy. If there is none, then you will need to create a new IAM user or role with the necessary permissions to remove the policy.

To create a new IAM user with the necessary permissions, follow these steps:

1. Sign in to the AWS Management Console using an IAM user or role that has the necessary permissions to create new IAM users.
2. In the AWS Management Console, navigate to the IAM console and create a new IAM user.
3. After creating the IAM user, attach an appropriate policy that allows the user to remove the bucket policy.
4. Sign out of the AWS Management Console and sign in as the newly created IAM user.
5. Navigate to the S3 console and remove the bucket policy.
6. Once the bucket policy is removed, detach the policy from the IAM user.

If you don't have the necessary permissions to create an IAM user, you may need to contact AWS Support for assistance. Additionally, AWS support can help you troubleshoot and recover from issues like this.

Yasser
Answered 1 year ago
  • Just tried, created a new user with AmazonS3FullAccess +

    "Action": [
      "s3:PutAccessPointPolicyForObjectLambda",
      "s3:PutAccountPublicAccessBlock",
      "s3:PutBucketPublicAccessBlock",
      "s3:PutMultiRegionAccessPointPolicy",
      "s3:DeleteBucketPolicy",
      "s3:BypassGovernanceRetention",
      "s3:ObjectOwnerOverrideToBucketOwner",
      "s3:DeleteAccessPointPolicyForObjectLambda",
      "s3:PutAccessPointPublicAccessBlock",
      "s3:PutObjectVersionAcl",
      "s3:PutBucketAcl",
      "s3:PutBucketPolicy",
      "s3:DeleteAccessPointPolicy",
      "s3:PutAccessPointPolicy",
      "s3:PutObjectAcl",
      "s3:GetAccountPublicAccessBlock",
      "s3:GetBucketPolicy",
      "s3:GetBucketPolicyStatus",
      "s3:GetBucketOwnershipControls",
      "s3:GetBucketAcl",
      "s3:GetBucketCORS",
      "s3:ListBucket"

    but no way.... On the Buckets home page under Access -> Error message; when I go into the bucket -> Insufficient permissions to list objects; when I consult the Permissions tab -> You don't have permission to view the Block public access (bucket settings) configuration, You don't have permission to get bucket policy, You don't have permission to view Object ownership (bucket settings) configuration, etc....

    What can I do? Thanks.

0

You have a condition on the source VPC.

Do you have an S3 gateway set up? If not, create one and then try accessing the bucket, as long as the VPC matches the one in your policy.

Expert
Answered 1 year ago
  • Do you mean try to access the S3 bucket not from the internet but, for example, from an EC2 instance inside the VPC using a Gateway endpoint?

0

The policy above contains a lot of issues. While it is excellent to have an explicit deny, you must also put an explicit allow for the VPC from where it should be allowed. The denied S3 actions also do not contain a wildcard - probably AWS does not cover this case to warn the user that this policy blocks everything.

I recommend that you contact AWS Support about it (go to AWS Support in the AWS Console).

Answered 1 year ago
  • Hi, thanks for the answer. We have only basic support; do you suggest contacting Support to have the issue resolved by them? Do you know if it's free?
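A pre-deployment lint for the lockout this thread describes, added here as an example that is neither from the thread nor from AWS. It loads the question's policy with the two wildcards the forum rendering stripped put back, flags a global Deny keyed on aws:SourceVpc that carves out no administrator (and whether it also covers the policy-management actions, which is why only root could remove it), and applies one common remediation: exempting a named admin role through an aws:PrincipalArn condition. The role ARN is a constructed placeholder.

```python
import fnmatch
import json

# Constructed sample: the poster's policy with the two wildcards the forum
# rendering stripped ("Principal": "*", "Action": "s3:*") put back.
LOCKOUT_POLICY = json.loads("""{"Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPC-only", "Effect": "Deny",
    "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::awsexamplebucket1", "arn:aws:s3:::awsexamplebucket1/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-111bbb22"}}
  }]
}""")

VPC_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}
EXEMPT_KEYS = {"aws:principalarn", "aws:principalaccount", "aws:principalorgid"}  # carve-outs
ADMIN_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_vpc_deny(policy: dict) -> list[str]:
    """Flag global Deny statements keyed on the source VPC that carve out no admin caller."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if stmt.get("Effect") != "Deny" or not everyone or not keys & VPC_KEYS:
            continue
        if keys & EXEMPT_KEYS:
            continue  # an out-of-VPC principal is exempted: not a lockout
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM wildcards * and ?
        blocked = [a for a in ADMIN_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        sid = stmt.get("Sid", "<no Sid>")
        msg = f"{sid}: denies every principal outside the VPC, console/CLI admins included"
        if blocked:
            msg += f"; it also covers {', '.join(blocked)}, so only the root user can remove it"
        findings.append(msg)
    return findings

def with_admin_exemption(policy: dict, admin_arn: str) -> dict:
    """Copy of the policy where each VPC-fenced Deny also requires the caller not to be admin_arn."""
    fixed = json.loads(json.dumps(policy))  # deep copy; all condition blocks are ANDed
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") == "Deny" and "Condition" in stmt:
            stmt["Condition"].setdefault("ArnNotEquals", {})["aws:PrincipalArn"] = admin_arn
    return fixed
```

Run the lint before `put-bucket-policy` on any policy that contains a global Deny; an empty result means at least one principal outside the VPC keeps its access.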
