
How do I troubleshoot the "You don't have permissions to edit bucket policy" error that I receive when I modify a bucket policy in Amazon S3?


I must troubleshoot the "You don't have permissions to edit bucket policy" error that I receive when I modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Your users receive the "You don't have permissions to edit bucket policy" error for one of the following reasons:

  - The IAM identity doesn't have Allow permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket, or an IAM policy statement explicitly denies them.
  - The bucket policy denies the IAM identity the s3:GetBucketPolicy or s3:PutBucketPolicy action, or denies everyone all Amazon S3 actions.
  - The bucket policy grants public access while Amazon S3 Block Public Access is turned on for the bucket or the account.
  - A service control policy (SCP) in AWS Organizations denies the actions.

To resolve the preceding issues, complete the following troubleshooting steps.

Resolution

Check your permissions for s3:GetBucketPolicy and s3:PutBucketPolicy

Complete the following steps:

  1. Open the IAM console.
  2. In the navigation pane, select the identity that's used to access the bucket policy, such as Users or Roles.
  3. Select the IAM identity name that you use to access the bucket policy.
  4. In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.
  5. In the JSON policy documents, search for policies that are related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.
    Note: If there's no policy with the s3:GetBucketPolicy and s3:PutBucketPolicy actions, then add these permissions to a policy. For instructions on how to modify your IAM permissions, see Change permissions for an IAM user.
    The following example IAM policy allows the IAM identity to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ModifyBucketPolicy",
          "Action": [
            "s3:GetBucketPolicy",
            "s3:PutBucketPolicy"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
        },
        {
          "Sid": "AccessS3Console",
          "Action": [
            "s3:GetBucketLocation",
            "s3:ListAllMyBuckets"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::*"
        }
      ]
    }
    Note: The AccessS3Console statement in the preceding IAM policy grants Amazon S3 console access. It isn't specific to bucket policy changes.
  6. In the JSON policy documents, search for statements with "Effect": "Deny". Then, confirm that these statements don't deny your IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.
  7. Make sure to include the bucket's Amazon Resource Name (ARN) in the Resource section of the policy. In the preceding example, the ARN is arn:aws:s3:::DOC-EXAMPLE-BUCKET.
    Note: s3:GetBucketPolicy and s3:PutBucketPolicy are bucket-level actions, so the Resource must be the bucket ARN itself. An object-level resource such as arn:aws:s3:::DOC-EXAMPLE-BUCKET/* doesn't match these actions, and the request is implicitly denied even though the statement looks like it grants access.
  8. Check if you applied global conditions, such as aws:SourceIP, in the IAM policy to restrict the s3:GetBucketPolicy and s3:PutBucketPolicy actions. If the conditions restrict access, then remove or update them.
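
The following Python example is added here to illustrate steps 5 through 8; it isn't part of this article or of any AWS tool. It evaluates an identity's policy documents offline for the two bucket-level actions, applying the rules the steps describe: an explicit Deny wins over any Allow, Action and Resource are matched with wildcards, and a Deny with a condition on aws:SourceIp only applies when the request context meets it. Every other condition operator raises rather than being guessed at. The policy documents, the bucket name and the IP ranges are constructed samples; for a live check against your real account, use the IAM policy simulator instead.

```python
"""Added example (not AWS code): offline evaluation of identity policies for
s3:GetBucketPolicy and s3:PutBucketPolicy. Models explicit Deny precedence,
wildcard Action/Resource matching, and IpAddress/NotIpAddress on aws:SourceIp."""
import ipaddress
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"  # sample bucket from the article
NEEDED_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards are '*' and '?'; fnmatchcase handles both without folding case.
    return any(fnmatchcase(value, p) for p in patterns)


def _action_matches(stmt, action):
    action = action.lower()  # action names are matched case-insensitively
    if "Action" in stmt:
        return _match_any([p.lower() for p in _as_list(stmt["Action"])], action)
    if "NotAction" in stmt:
        return not _match_any([p.lower() for p in _as_list(stmt["NotAction"])], action)
    return False


def _resource_matches(stmt, arn):
    if "Resource" in stmt:
        return _match_any(_as_list(stmt["Resource"]), arn)
    if "NotResource" in stmt:
        return not _match_any(_as_list(stmt["NotResource"]), arn)
    return False


def _conditions_hold(conditions, context):
    for operator, pairs in conditions.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, cidrs in pairs.items():
            if key.lower() != "aws:sourceip":
                raise NotImplementedError(f"condition key {key} is not modelled")
            ip = ipaddress.ip_address(context["aws:SourceIp"])  # caller supplies it
            in_range = any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))
            if (operator == "IpAddress") != in_range:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decision for one request: 'Deny' (explicit), 'Allow', or 'ImplicitDeny'."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not (_action_matches(stmt, action) and _resource_matches(stmt, resource)):
                continue
            if not _conditions_hold(stmt.get("Condition", {}), context):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # an explicit Deny anywhere ends the evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def can_edit_bucket_policy(policies, bucket_arn=BUCKET_ARN, context=None):
    """Both bucket-level actions must be allowed on the bucket ARN itself."""
    return {a: evaluate(policies, a, bucket_arn, context) for a in NEEDED_ACTIONS}


# Constructed sample policies. The first scopes bucket-level actions to the
# object ARN ("bucket/*"), which never matches the bucket ARN.
WRONG_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ModifyBucketPolicy", "Effect": "Allow",
                   "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
                   "Resource": BUCKET_ARN + "/*"}],
}
CORRECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ModifyBucketPolicy", "Effect": "Allow",
                   "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
                   "Resource": BUCKET_ARN}],
}
# A second policy on the same identity: edits are denied outside the (sample) office range.
OFFICE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyEditsOutsideOffice", "Effect": "Deny",
                   "Action": "s3:PutBucketPolicy", "Resource": "*",
                   "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}],
}

if __name__ == "__main__":
    print(can_edit_bucket_policy([WRONG_RESOURCE_POLICY]))
    print(can_edit_bucket_policy([CORRECT_POLICY]))
    print(can_edit_bucket_policy([CORRECT_POLICY, OFFICE_ONLY_POLICY],
                                 context={"aws:SourceIp": "198.51.100.7"}))
```

Running the block shows the three outcomes the steps warn about: the object-scoped policy yields ImplicitDeny for both actions (step 7), the corrected policy yields Allow, and adding the conditional Deny turns s3:PutBucketPolicy into an explicit Deny for a request from 198.51.100.7 while leaving s3:GetBucketPolicy allowed (steps 6 and 8). The evaluator deliberately covers only what this page discusses; it ignores permissions boundaries, session policies and resource-based policies.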

Add an IAM policy that grants the permissions if one doesn't exist

If you can't find policies that grant s3:GetBucketPolicy or s3:PutBucketPolicy permissions, then add a policy that grants them to your IAM identity. If you find statements that deny access to s3:GetBucketPolicy or s3:PutBucketPolicy, then remove those statements or narrow them so that they no longer apply to your identity. An explicit Deny always overrides an Allow, so adding another Allow policy doesn't help while the Deny remains.

Use another IAM identity that has bucket access to modify the bucket policy

Complete the following steps:

  1. Open the Amazon S3 console.
  2. In the left navigation pane, choose General purpose buckets or Directory buckets.
  3. From the list of buckets, open the bucket with the bucket policy that you want to change.
  4. Choose the Permissions tab.
  5. Choose Bucket policy.
  6. Search for statements with "Effect": "Deny".
  7. Edit the bucket policy to update any "Effect": "Deny" statements that deny the IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.
  8. Check if the bucket policy includes conditions such as aws:PrincipalArn that restrict the s3:GetBucketPolicy and s3:PutBucketPolicy actions for your IAM entity. If these conditions restrict access, then remove or update them.

Delete and recreate a bucket policy that denies everyone access

If the bucket policy denies everyone the s3:GetBucketPolicy or s3:PutBucketPolicy actions, or all Amazon S3 actions (s3:*), then no IAM identity in the account can edit it. Save a copy of the current policy, and then use the delete-bucket-policy AWS CLI command to delete it:

aws s3api get-bucket-policy --bucket example_bucket --query Policy --output text > old-policy.json
aws s3api delete-bucket-policy --bucket example_bucket

Note: Replace example_bucket with the name of your bucket. The first command needs s3:GetBucketPolicy; if that call is denied as well, run both commands as the root user, as described next.

If you locked yourself out of the bucket and the delete call also fails, regain access to the bucket. The root user of the AWS account that owns the bucket can always call delete-bucket-policy and put-bucket-policy, even when the bucket policy explicitly denies everyone, so run the commands with root user credentials (an SCP can still block the root user of a member account). After you delete the bucket policy, create a new one that grants the permissions you need, and confirm that a non-root IAM identity can edit it before you end the root session.

Turn off Amazon S3 Block Public Access

If your bucket policy grants public access, then the BlockPublicPolicy setting of Amazon S3 Block Public Access rejects the policy when you try to save it. Check the bucket's settings with the get-public-access-block AWS CLI command (aws s3api get-public-access-block --bucket example_bucket) and the account-level settings in the Amazon S3 console. Only turn off Block Public Access for the bucket if the bucket genuinely must be public; otherwise, rewrite the policy to grant access to specific principals instead. For more information, see Blocking public access to your Amazon S3 storage and The meaning of "public".

Note: If you turn off Amazon S3 Block Public Access at the AWS account level, first turn it on for every bucket that must stay private. Those buckets were previously protected by the account-level setting only.

For AWS Organizations, delete or narrow SCPs that don't allow Amazon S3 access

If you use AWS Organizations, then review your service control policies (SCPs). Look for any statements that explicitly deny the s3:PutBucketPolicy action or other Amazon S3 policy actions. An SCP applies to every principal in a member account, including the root user, and can't be overridden by an IAM policy or bucket policy, so it must be changed from the organization's management account. Delete the SCPs that apply the Deny effect to s3:* actions when your organization doesn't require the policies. If the Deny is still needed, narrow it instead, for example by exempting a specific administrative role with an aws:PrincipalArn condition.

The following example policy denies access to all Amazon S3 actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
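
The following Python example is added here to illustrate the "search for statements with Effect: Deny" steps of both the bucket-policy section and this SCP section; it isn't part of this article or of any AWS tool. It takes the policy documents from each layer that applies to a request (SCPs, IAM identity policies, the bucket policy) and reports every explicit Deny that covers the two bucket-policy actions on the bucket ARN, so you can see which layer is blocking you. Matching covers Action/NotAction and Resource/NotResource wildcards; a Deny that carries a Condition is flagged for manual review rather than evaluated, because the context it needs isn't available offline, and the Principal element isn't checked (the identity is assumed to be covered). The layer names, policies, account ID and role name are constructed samples.

```python
"""Added example (not AWS code): locate explicit Deny statements for
s3:GetBucketPolicy and s3:PutBucketPolicy across SCPs, IAM policies and
the bucket policy. Conditional denies are reported, not evaluated."""
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"  # sample bucket from the article
POLICY_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def _covers(stmt, key, not_key, value, fold_case):
    """True when the statement's key/not_key element covers the value."""
    norm = (lambda s: s.lower()) if fold_case else (lambda s: s)
    if key in stmt:
        return any(fnmatchcase(norm(value), norm(p)) for p in _as_list(stmt[key]))
    if not_key in stmt:
        return not any(fnmatchcase(norm(value), norm(p)) for p in _as_list(stmt[not_key]))
    return False


def find_explicit_denies(layers, bucket_arn=BUCKET_ARN, actions=POLICY_ACTIONS):
    """layers: list of (layer_name, policy_document), in any order.
    Returns one record per Deny statement and per action that it covers."""
    hits = []
    for layer, doc in layers:
        for index, stmt in enumerate(_as_list(doc.get("Statement"))):
            if stmt.get("Effect") != "Deny":
                continue
            for action in actions:
                if (_covers(stmt, "Action", "NotAction", action, True)
                        and _covers(stmt, "Resource", "NotResource", bucket_arn, False)):
                    hits.append({"layer": layer,
                                 "sid": stmt.get("Sid", f"statement[{index}]"),
                                 "action": action,
                                 "conditional": "Condition" in stmt})
    return hits


def unconditional_blockers(hits):
    """(layer, Sid) pairs that deny regardless of request context. These must
    change before any Allow in another policy can take effect."""
    return sorted({(h["layer"], h["sid"]) for h in hits if not h["conditional"]})


# Constructed sample layers for one request by an IAM role in account 111122223333.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ModifyBucketPolicy", "Effect": "Allow",
                   "Action": list(POLICY_ACTIONS), "Resource": BUCKET_ARN}],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Conditional: only the named admin role may change the policy.
        {"Sid": "LockPolicyToAdmins", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutBucketPolicy", "Resource": BUCKET_ARN,
         "Condition": {"ArnNotLike": {"aws:PrincipalArn":
                       "arn:aws:iam::111122223333:role/BucketPolicyAdmin"}}},
        # Object-scoped: never covers the bucket-level actions.
        {"Sid": "ObjectsOnly", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_ARN + "/*"},
    ],
}
LAYERS = [("SCP", SCP), ("IAM identity policy", IDENTITY_POLICY), ("bucket policy", BUCKET_POLICY)]

if __name__ == "__main__":
    for hit in find_explicit_denies(LAYERS):
        print(hit)
    print(unconditional_blockers(find_explicit_denies(LAYERS)))
```

With the sample layers, the SCP's DenyAllS3 statement is reported for both actions and is the only unconditional blocker: the Allow in the identity policy can't take effect until that SCP is deleted or narrowed from the management account. The bucket policy's LockPolicyToAdmins statement is reported as conditional for s3:PutBucketPolicy, which tells you to check whether the calling principal is the exempted role, and ObjectsOnly isn't reported at all because its object-scoped Resource doesn't cover bucket-level actions.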