How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?


I'm getting the following error when I try to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket: You don't have permissions to edit bucket policy

Short description

You get this error for the following reasons:

To resolve these issues, try the following:

  • Check that the IAM user or role has s3:GetBucketPolicy permission to view the bucket policy and s3:PutBucketPolicy permission to edit it. Add an IAM user policy to grant you access if one doesn't exist.
  • If you're denied permissions, then use another IAM identity that has bucket access, and edit the bucket policy. Or, delete and recreate the bucket policy if no one has access to it.
  • If you're trying to add a public read policy, then turn off the bucket's S3 Block Public Access feature.
  • If you use AWS Organizations, then verify that you don't have any service control policies that explicitly deny S3 actions. Also, confirm that you can add exceptions for your operation.

Resolution

Check your permissions for s3:GetBucketPolicy and s3:PutBucketPolicy

Follow these steps:

1.    Open the IAM console.

2.    Select the identity that's used to access the bucket policy, such as User or Role.

3.    Select the IAM identity name that you're using to access the bucket policy.

4.    In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.

5.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.

The following example IAM policy allows the IAM identity to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyBucketPolicy",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Sid": "AccessS3Console",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Note: The AccessS3Console statement in the preceding IAM policy grants Amazon S3 console access. It isn't specific to modifying a bucket policy.

6.    In the JSON policy documents, search for statements with "Effect": "Deny". Then, confirm that these statements don't deny your IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

7.    Make sure that the bucket ARN (example: arn:aws:s3:::DOC-EXAMPLE-BUCKET) is present in the Resource section of the policy, because s3:GetBucketPolicy and s3:PutBucketPolicy are bucket-level actions.

8.    Check if any global conditions such as aws:SourceIp are applied in the IAM policy to restrict the s3:GetBucketPolicy and s3:PutBucketPolicy actions. If these conditions restrict access, then remove or update these conditions.

Add a bucket policy if it doesn't exist

If you can't find policies that grant s3:GetBucketPolicy or s3:PutBucketPolicy permissions, then add a policy to grant them to your IAM identity. If you find policies that deny access to s3:GetBucketPolicy or s3:PutBucketPolicy, then remove these policies. For instructions on modifying your IAM permissions, see Changing permissions for an IAM user.

Use another IAM identity that has bucket access and modify the bucket policy

Follow these steps to modify the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Edit the bucket policy to update any "Effect": "Deny" statements that deny the IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

7.    Check if conditions such as aws:PrincipalArn are applied in the bucket policy to restrict the s3:GetBucketPolicy and s3:PutBucketPolicy actions for your IAM identity. If these conditions restrict access, then remove or update these conditions.

Delete and recreate the bucket policy if it denies everyone access

If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy. If you can't delete the bucket policy, then try deleting the policy as the AWS account root user. After the policy is deleted, you can create a new bucket policy.

Turn off S3 Block Public Access

If your bucket policy grants public access, then check whether S3 Block Public Access is turned on for the bucket and turn it off. To avoid this error on other buckets that you make public, confirm that S3 Block Public Access isn't turned on at the account level.

For more information, see Blocking public access to your Amazon S3 storage. Also, see The meaning of public.

Note: Before turning off S3 Block Public Access at the account level, confirm that you turned it on at the bucket level for private buckets. This is required to prevent unwanted public access to these private buckets.

For AWS Organizations, delete service control policies that don't allow Amazon S3 access

If you're using AWS Organizations, then check the service control policies for any statements that explicitly deny the s3:PutBucketPolicy action or any other S3 action. Delete the service control policies that explicitly deny S3 actions, in accordance with your organization's security policies.

For example, the following policy denies access to all S3 actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
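The following Python, written for this article as an added illustration (not AWS tooling or code from the article), models the checks in steps 5 through 8, the bucket-policy Deny case, and the SCP example above: an explicit Deny in an SCP, identity policy or bucket policy beats an Allow, a bucket-level action needs an identity-policy Allow whose Resource is the bucket ARN itself rather than DOC-EXAMPLE-BUCKET/*, and an aws:SourceIp condition gates that Allow. The evaluation model, the evaluate and _applies helpers and the policy dictionaries are assumptions and constructed samples, simplified from AWS's full policy evaluation logic.

```python
import fnmatch
import ipaddress
# Constructed sample documents for this example. The Allow policy and the SCP
# mirror the two policy documents shown in the article above.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ModifyBucketPolicy", "Effect": "Allow",
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"], "Resource": BUCKET_ARN}]}
SCP_DENY_ALL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyAllS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(cond, ctx):
    """Models only the aws:SourceIp operators named in the article; any other key or operator counts as unsatisfied (assumption)."""
    for op, keys in cond.items():
        for key, value in keys.items():
            if key != "aws:SourceIp" or op not in ("IpAddress", "NotIpAddress"):
                return False
            ip = ipaddress.ip_address(ctx.get("aws:SourceIp", "0.0.0.0"))
            in_range = any(ip in ipaddress.ip_network(c) for c in _as_list(value))
            if (op == "IpAddress") != in_range:
                return False
    return True

def _applies(stmt, action, resource, ctx):
    """A statement applies when Action, Resource and Condition all match.
    Actions compare case-insensitively; '*' wildcards behave as in IAM."""
    acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a) for a in acts)
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
    return act_ok and res_ok and _condition_holds(stmt.get("Condition", {}), ctx)

def evaluate(action, resource, identity_policies, scps=(), bucket_policy=None, ctx=None):
    """Simplified model (an assumption, not AWS's complete logic): an explicit Deny
    in any SCP, identity policy or bucket policy wins; otherwise an identity-policy
    Allow is required. Bucket-policy Principal matching is skipped (assumption)."""
    ctx = ctx or {}
    deny_sources = list(scps) + list(identity_policies) + ([bucket_policy] if bucket_policy else [])
    for pol in deny_sources:
        for stmt in pol["Statement"]:
            if stmt["Effect"] == "Deny" and _applies(stmt, action, resource, ctx):
                return "Deny", "explicit deny: " + stmt.get("Sid", "unnamed statement")
    for pol in identity_policies:
        for stmt in pol["Statement"]:
            if stmt["Effect"] == "Allow" and _applies(stmt, action, resource, ctx):
                return "Allow", "allowed by " + stmt.get("Sid", "unnamed statement")
    return "Deny", "implicit deny: no Allow matches this action on the bucket ARN"
```

For a real account, run the same questions against the IAM policy simulator rather than this model, which ignores permission boundaries, session policies and resource-policy principals.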
AWS OFFICIAL. Updated a year ago.