I incorrectly configured my bucket policy to deny all users access to my Amazon Simple Storage Service (Amazon S3) bucket.
Resolution
Conditions for the bucket policy can't be met
If the bucket policy conditions can't be met, you can still regain access to your Amazon S3 bucket. To regain access to your bucket, complete the following steps:
- Open the AWS Management Console as the root user account.
Important: Don't use the root user account for everyday tasks. Use the root user account credentials only for tasks that require you to sign in as the root user. Root user account credentials aren't the same as an AWS Identity and Access Management (IAM) user or role that has full administrator access. Also, you can't attach IAM policies with allow or deny permissions to the root user account. For security, it's a best practice for the account administrator to rotate the root user account password.
- Open the Amazon S3 console.
- Navigate to the incorrectly configured bucket.
- Choose the Permissions tab.
- Choose Bucket Policy.
- Choose Edit.
- In the bucket policy, identify the conditions that resulted in a bucket lockout. Then, to prevent future lockouts, edit or delete those conditions.
- Choose Save Changes.
- Sign out from the AWS Management Console.
After the root user modifies the bucket policy to restore access permissions, an IAM user with bucket access can apply the corrected bucket policy. For more information, see Examples of Amazon S3 bucket policies and Adding a bucket policy by using the Amazon S3 console.
Conditions for the bucket policy can be met
If the bucket policy conditions can be met but you can't use the root user account, then satisfy the conditions and modify the policy: the policy can only be modified by a request that meets its conditions. To regain access to your bucket, complete the following steps:
- Review the bucket policy to determine the conditions of your bucket that can be fulfilled.
- To meet the bucket policy conditions, complete any required actions so that the policy evaluates to true. The following are examples of bucket policy conditions that can block S3 bucket access:
  - The client's IP address isn't in the policy's allowed IP range.
  - The VPC endpoint isn't in the policy's allowed endpoint list.
  - The request is made from within the VPC, but the VPC doesn't have an Amazon S3 endpoint.
  - A Deny statement blocks some or all principals and is missing a Condition block.
- After you regain access, identify the conditions that resulted in a bucket lockout. Then, to prevent future lockouts, edit or delete those conditions.
- Test the changes and verify that the level of access control is correct.
If you're not sure of the policy that's applied to a bucket before a lockout, use AWS CloudTrail to review the event. To search for recent PutBucketPolicy actions in the account with CloudTrail, complete the following steps:
- Open the CloudTrail console.
- In the navigation pane, choose Event history.
- On the Event history page, under Lookup attributes, choose Event name.
- In the Enter an event name field, choose PutBucketPolicy, and then press Enter.
- Choose the most recent event and review the details of the event. The event shows the request and response parameters. This includes the bucket name and the full bucket policy.
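As an added example (not part of the original article), the following Python script pulls the bucket policy out of a PutBucketPolicy event record, as the CloudTrail procedure above describes, and flags the Deny statements that match the lockout patterns listed earlier: a Deny for all principals with no Condition block, a Deny keyed on a client IP range, and a Deny keyed on a VPC or VPC endpoint. The event record, bucket name and IP range are constructed sample values, not data from a real account.

```python
import json

# Constructed CloudTrail PutBucketPolicy event record (not a real account); the
# bucket policy sits under requestParameters.bucketPolicy, as described above.
SAMPLE_EVENT = {
    "eventName": "PutBucketPolicy",
    "requestParameters": {
        "bucketName": "example-bucket",
        "bucketPolicy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "OfficeOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/*",
             "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
            {"Sid": "DenyAll", "Effect": "Deny", "Principal": {"AWS": "*"},
             "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        ]},
    },
}

def policy_from_event(event):
    """Return the bucket policy from a PutBucketPolicy event as a dict
    (CloudTrail may record it as a JSON object or as a JSON string)."""
    policy = event["requestParameters"]["bucketPolicy"]
    return json.loads(policy) if isinstance(policy, str) else policy

def is_everyone(principal):
    """True when Principal matches every caller: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def lockout_findings(policy):
    """Return (Sid, reason) pairs for Deny statements that can lock every
    principal, the administrator included, out of the bucket."""
    findings, statements = [], policy.get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        if stmt.get("Effect") != "Deny" or not is_everyone(stmt.get("Principal")):
            continue
        sid, cond = stmt.get("Sid", "<no Sid>"), stmt.get("Condition") or {}
        if not cond:
            findings.append((sid, "Deny for all principals with no Condition block"))
        for op, keys in cond.items():
            if op.startswith("NotIpAddress") and "aws:SourceIp" in keys:
                findings.append((sid, f"Deny unless the client IP is in {keys['aws:SourceIp']}; "
                                 "requests through a VPC endpoint carry no aws:SourceIp and are denied too"))
            elif op.startswith("StringNotEquals") and ("aws:SourceVpce" in keys or "aws:SourceVpc" in keys):
                findings.append((sid, "Deny unless the request arrives through the listed VPC or VPC endpoint"))
    return findings
```

Run `lockout_findings(policy_from_event(SAMPLE_EVENT))` against the policy recovered from the most recent event to see which statements to edit or delete before reapplying the policy.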