
How do I regain access to my Amazon S3 bucket after I accidentally denied everyone access?


I incorrectly configured my bucket policy to deny everyone access to my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

To regain access to your S3 bucket, you can change your access steps to meet the conditions in the bucket policy. If you can't meet the bucket policy conditions, then use an AWS Organizations management account. If AWS Organizations isn't available to you, then use a root user AWS account. It's a best practice to use AWS Organizations to centralize root access.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Important: For security and privacy reasons, AWS Support doesn't have access to customer data and can't access a bucket policy on your behalf. If you can't regain access to your S3 bucket, then AWS Support can't recover it. For more information about data security, see Shared responsibility model.

Change your access steps to meet the conditions in the bucket policy

If you can change your access steps to meet the conditions in the bucket policy, then you can regain access immediately. In that case you don't need to use AWS Organizations or the root user account. After you get access, modify the policy to remove the conditions that blocked access for you and other users.

To regain access to your bucket, complete the following steps:

  1. Get a copy of the bucket policy. You can get this from AWS CloudTrail records, a team member who still has access, or with help from AWS Support.

  2. If there are bucket policy conditions that you don't meet, then complete any required actions so that the policy evaluates to true. The following are examples of bucket policy conditions that can block S3 bucket access, and actions to get access:

    Condition type                                                            | Action
    --------------------------------------------------------------------------|-----------------------------------------------------
    IP address allow list (aws:SourceIp)                                      | Connect from an allowed IP address or use VPN.
    Amazon Virtual Private Cloud (Amazon VPC) (aws:sourceVpc)                 | Make a request from within the specified Amazon VPC.
    Amazon VPC endpoint (aws:sourceVpce)                                      | Make a request with the correct endpoint.
    Multifactor Authentication (MFA) requirement (aws:MultiFactorAuthPresent) | Turn on and use MFA authentication.
    Condition block in Deny statement is missing                              | Use root user access.

  3. After you regain access, identify and delete the conditions that resulted in the bucket lockout.

  4. Test the changes to confirm that the level of access control is correct.
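To make the checks in step 2 repeatable, here is an added Python example (not code from the AWS article) that walks a bucket policy's Deny statements and flags the lockout-prone conditions listed in the table above, so a policy can be audited before it is applied or while you reconstruct what locked you out. The policy document, account ID, bucket name and CIDR range in SAMPLE_POLICY are constructed for illustration.

```python
# Condition keys from the article's table, mapped to the action that lets a
# caller satisfy them. Keys are compared in lowercase because IAM treats
# condition key names case-insensitively.
LOCKOUT_CONDITION_KEYS = {
    "aws:sourceip": "Connect from an allowed IP address or use VPN.",
    "aws:sourcevpc": "Make a request from within the specified Amazon VPC.",
    "aws:sourcevpce": "Make a request with the correct endpoint.",
    "aws:multifactorauthpresent": "Turn on and use MFA authentication.",
}

# Constructed sample policy (placeholder account ID, bucket and CIDR): two
# Deny statements that can lock callers out plus one harmless Allow.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideCorpRange", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Sid": "DenyEveryoneUnconditionally", "Effect": "Deny",
         "Principal": {"AWS": "*"}, "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllowTeamRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/TeamRead"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    # Policy elements may be a single value or a list; normalise to a list
    return value if isinstance(value, list) else [value]


def _applies_to_everyone(principal):
    # "*" or {"AWS": "*"} (or a list containing "*") matches every caller,
    # including the administrators who would otherwise fix the policy
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_keys(condition):
    # Condition is {operator: {key: value, ...}, ...}; collect the key names
    keys = []
    for operands in (condition or {}).values():
        keys.extend(k.lower() for k in operands)
    return keys


def audit_bucket_policy(policy):
    """Return one finding per lockout-prone Deny statement.

    Each finding is {"sid", "reason", "action"}; "action" is the step from
    the article's table that lets a caller satisfy (or remove) the statement.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _applies_to_everyone(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        keys = _condition_keys(stmt.get("Condition"))
        if not keys:
            # A Deny for everyone with no Condition cannot be satisfied by
            # anyone; only the root user can remove it (the table's last row)
            findings.append({"sid": sid,
                             "reason": "Deny statement has no Condition block",
                             "action": "Use root user access."})
            continue
        for key in keys:
            if key in LOCKOUT_CONDITION_KEYS:
                findings.append({"sid": sid,
                                 "reason": f"Deny conditioned on {key}",
                                 "action": LOCKOUT_CONDITION_KEYS[key]})
    return findings


if __name__ == "__main__":
    # Typical use: load the policy JSON you are about to apply (or the one
    # recovered from CloudTrail) and review the findings before saving it
    for f in audit_bucket_policy(SAMPLE_POLICY):
        print(f"{f['sid']}: {f['reason']} -> {f['action']}")
```

A Deny scoped to a specific principal is deliberately not reported: it cannot lock out the administrators who would fix the policy, which is what the table is about.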

AWS Organizations member accounts

If you can't meet the conditions in the bucket policy, then use an AWS Organizations account to regain access to accidentally locked S3 buckets.

To regain access to your S3 bucket, take a privileged action on a member account and delete the misconfigured bucket policy. Then, add a valid bucket policy.

For more information, see Centrally managing root access for customers using AWS Organizations.

What to do when you can't meet the conditions in the bucket policy or use AWS Organizations

If you don't meet the conditions in the bucket policy and you can't use AWS Organizations, then delete bucket policy conditions that caused the lockout. Complete the following steps:

  1. Sign in to the AWS Management Console as the AWS account root user.
    Note: You must have root user access. Administrative access isn't sufficient to delete bucket policy conditions.
    Important: Don't use the account root user for everyday tasks. Use the root user credentials only for tasks that require you to sign in as the root user. Root user credentials aren't the same as an AWS Identity and Access Management (IAM) user or role that has administrator access. Also, you can't attach IAM policies with Allow or Deny permissions to the root user account. It's a security best practice for the account administrator to periodically change the password for the account root user.
  2. Open the Amazon S3 console.
  3. Navigate to the incorrectly configured bucket.
  4. Choose the Permissions tab.
  5. In Bucket Policy, choose Edit.
  6. In the bucket policy, identify and delete the conditions that resulted in the bucket lockout.
  7. Choose Save Changes.
  8. Sign out of the AWS Management Console.

After you modify the bucket policy as the account root user, an IAM user with bucket access can apply the corrected bucket policy. For more information, see Examples of Amazon S3 bucket policies and Adding a bucket policy by using the Amazon S3 console.

Use CloudTrail to find the bucket name and policy

If you don't know the policy that you applied to the bucket before the lockout, then use AWS CloudTrail to review the event. To search for recent PutBucketPolicy API actions in the account, you can use the CloudTrail console or the AWS CLI.

Note: CloudTrail event history covers the past 90 days of events. You can configure CloudTrail to send management event logs to an S3 bucket to get a longer record. To get a record of a PutBucketPolicy action more than 90 days ago, you must query the CloudTrail logs in Amazon S3.

To use CloudTrail in the console, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. On the Event history page, under Lookup attributes, choose Event name.
  4. In the Enter an event name search pane, choose PutBucketPolicy, and then press Enter.
  5. Choose the most recent event and review the details. The event shows the request and response parameters, which include the bucket name and policy.

To use CloudTrail through the AWS CLI, run the following lookup-events command:

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=PutBucketPolicy --region example-region

Note: Replace example-region with your AWS Region.
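Once the lookup-events output is saved to a file, the PutBucketPolicy records still have to be picked out and the policy read from the nested event JSON. The following Python is an added example (not code from the AWS article) that does this: it returns the PutBucketPolicy events most recent first, each with the bucket name, the caller, the source IP and the policy document. SAMPLE_LOOKUP_OUTPUT is constructed to mirror the CLI's JSON shape (a CloudTrailEvent string per event); the requestParameters field names bucketName and bucketPolicy are what I have seen CloudTrail record for this call, but verify them against your own output. Account ID, user names, IP addresses, bucket name and times are placeholders.

```python
import json
from datetime import datetime

# Constructed sample of `aws cloudtrail lookup-events ... --output json`,
# trimmed to the fields used here. The oldest event restored a sane policy;
# the newest (listed last on purpose, to show the sort) applied the lockout.
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {"EventId": "00000000-0000-0000-0000-000000000001",
         "EventName": "PutBucketPolicy",
         "EventTime": "2024-05-01T09:12:44+00:00",
         "CloudTrailEvent": json.dumps({
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
             "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
             "requestParameters": {
                 "bucketName": "example-bucket",
                 "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                     {"Sid": "AllowTeamRead", "Effect": "Allow",
                      "Principal": {"AWS": "arn:aws:iam::111122223333:role/TeamRead"},
                      "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::example-bucket/*"}]}}})},
        {"EventId": "00000000-0000-0000-0000-000000000002",
         "EventName": "GetBucketPolicy",          # filtered out below
         "EventTime": "2024-05-02T08:00:00+00:00",
         "CloudTrailEvent": json.dumps({
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
             "eventName": "GetBucketPolicy", "sourceIPAddress": "198.51.100.9",
             "requestParameters": {"bucketName": "example-bucket"}})},
        {"EventId": "00000000-0000-0000-0000-000000000003",
         "EventName": "PutBucketPolicy",
         "EventTime": "2024-05-02T10:30:05+00:00",
         "CloudTrailEvent": json.dumps({
             "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
             "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
             "requestParameters": {
                 "bucketName": "example-bucket",
                 "bucketPolicy": {"Version": "2012-10-17", "Statement": [
                     {"Sid": "DenyOutsideCorpRange", "Effect": "Deny",
                      "Principal": "*", "Action": "s3:*",
                      "Resource": "arn:aws:s3:::example-bucket/*",
                      "Condition": {"NotIpAddress":
                                    {"aws:SourceIp": "203.0.113.0/24"}}}]}}})},
    ]
}


def _event_time(event):
    # The CLI prints EventTime as ISO-8601; accept a trailing "Z" as well
    return datetime.fromisoformat(event["EventTime"].replace("Z", "+00:00"))


def extract_put_bucket_policy_events(lookup_output):
    """Return PutBucketPolicy events, most recent first.

    Each result carries what a lockout investigation needs: when the policy
    was written, by whom and from where, the bucket, and the policy document.
    """
    results = []
    for event in lookup_output.get("Events", []):
        if event.get("EventName") != "PutBucketPolicy":
            continue
        record = json.loads(event["CloudTrailEvent"])  # full event is a JSON string
        params = record.get("requestParameters") or {}
        policy = params.get("bucketPolicy")
        if isinstance(policy, str):      # tolerate a stringified policy document
            policy = json.loads(policy)
        results.append({
            "time": _event_time(event),
            "actor": record.get("userIdentity", {}).get("arn"),
            "source_ip": record.get("sourceIPAddress"),
            "bucket": params.get("bucketName"),
            "policy": policy,
            "error": record.get("errorCode"),   # set only if the call failed
        })
    results.sort(key=lambda r: r["time"], reverse=True)
    return results


if __name__ == "__main__":
    # Typical use: redirect the lookup-events command to events.json, then
    # extract_put_bucket_policy_events(json.load(open("events.json")))
    latest = extract_put_bucket_policy_events(SAMPLE_LOOKUP_OUTPUT)[0]
    print(f"{latest['time']} {latest['actor']} from {latest['source_ip']} "
          f"set policy on {latest['bucket']}:")
    print(json.dumps(latest["policy"], indent=2))
```

The "error" field matters when reading the history: a PutBucketPolicy event with an errorCode never changed the bucket, so the last successful event, not simply the most recent one, is the policy currently locking you out.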

AWS OFFICIAL | Updated 3 months ago