I want to resolve why I can't delete my Amazon Simple Storage Service (Amazon S3) bucket.
Resolution
Prerequisites
Before you delete an Amazon S3 bucket, take the following actions:
- For buckets that you host as a static website, review and update Amazon Route 53 hosted zone settings that relate to the bucket.
- If the bucket receives log data from Elastic Load Balancing (ELB), then stop log delivery to the bucket before you delete the bucket.
Note: If you delete a bucket, then its name becomes available to all AWS users. If another AWS account then creates a bucket with that name, you can't reuse it. As a best practice, don't delete the bucket. Instead, empty it.
The S3 bucket isn't empty
To delete an Amazon S3 bucket, the bucket must be empty. Use the Amazon S3 console, AWS Command Line Interface (AWS CLI), or an SDK to manually empty the bucket. If the bucket is large and you configured versioning, then it takes a long time to manually delete the objects. In this case, use an Amazon S3 Lifecycle configuration to empty the bucket.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
For buckets that have versioning enabled or suspended, include the following rules in your lifecycle configuration:
- Rule 1: Expire all current versions of objects after X days of creation. Permanently delete all noncurrent versions of objects after Y days when they become noncurrent.
- Rule 2: Expire all expired object delete markers (delete markers with no remaining object versions) and incomplete multipart uploads after Z days.
For buckets that you didn't configure with versioning, include the following rules in your lifecycle configuration:
- Rule 1: Expire all current versions of the objects after X days of object creation.
- Rule 2: Expire all incomplete multipart uploads after Z days.
Note: To quickly delete the bucket, set X, Y, and Z to 1 day.
Amazon S3 lifecycle rules run once each day. After the lifecycle rules run, all objects that are eligible for expiration are marked for deletion. Because the lifecycle policy actions are asynchronous, it takes several days for the objects to be physically deleted from the bucket. After an object is marked for deletion, you're no longer charged for the storage that's associated with the object.
Use the AWS CLI
Run the following command to permanently delete objects from an Amazon S3 bucket that you didn't configure with versioning:
aws s3 rm s3://bucket-name --recursive
Run the following command to permanently delete all objects in an Amazon S3 bucket that has versioning enabled or suspended:
aws s3api delete-objects --bucket bucket-name --delete "$(aws s3api list-object-versions --bucket bucket-name --output=json --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}')"
Note: Replace bucket-name with your Amazon S3 bucket name.
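The following is an added example, not part of the original article, that builds the two artifacts the text describes offline: the lifecycle configuration for a versioned bucket (Rule 1 and Rule 2 above), and the `--delete` payloads for `aws s3api delete-objects`. It goes slightly beyond the one-line command above by also including the DeleteMarkers that list-object-versions returns and by splitting the payload into batches of 1000 keys, the per-call limit of DeleteObjects; the listing is a constructed sample, and the rule IDs are arbitrary.

```python
import json

# Constructed sample of what `aws s3api list-object-versions` returns for a
# versioned bucket. The DeleteMarkers list is not passed to delete-objects by
# the one-line command above, so those keys would survive the emptying.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "logs/a.txt", "VersionId": "v1", "IsLatest": True},
        {"Key": "logs/a.txt", "VersionId": "v0", "IsLatest": False},
        {"Key": "b.txt", "VersionId": "null", "IsLatest": True},
    ],
    "DeleteMarkers": [
        {"Key": "c.txt", "VersionId": "dm1", "IsLatest": True},
    ],
}

MAX_KEYS_PER_DELETE = 1000  # DeleteObjects accepts at most 1000 keys per call


def delete_batches(listing, batch_size=MAX_KEYS_PER_DELETE):
    """Build the --delete payloads for delete-objects: every object version
    and every delete marker, split into batches of at most batch_size keys."""
    entries = [{"Key": v["Key"], "VersionId": v["VersionId"]}
               for v in listing.get("Versions", []) + listing.get("DeleteMarkers", [])]
    return [{"Objects": entries[i:i + batch_size], "Quiet": True}
            for i in range(0, len(entries), batch_size)]


def lifecycle_config(x_days=1, y_days=1, z_days=1):
    """Lifecycle configuration implementing Rule 1 and Rule 2 from the text for
    a bucket with versioning enabled or suspended. ExpiredObjectDeleteMarker
    cannot share a rule with Expiration.Days, which is why two rules are used."""
    return {"Rules": [
        {"ID": "expire-current-and-noncurrent", "Status": "Enabled",
         "Filter": {"Prefix": ""},
         "Expiration": {"Days": x_days},
         "NoncurrentVersionExpiration": {"NoncurrentDays": y_days}},
        {"ID": "remove-delete-markers-and-mpu", "Status": "Enabled",
         "Filter": {"Prefix": ""},
         "Expiration": {"ExpiredObjectDeleteMarker": True},
         "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": z_days}},
    ]}


if __name__ == "__main__":
    for batch in delete_batches(SAMPLE_LISTING):
        # Each batch is one value for `aws s3api delete-objects --delete`.
        print(json.dumps(batch))
    print(json.dumps(lifecycle_config(), indent=2))
```

Save each printed batch to a file and pass it as `--delete file://batch.json`; the lifecycle JSON is the input for `aws s3api put-bucket-lifecycle-configuration --lifecycle-configuration file://lifecycle.json`.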
Use the Amazon S3 console
Complete the following steps:
- Open the Amazon S3 console.
- In the navigation pane, select the bucket that you want to empty, and then choose Empty.
- On the Empty bucket page, enter permanently delete in the text field to delete all objects in the bucket, and then choose Empty.
- (Optional) Review the Empty bucket: Status page to see the progress.
Note: If object versions in an Amazon S3 bucket are in governance mode, then the AWS Identity and Access Management (IAM) identity requires s3:BypassGovernanceRetention permission. To bypass governance mode, you must include the x-amz-bypass-governance-retention:true header in your request. For requests that you make on the AWS Management Console, the Console applies the header automatically to requests that have the required permissions to bypass governance mode.
During the retention period, no IAM identity, including the AWS account root user, can delete object versions that are protected in compliance mode. After the retention period ends, delete the objects that were protected in compliance mode. After the bucket is empty, delete the Amazon S3 bucket.
Access points are associated with the bucket
Before you delete the Amazon S3 bucket, delete all access points that are attached to the bucket. You can't delete buckets that have S3 access points or Multi-Region Access Points attached within the same account.
The IAM identity doesn't have sufficient permissions
In the IAM policy for the IAM identity that you use to delete the bucket, grant the s3:DeleteBucket permission. Or, allow the s3:DeleteBucket action for that identity in the bucket policy.
An explicit DENY statement prevents the deletion
An explicit DENY statement takes precedence over an explicit ALLOW statement. Confirm that the IAM identity policies, the bucket policy, and any virtual private cloud (VPC) endpoint policies don't contain explicit DENY statements that apply to the deletion.
When AWS Elastic Beanstalk creates a bucket, the bucket policy contains an explicit DENY statement by default. Before you delete the Amazon S3 bucket, remove the explicit DENY statement or delete the bucket policy.