I can't delete my Amazon Simple Storage Service (Amazon S3) bucket and I'm not sure why.
Resolution
Prerequisites
Before you delete an Amazon S3 bucket, confirm the following points:
- All AWS accounts share the Amazon S3 namespace. If you delete a bucket name, then the name becomes available for all users. If another AWS account claims the bucket name, then you can't reuse the bucket name. It's a best practice to empty the bucket instead of deleting it entirely.
- For buckets that are hosted as a static website, review and update Amazon Route 53 hosted zone settings that relate to the bucket.
- If the bucket receives log data, then stop the delivery of logs to the bucket before you delete it.
Amazon S3 bucket isn't empty
To delete an Amazon S3 bucket, the bucket must be empty. Use the AWS Management Console, AWS Command Line Interface (AWS CLI), or SDK to delete a bucket manually. If the bucket is large and has versioning configured, then it takes a long time to delete the objects manually. In these cases, use Amazon S3 Lifecycle configuration to empty the buckets.
Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.
For buckets that have versioning configured or are in a suspended status, include the following rules in your lifecycle configuration:
- Rule 1: Expire all current versions of objects after X days of creation. Permanently delete all noncurrent versions of objects after Y days of becoming noncurrent.
- Rule 2: Expire all lone delete markers and incomplete multipart uploads after Z days.
For buckets with versioning not configured, include the following rules in your lifecycle configuration:
- Rule 1: Expire all current versions of the objects after X days of object creation.
- Rule 2: Expire all incomplete multipart uploads after Z days.
Note: To delete the bucket quickly in this example, set X, Y, and Z to 1 day.
Amazon S3 runs the lifecycle rules daily at 12:00AM UTC. After the lifecycle rules run, all objects that are eligible for expiration are marked for deletion. Because the lifecycle policy actions are asynchronous, it takes several days for the objects to be physically deleted from the bucket. After an object is marked for deletion, you're no longer charged for the storage that's associated with the object.
Using the AWS CLI
Run the following command to permanently delete objects from an Amazon S3 bucket with versioning not configured:
aws s3 rm s3://bucket-name --recursive
Run the following command to permanently delete all objects in an Amazon S3 bucket with versioning configured or suspended:
aws s3api delete-objects --bucket BUCKET_NAME --delete "$(aws s3api list-object-versions --bucket BUCKET_NAME --output=json --query='{Objects: Versions[].{Key:Key,VersionId:VersionId}}')"
Using the Amazon S3 console
- Open the Amazon S3 console.
- In the navigation pane, choose Buckets.
- Under Buckets, select the bucket that you want to empty. Then, choose Empty.
- On the Empty bucket page, type permanently delete in the text field to delete all objects in the bucket. Then, choose Empty.
- (Optional) Review the Empty bucket: Status page to see the emptying progress.
Note: If object versions in an Amazon S3 bucket are locked in governance mode, then the AWS Identity and Access Management (IAM) identity requires "s3:BypassGovernanceRetention" permissions. To bypass governance mode, you must include the "x-amz-bypass-governance-retention:true" header in your request. For requests made in the AWS Management Console, the Console applies the header automatically to requests with the required permissions to bypass governance mode.
During the retention period, an IAM identity can't delete object versions protected in compliance mode. This includes the root user of the account. After the retention period, delete the objects that are protected in compliance. After the bucket is empty, delete the Amazon S3 bucket.
Amazon S3 bucket has access points associated with it
Before you delete the Amazon S3 bucket, delete all access points attached to the bucket. For more information, see Deleting an access point.
IAM identity making the DeleteBucket request doesn't have sufficient permissions
Grant the IAM identity that is deleting the Amazon S3 bucket DeleteBucket permissions on the IAM policy. Or, grant the Amazon S3 bucket policy permissions to perform the DeleteBucket action.
Explicit DENY statement preventing the deletion
An explicit DENY statement takes precedence over an explicit ALLOW statement. Confirm that the following policies don't contain any explicit DENY statements:
- IAM policy of the IAM identity
- Amazon S3 bucket policy
- Virtual Private Cloud (VPC) endpoint policy
When AWS Elastic Beanstalk creates a bucket, the policies contain explicit DENY statements by default. Before you delete the Amazon S3 bucket, delete the explicit DENY statement or the bucket policy.
Related information
Emptying a bucket
How S3 Object Lock works
Deleting a bucket