Cannot re-create S3 bucket present in a deleted account

0

I had an account that was part of the organization, which I removed and then recreated. The account had a specific bucket with Terraform state, and its name is generated as <org name from my own dns domain>-<account-name>-tfstate, so chances are high it is unique. After deleting the account and recreating it (after maybe a month or so), I cannot recreate an S3 bucket with the same name. Please note that this bucket was not deleted prior to deleting the account.

It seems to me as if this bucket is orphaned, yet I cannot do anything about it. The actual error I'm getting from Terraform is:

  • error checking access to S3 bucket <org>-<account>-tf-state: AllAccessDisabled: All access to this object has been disabled status code: 403, request id: <some id>, host id: <some other id>

When I try creating the bucket by hand with the AWS CLI, I get:

  AWS_PROFILE=<some profile> aws --region us-east-1 s3 mb s3://<org>-<account>-tf-state
  make_bucket failed: s3://<org>-<account>-tf-state An error occurred (BucketAlreadyExists) when calling the CreateBucket operation: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again.

And, as expected, calling s3 rb returns AllAccessDisabled...

I'm on the free plan, so no actual support. I tried to create a billing ticket to find out at least whether I'm billed for this account and whether AWS can do anything about it, but for some reason that ticket was not created. I plan to try again today.

Is there anything I can do to regain access to this bucket so that I can properly delete it and recreate it? Or is AWS able to help me in any way without paying for support? I know I can always rename my account and thus create a new TF state bucket, or just update the naming convention for my TF state buckets for all accounts as a workaround, but I'd rather properly solve this and not change the code if at all possible.

asked 2 months ago · 94 views
2 Answers
2
Accepted Answer

Please note that this bucket was not deleted prior to deleting the account.

That's your problem.

When an AWS account is closed, it is not deleted straight away. There is a 90-day "cooling off" period during which the account is inaccessible, no resources are running, and you're not charged for anything. But you can still decide to re-open your account within those 90 days, and everything that was in your account will be restored to the state it was in just before the account was closed.

https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-closing.html#post-closure-period

Neither you nor anybody else can create a bucket with the same name as the one in the account that was closed, because there is a chance that the account may be re-opened, and so the bucket with that name needs to be available again. And as you know, bucket names have to be unique globally.

Is there anything I can do to either re-gain access to this bucket so that I can properly delete it and recreate it?

You can either wait for the 90 days to elapse, or you can re-open the account, delete the bucket, and close the account again. The clock will reset to zero on the 90 days cooling off period when you do this.

EXPERT · answered 2 months ago
EXPERT · reviewed 2 months ago
  • Adding to the above, when you reactivate the suspended account, you'll be charged retroactively for all the resources in the account for the period the account was suspended.

  • Thank you for your answer and the note about retroactive charging; very good to know. Do you have any idea how I would go about re-opening the account? For now I tried to contact billing, but it might not work or it might take a long time, so...

  • These look like the steps to follow here https://repost.aws/knowledge-center/reopen-aws-account

-1

The issue you're experiencing is a common one when dealing with S3 buckets in deleted AWS accounts. When an AWS account is deleted, the S3 buckets associated with that account are not automatically deleted. Instead, they enter a state where they are inaccessible but still occupy the global S3 namespace.

In your case, the bucket from the deleted account is still occupying the namespace, preventing you from creating a new bucket with the same name in your recreated account. This is why you're receiving the "BucketAlreadyExists" error when trying to create the bucket, and the "AllAccessDisabled" error when trying to access or delete it.

Unfortunately, there's no straightforward way for you to regain access to this bucket or delete it yourself, as it's associated with an account that no longer exists. This situation is often referred to as an "orphaned" bucket.

Your options are somewhat limited, but here are a few things you can try:

  1. Wait longer: Sometimes, AWS eventually cleans up these orphaned resources, but the timeframe can be unpredictable and potentially quite long (months or even longer).

  2. Contact AWS Support: Even though you're on the free plan, you can try to escalate this issue through AWS Support. While they may not offer full technical support, they might be able to assist with account-related issues like this. Keep trying to create a billing ticket or explore other support channels.

  3. Consider a workaround: As you mentioned, you could rename your account or update your naming convention for TF state buckets. While not ideal, this might be the quickest solution if you need to move forward with your work.

  4. Use a different region: In some cases, you might be able to create a bucket with the same name in a different region, although this is not guaranteed and may not be suitable for your use case.

If none of these options work and you need to stick with the current naming convention, you may need to wait for AWS to eventually clean up the orphaned bucket or consider upgrading to a support plan that would allow you to get more direct assistance from AWS in resolving this issue.
Sources
Resource handler returned message: "<resourceName> already exists" | AWS re:Post
Is it possible to delete a bucket and create again the bucket on a different region with same name? | AWS re:Post
Cannot find new s3 bucket | AWS re:Post

answered 2 months ago
  • This situation is often referred to as an "orphaned" bucket.

    Citation needed.

    In some cases, you might be able to create a bucket with the same name in a different region

    This is just plain wrong.
