S3 Bucket policy - not accessible by anyone anymore

0

Hi, this morning, logged in with my admin account, I inserted a bucket policy like this one:

```json
{
  "Version": "2012-10-17",
  "Id": "Policy1415115909153",
  "Statement": [
    {
      "Sid": "Access-to-specific-VPC-only",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1",
        "arn:aws:s3:::awsexamplebucket1/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-111bbb22"
        }
      }
    }
  ]
}
```

for my bucket and my VPC. Now I'm not able to access the bucket or remove the policy; the same goes for the root user. Is it possible to do something? I don't want to delete the bucket.... Many thanks!

Sebastiano Rota

5 Answers
0
Accepted Answer

Hi all, thank you all for the support. Yesterday I clarified with the customer and there was probably a misunderstanding. Yesterday he was able to delete the policy using the root account. Once more, thank you all for your time.

Sebastiano

answered a year ago
0

You can remove the bucket policy using the root account. Please take a look at the steps below. https://repost.aws/knowledge-center/s3-accidentally-denied-access

AWS
Hyeon
answered a year ago
AWS
EXPERT
reviewed a year ago
  • Already tried... it didn't work, the same error we have with non-root users

0

If you have denied access to all principals including the root user, you may need to use another IAM user or role that has the necessary permissions to remove the bucket policy.

Firstly, check if there is any IAM user or role that has permissions to remove the bucket policy. If there is none, then you will need to create a new IAM user or role with the necessary permissions to remove the policy.

To create a new IAM user with the necessary permissions, follow these steps:

1. Sign in to the AWS Management Console using an IAM user or role that has the necessary permissions to create new IAM users.

2. In the AWS Management Console, navigate to the IAM console and create a new IAM user.

3. After creating the IAM user, attach an appropriate policy that allows the user to remove the bucket policy.

4. Sign out of the AWS Management Console and sign in as the newly created IAM user.

5. Navigate to the S3 console and remove the bucket policy.

6. Once the bucket policy is removed, detach the policy from the IAM user.

If you don't have the necessary permissions to create an IAM user, you may need to contact AWS Support for assistance. Additionally, AWS support can help you troubleshoot and recover from issues like this.

Yasser
answered a year ago
  • Just tried: created a new user with AmazonS3FullAccess +

    "Action": [
      "s3:PutAccessPointPolicyForObjectLambda",
      "s3:PutAccountPublicAccessBlock",
      "s3:PutBucketPublicAccessBlock",
      "s3:PutMultiRegionAccessPointPolicy",
      "s3:DeleteBucketPolicy",
      "s3:BypassGovernanceRetention",
      "s3:ObjectOwnerOverrideToBucketOwner",
      "s3:DeleteAccessPointPolicyForObjectLambda",
      "s3:PutAccessPointPublicAccessBlock",
      "s3:PutObjectVersionAcl",
      "s3:PutBucketAcl",
      "s3:PutBucketPolicy",
      "s3:DeleteAccessPointPolicy",
      "s3:PutAccessPointPolicy",
      "s3:PutObjectAcl",
      "s3:GetAccountPublicAccessBlock",
      "s3:GetBucketPolicy",
      "s3:GetBucketPolicyStatus",
      "s3:GetBucketOwnershipControls",
      "s3:GetBucketAcl",
      "s3:GetBucketCORS",
      "s3:ListBucket"
    ]

    but no way.... On the Buckets home page, under Access -> Error message; when I go into the bucket -> Insufficient permissions to list objects; when I consult the Permissions tab -> You don't have permission to view the Block public access (bucket settings) configuration, You don't have permission to get bucket policy, You don't have permission to view Object ownership (bucket settings) configuration, etc....

    What can I do? Thanks.

0

You have a condition on the source VPC.

Do you have an S3 gateway set up? If not, create one and then try accessing the bucket, as long as the VPC matches the one in your policy.

EXPERT
answered a year ago
  • Do you mean to try accessing the S3 bucket not from the internet but, for example, from an EC2 instance inside the VPC, using a Gateway endpoint?

0

The policy above contains a lot of issues. While it is excellent to have an explicit deny, you must also put an explicit allow for the VPC from which access should be allowed. The denied S3 actions also do not contain a wildcard; probably AWS does not cover this case by warning the user that this policy blocks everything.

I recommend that you contact AWS Support about it (go to AWS Support in the AWS Console).

answered a year ago
  • Hi, thanks for the answer. We have only basic support; do you suggest contacting Support to have the issue resolved by them? Do you know if it's free?
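The lockout in the question, the gateway-endpoint suggestion, and the policy critique in the last answer, worked through as an added example (this is not code from the original post, from AWS, or from the re:Post article linked above). It models the IAM rule that makes this policy bite: a negated condition operator such as StringNotEquals evaluates to true when the request carries no value for the key at all, and console or public-endpoint requests carry no aws:SourceVpc, so the Deny matches every one of them regardless of which IAM identity makes the call and regardless of how broad that identity's Allow is. The account ID 111122223333, the Admin role ARN, and the second VPC ID vpc-999ccc99 are hypothetical placeholders; Principal matching is modelled only for "*".

```python
"""Model of the bucket-policy lockout discussed in this thread.

Added example, not code from the original post or from AWS.  It implements
just enough of IAM's evaluation rules to show why a Deny conditioned on
"StringNotEquals": {"aws:SourceVpc": ...} locks out every request that does
not travel through a VPC endpoint, and how a second condition key keeps an
admin role out of the Deny.  Account 111122223333, the Admin role and the
VPC vpc-999ccc99 are hypothetical placeholders.
"""
import fnmatch

BUCKET = "awsexamplebucket1"
VPC_ID = "vpc-111bbb22"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/Admin"  # hypothetical
ROOT_USER = "arn:aws:iam::111122223333:root"         # hypothetical account


def vpc_only_policy(extra_conditions=None):
    """Build the Deny statement from the question, optionally ANDed with more
    condition operators (every operator in one Condition block must match
    for the statement to apply)."""
    condition = {"StringNotEquals": {"aws:SourceVpc": VPC_ID}}
    condition.update(extra_conditions or {})
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-VPC-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": condition,
        }],
    }


# The policy as posted (with the '*' wildcards that markdown swallowed).
ORIGINAL_POLICY = vpc_only_policy()

# Same intent, but the admin role is carved out: the Deny now applies only
# when the request is NOT from the VPC AND NOT made by the admin role.
SAFER_POLICY = vpc_only_policy({"ArnNotEquals": {"aws:PrincipalArn": ADMIN_ROLE}})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, request_ctx):
    """One IAM condition element.  Negated operators ("...Not...") evaluate to
    True when the key is absent from the request context; console and
    public-endpoint requests carry no aws:SourceVpc, so that is the lockout."""
    actual = request_ctx.get(key)
    negated = "Not" in operator
    if actual is None:
        return negated
    if operator.startswith("String"):
        equal = actual == expected
    elif operator.startswith("Arn"):
        equal = fnmatch.fnmatchcase(actual, expected)
    else:
        raise ValueError(f"operator {operator} not modelled here")
    return (not equal) if negated else equal


def is_denied(policy, action, resource, request_ctx):
    """True if an explicit Deny in `policy` applies to the request.  An
    explicit Deny overrides any Allow in the caller's identity policy, which
    is why the new user with AmazonS3FullAccess tried in the thread still
    saw access errors."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Principal"] != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conditions = [(op, key, val)
                      for op, pairs in stmt.get("Condition", {}).items()
                      for key, val in pairs.items()]
        if all(_condition_matches(op, k, v, request_ctx) for op, k, v in conditions):
            return True
    return False


def evaluate_scenarios(policy):
    """Run the requests discussed in the thread against `policy`; returns
    {scenario name: denied?}."""
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    scenarios = {
        # Admin in the console: no aws:SourceVpc key in the request context.
        "admin_console_delete_policy": ("s3:DeleteBucketPolicy", bucket_arn,
                                        {"aws:PrincipalArn": ADMIN_ROLE}),
        # Root in the console: same missing key, so the model denies it too
        # (the root user deleting the policy anyway, as in the accepted
        # answer, is S3 service behaviour that this evaluator does not model).
        "root_console_delete_policy": ("s3:DeleteBucketPolicy", bucket_arn,
                                       {"aws:PrincipalArn": ROOT_USER}),
        # EC2 instance in vpc-111bbb22 reaching S3 through a gateway endpoint.
        "ec2_via_gateway_endpoint": ("s3:ListBucket", bucket_arn,
                                     {"aws:PrincipalArn": ADMIN_ROLE,
                                      "aws:SourceVpc": VPC_ID}),
        # Same call, but through another VPC's endpoint.
        "ec2_from_other_vpc": ("s3:ListBucket", bucket_arn,
                               {"aws:PrincipalArn": ADMIN_ROLE,
                                "aws:SourceVpc": "vpc-999ccc99"}),
    }
    return {name: is_denied(policy, *req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for label, pol in (("original", ORIGINAL_POLICY), ("safer", SAFER_POLICY)):
        print(label, evaluate_scenarios(pol))
```

Running the file prints both result sets. Under the original policy every console request is denied and only the call through the gateway endpoint in vpc-111bbb22 gets past the Deny, which is the path the gateway-endpoint answer points at. The safer variant adds ArnNotEquals on aws:PrincipalArn to the same Condition block; operators in one block are ANDed, so the Deny fires only when the request is both outside the VPC and not made by the admin role, and the admin keeps console access to fix mistakes. The model still denies the root console request, consistent with the root errors reported in the thread; that the root user could nevertheless delete the bucket policy (the accepted answer) is S3 behaviour outside this evaluator.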
