Hello.
What kind of bucket policy did you specifically set?
If you are no longer able to change bucket policy settings as an IAM user, you need to sign in as the root user of your AWS account and edit the bucket policy.
https://repost.aws/knowledge-center/s3-accidentally-denied-access
I suggest you open the CloudTrail console, open the Event History view, set the console (in the upper right-hand corner) to the region where your S3 bucket resides, and filter the CloudTrail log by the "Event name" value of "PutBucketPolicy". Find the latest successful ("errorCode" is empty or missing) log event for the correct bucket.
It sounds like you may have blocked all access to the bucket. In that case, the IAM role AWS Config is using is also likely unable to read the bucket policy, and its configuration wouldn't reflect the current state of your bucket.
In the CloudTrail event, you can find the full contents of the bucket policy that was last set. Check it for a way in (such as a specific IP address, source VPC, or role ARN) and see if you can fix the issue by using the permitted source, principal, or some API call that isn't blocked. For example, if only Get* and Describe* actions are blocked, you can still execute DeleteBucketPolicy to remove the whole policy and get back to setting a new one.
If all actions are blocked for everyone, then you'll need to log on as the root user of your account, as others also pointed out. Root has a hardwired permission to view, modify, or delete the bucket policy, regardless of what the bucket policy says, so you can fix or reset the policy as root.
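An offline check for the "way in" described above, added here as an example and not part of the thread: it takes the bucket policy JSON recovered from the CloudTrail event (a constructed sample below, with a constructed HTTPS-only policy beside it for comparison) and reports which of the recovery API calls are denied for every principal, so you know whether DeleteBucketPolicy is still worth trying before falling back to root.

```python
import fnmatch
import json

# Constructed sample (not from the thread): the "generic" Deny written without a Condition
# denies every read action to every principal, so nobody can even call GetBucketPolicy.
LOCKOUT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "DenyReads", "Effect": "Deny", "Principal": "*",
    "Action": ["s3:Get*", "s3:Describe*", "s3:List*"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]
}""")

# What an HTTPS-only policy should look like: the Deny applies only to non-TLS requests,
# so an HTTPS caller is never blocked and the policy cannot lock anyone out.
HTTPS_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(action, patterns):
    # IAM action names are matched case-insensitively; "*" and "?" are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _denies_everyone(stmt):
    # Only an unconditional Deny on every principal blocks *all* callers, including
    # the AWS Config role. A Deny carrying a Condition is a possible way back in.
    principal = stmt.get("Principal")
    return (stmt.get("Effect") == "Deny" and "Condition" not in stmt
            and principal in ("*", {"AWS": "*"}))

def blocked_for_everyone(policy, candidates):
    """Return the candidate API actions no principal can call. Whatever is left over
    (e.g. s3:DeleteBucketPolicy) is the call to try before falling back to root."""
    blocked = set()
    for stmt in _as_list(policy["Statement"]):
        if not _denies_everyone(stmt):
            continue
        for action in candidates:
            denied = (not _matches(action, stmt["NotAction"]) if "NotAction" in stmt
                      else _matches(action, stmt["Action"]))
            if denied:
                blocked.add(action)
    return blocked
```

Feed it the `requestParameters.bucketPolicy` value from the CloudTrail event and the three policy-management calls; an empty result for the HTTPS-only policy shows why the fix is the missing Condition, not a different Deny.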
I am not sure, but when I checked the AWS Config Event Recorder it seems to be the generic bucket policy which we created for our buckets to avoid any HTTP request, and we are using AWS Organizations for managing our AWS accounts, so do you think we are able to fix it in that case?
You can sign in as the root user and modify bucket policies even in an Organizations member account. For member accounts, you will need to reset your password once. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-as-root