S3 Access Denied

0

Hi AWS, I was able to access one of the S3 buckets until yesterday, but when I try to list the objects or the bucket properties and bucket policy I am suddenly getting an Access Denied error. I have attached the AWS Managed Policy S3FullAccess and also an IAM policy following this AWS blog post https://repost.aws/knowledge-center/s3-access-denied-bucket-policy, but still no luck. I have, however, figured out that my coworker attached a bucket policy which led to this sudden mishap.

Can you please help me fix the issue?

Thanks

2 Answers
2

Hello.

What kind of bucket policy did you specifically set?
If you are no longer able to change bucket policy settings as an IAM user, you need to sign in as the root user of your AWS account and edit the bucket policy.
https://repost.aws/knowledge-center/s3-accidentally-denied-access

EXPERT
answered 3 months ago
0

I suggest you open the CloudTrail console, open the Event History view, set the console (in the upper right-hand corner) to the region where your S3 bucket resides, and filter the CloudTrail log by the "Event name" value of "PutBucketPolicy". Find the latest successful ("errorCode" is empty or missing) log event for the correct bucket.

It sounds like you may have blocked all access to the bucket. In that case, the IAM role AWS Config is using is also likely unable to read the bucket policy, and its configuration wouldn't reflect the current state of your bucket.

In the CloudTrail event, you can find the full contents of the bucket policy that was last set. Check it for a way in (such as a specific IP address, source VPC, or role ARN) and see if you can fix the issue by using the permitted source, principal, or some API call that isn't blocked. For example, if only Get* and Describe* actions are blocked, you can still execute DeleteBucketPolicy to remove the whole policy and get back to setting a new one.

If all actions are blocked for everyone, then you'll need to log on as the root user of your account, as others also pointed out. Root has a hardwired permission to view, modify, or delete the bucket policy, regardless of what the bucket policy says, so you can fix or reset the policy as root.

EXPERT
Leo K
answered 3 months ago
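The triage described in the answer above (find the newest successful PutBucketPolicy event, pull the policy out of it, and check whether any policy-management call is still open or whether a conditional Deny leaves a way in before falling back to root) can be done offline against exported Event History records. The following is an added example, not code from the answer or from AWS; the CloudTrail records and the bucket policy in it are constructed, and the record layout it assumes (eventName, eventTime, an optional errorCode, and the policy under requestParameters.bucketPolicy) is an assumption you should check against your own exported events.

```python
import fnmatch
import json

# Constructed sample bucket policy (not real): reads are denied to everyone
# unconditionally, while PutObject is denied only outside one IP range.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyReads", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:Get*", "s3:List*"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}

# Constructed sample CloudTrail Event History records (assumed layout, not real data):
# a later failed attempt, the successful write we care about, and an unrelated bucket.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:12:00Z", "eventName": "PutBucketPolicy",
     "errorCode": "AccessDenied",
     "requestParameters": {"bucketName": "example-bucket"}},
    {"eventTime": "2024-05-01T08:30:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "example-bucket", "bucketPolicy": SAMPLE_POLICY}},
    {"eventTime": "2024-05-01T08:45:00Z", "eventName": "PutBucketPolicy",
     "requestParameters": {"bucketName": "other-bucket",
                           "bucketPolicy": {"Version": "2012-10-17", "Statement": []}}},
]


def latest_successful_put_bucket_policy(events, bucket):
    """Newest PutBucketPolicy record for `bucket` whose errorCode is empty or missing."""
    matches = [e for e in events
               if e.get("eventName") == "PutBucketPolicy"
               and not e.get("errorCode")
               and e.get("requestParameters", {}).get("bucketName") == bucket]
    return max(matches, key=lambda e: e["eventTime"], default=None)


def extract_policy(event):
    """The policy document the event set; CloudTrail may carry it as JSON text or an object."""
    policy = event["requestParameters"]["bucketPolicy"]
    return json.loads(policy) if isinstance(policy, str) else policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _everyone(principal):
    # Principal "*" or {"AWS": "*"} means the Deny applies to every caller.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_blocked_for_everyone(policy, action):
    """True if an unconditional Deny on all principals covers `action`."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or not _everyone(st.get("Principal")) or st.get("Condition"):
            continue
        if "Action" in st:
            covered = any(_matches(p, action) for p in _as_list(st["Action"]))
        else:  # NotAction denies everything that is not listed
            covered = not any(_matches(p, action) for p in _as_list(st.get("NotAction", [])))
        if covered:
            return True
    return False


def recovery_options(policy, actions=("s3:GetBucketPolicy", "s3:PutBucketPolicy",
                                      "s3:DeleteBucketPolicy")):
    """Policy-management calls still open to everyone, and the condition keys that gate
    conditional Denies (a possible way in via the permitted source or principal)."""
    open_actions = [a for a in actions if not is_blocked_for_everyone(policy, a)]
    condition_keys = sorted({key
                             for st in _as_list(policy.get("Statement", []))
                             if st.get("Effect") == "Deny"
                             for operator in st.get("Condition", {}).values()
                             for key in operator})
    return {"open_actions": open_actions, "condition_keys": condition_keys,
            "needs_root": not open_actions}


if __name__ == "__main__":
    event = latest_successful_put_bucket_policy(SAMPLE_EVENTS, "example-bucket")
    print("last successful PutBucketPolicy:", event["eventTime"])
    print(json.dumps(recovery_options(extract_policy(event)), indent=2))
```

For the constructed policy the report shows that GetBucketPolicy is closed but DeleteBucketPolicy and PutBucketPolicy are still open, which matches the answer's point that you can remove the whole policy and start again; only when every management call is denied unconditionally does `needs_root` turn true. The check only looks at Deny statements with Principal "*" and ignores NotPrincipal and resource scoping, so treat it as a first pass over the exported event, not as a substitute for reading the policy.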
