Can't access S3 bucket as root

Question

Hello,
I've created a bucket with the following policy:

```
{
     'Version': '2008-10-17',
     'Statement': [{
         'Sid': 'eb-58950a8c-feb6-11e2-89e0-0800277d041bc',
         'Effect': 'Deny',
         'Principal': {
           'AWS': '*'
         },
         'Action': '*',
         'Resource': bucket.attrArn
       }]
   }
```

which restricts any action on the bucket.

Now I can't do anything with it as any user (which is expected) but also as root (which is a surprise for me). I have Organizations and SCP with full access attached to a root account.

Is there a way to delete the bucket now or should I reach out to support?

Accepted Answer

Refer to https://repost.aws/knowledge-center/s3-accidentally-denied-access for instructions to regain access to a bucket of lockout. Root user can update or delete the bucket policy regardless of the policy content. Note that here root user is different from an user with admin access.  Update and delete bucket policy under such situation is one of the few tasks that require root credentials currently: https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html

Answer

I was able to delete bucket policy (and access bucket afterwards) with root account and aws cli. To do so you need:
* get access keys for root account
* run `aws s3api delete-bucket-policy --bucket bucket-name` as root

from the Administrator account I got `An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied`

Can't access S3 bucket as root

Relevant content