Impossible to delete bucket policies even with root account

0

I locked myself out of one of my buckets by denying access to all users in the bucket policies. This bucket is in a child account of my root user.

To fix this, the doc says the root user is the only user authorized to delete a policy when every user is locked out so I tried this script:

#!/bin/bash
export AWS_ACCESS_KEY_ID=<root_user_key>
export AWS_SECRET_ACCESS_KEY=<root_user_key>
aws sts get-caller-identity
aws s3api delete-bucket-policy --bucket "my-bucket"

And got this:

{
    "UserId": "101535111111",
    "Account": "101535111111",
    "Arn": "arn:aws:iam::101535111111:root"
}

An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied

I also tried to access the bucket from the console from the root account, I'm also getting: locked

I'm out of ideas...

1 Answer
1
Accepted Answer

First, double-check that the root user is the root user of the account for which the bucket exists.
If the root user is correct, check the following

If you are using AWS Organizations, make sure you are restricting root user actions in SCP. [1]

[1] Service control policies (SCPs) - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions

If you have restricted operations on buckets in SCP, remove the restrictions in SCP. [2]

[2] Attaching and detaching service control policies - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

profile picture
mn87
answered 2 months ago
  • Thanks for the help, I just checked on the root account and the SCP is set to "disabled"

    If you are using AWS Organizations, make sure you are restricting root user actions in SCP.

    By this you mean I should make sure to NOT restrict the root user actions in SCP correct? (since it's disabled it should be fine)

    double-check that the root user is the root user of the account for which the bucket exists.

    As for this, I have a root account and a security account. I first log into the security account and then switch to a different role to have access to hop onto another account (research) to access my bucket. In theory, the root account should be able to access all the buckets no?

  • I just checked on the root account and the SCP is set to "disabled"

    Thank you for your confirmation.
    We understand that SCP has been disabled.

    As for this, I have a root account and a security account. I first log into the security account and then switch to a different role to have access to hop onto another account (research) to access my bucket. In theory, the root account should be able to access all the buckets no?

    The above explanation assumes that you have a root account in Organizations.

    First, even the root account of Organizations does not have root user level privileges on the child accounts.

    There is one root user for each account, and only the root user can do certain things.

    Therefore, even if there is an IAM user for the root account or a root user for the root account, there are no root user privileges for the security account.

    If the S3 bucket whose bucket policy you want to delete is in the security account, use the root user of the security account.

  • Understood, thanks a bunch!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions