Unable to see S3 Buckets List in AWS management console Getting Error "You don't have permissions to list buckets"

0

When I try to view the buckets list in AWS, I am getting this error,

I have started facing this issue for the first time. Before that, I was successfully able to view the buckets list and perform all operations on the buckets. I have also tried to analyse what permissions I have, and I have seen that I am a member of the admin group that gives me access to all the services on AWS, as can be seen in the following images, but I am still unable to view the buckets. Can anyone guide me about this issue? Thanks

2 Answers
0

Any Deny statements override Allow statements, so the best approach is to go hunting for them. In this case your policies include AWSCompromisedKeyQuarantineV2 which contains:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:LookupEvents",
                "ec2:RequestSpotInstances",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "iam:AddUserToGroup",
                "iam:AttachGroupPolicy",
                "iam:AttachRolePolicy",
                "iam:AttachUserPolicy",
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:CreateInstanceProfile",
                "iam:CreateLoginProfile",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateUser",
                "iam:DetachUserPolicy",
                "iam:PassRole",
                "iam:PutGroupPolicy",
                "iam:PutRolePolicy",
                "iam:PutUserPermissionsBoundary",
                "iam:PutUserPolicy",
                "iam:SetDefaultPolicyVersion",
                "iam:UpdateAccessKey",
                "iam:UpdateAccountPasswordPolicy",
                "iam:UpdateAssumeRolePolicy",
                "iam:UpdateLoginProfile",
                "iam:UpdateUser",
                "lambda:AddLayerVersionPermission",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:GetPolicy",
                "lambda:ListTags",
                "lambda:PutProvisionedConcurrencyConfig",
                "lambda:TagResource",
                "lambda:UntagResource",
                "lambda:UpdateFunctionCode",
                "lightsail:Create*",
                "lightsail:Delete*",
                "lightsail:DownloadDefaultKeyPair",
                "lightsail:GetInstanceAccessDetails",
                "lightsail:Start*",
                "lightsail:Update*",
                "organizations:CreateAccount",
                "organizations:CreateOrganization",
                "organizations:InviteAccountToOrganization",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketAcl",
                "s3:PutBucketOwnershipControls",
                "s3:DeleteBucketPolicy",
                "s3:ObjectOwnerOverrideToBucketOwner",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutBucketPolicy",
                "s3:ListAllMyBuckets",
                "ec2:PurchaseReservedInstancesOffering",
                "ec2:AcceptReservedInstancesExchangeQuote",
                "ec2:CreateReservedInstancesListing",
                "savingsplans:CreateSavingsPlan"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks for the reply. Yes, you are right. This policy "AWSCompromisedKeyQuarantineV2" has limited my access, due to which I cannot view buckets in the S3 service, but the problem is that this policy has also limited my access to IAM, due to which I cannot remove this policy from my user. Can you guide me in this regard? Thanks

  • Please have a look at https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCompromisedKeyQuarantineV2.html - your access has been limited for a reason. As it says there, "Do NOT remove this policy. Instead, please follow the instructions specified in the support case created for you regarding this event.".

  • Hi, I have tried to follow the instructions. The instructions say that I have to create a new access key and delete the old one before removing this policy, but the problem is that I do not now have permissions to do these steps because this policy has been attached to my user.

  • The AWSCompromisedKeyQuarantineV2 policy prevents someone with access to the compromised access key from being able to do any damage, including being able to remove the policy to re-enable full access. So your IAM User with this policy can't be used to fix it up; it has to be done from another IAM Principal with appropriate permissions.
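
An added example, not part of the original answer or any AWS tooling: a small offline evaluator that "goes hunting" for the explicit Deny described above and names the policy responsible. The policy named `ExampleAdminAllowAll` is a constructed stand-in for the admin group's policy, the quarantine document is abridged from the listing above, and the evaluator assumes identity policies only, with no `Condition`, `NotAction`, SCPs or permission boundaries.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild_match(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource="*"):
    """Return (decision, policy names that decided it) for one request."""
    denies, allows = [], []
    for name, doc in policies.items():
        for stmt in _as_list(doc["Statement"]):
            hit = (any(_wild_match(a, action, True) for a in _as_list(stmt["Action"]))
                   and any(_wild_match(r, resource, False) for r in _as_list(stmt["Resource"])))
            if hit:
                (denies if stmt["Effect"] == "Deny" else allows).append(name)
    if denies:  # an explicit Deny wins over any number of Allows
        return "explicit Deny", sorted(set(denies))
    if allows:
        return "Allow", sorted(set(allows))
    return "implicit Deny", []

# Constructed sample input: an allow-everything admin policy plus an
# abridged copy of the Deny statement quoted in the answer above.
POLICIES = {
    "ExampleAdminAllowAll": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "AWSCompromisedKeyQuarantineV2": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny",
         "Action": ["iam:DetachUserPolicy", "iam:CreateAccessKey",
                    "lightsail:Create*", "s3:ListAllMyBuckets"],
         "Resource": ["*"]}]},
}

if __name__ == "__main__":
    for act in ("s3:ListAllMyBuckets", "iam:DetachUserPolicy", "s3:GetObject"):
        print(act, "->", evaluate(POLICIES, act))
```

The `iam:DetachUserPolicy` result shows why the quarantined user cannot detach the policy from itself, which is the situation described in the comments.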

0

Hello, Please check the S3 bucket policy too. If a user wants to use the AWS Management Console to view buckets and the contents of any of those buckets, the user must have the s3:ListAllMyBuckets and s3:GetBucketLocation permissions. For example:

{
    "Id": "Policy1686696361193",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1686696358634",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1111222333444:group/mygroup"
                ]
            }
        }
    ]
}

Useful Links:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html

AWS
answered 10 months ago
