Impossible to delete bucket policies even with root account

0

I locked myself out of one of my buckets by denying access to all users in the bucket policies. This bucket is in a child account of my root user.

To fix this, the doc says the root user is the only user authorized to delete a policy when every user is locked out, so I tried this script:

#!/bin/bash
export AWS_ACCESS_KEY_ID=<root_user_access_key_id>
export AWS_SECRET_ACCESS_KEY=<root_user_secret_access_key>
aws sts get-caller-identity
aws s3api delete-bucket-policy --bucket "my-bucket"

And got this:

{
    "UserId": "101535111111",
    "Account": "101535111111",
    "Arn": "arn:aws:iam::101535111111:root"
}

An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied

I also tried to access the bucket from the console from the root account, I'm also getting: locked

I'm out of ideas...

1 answer
1
Accepted answer

First, double-check that the root user is the root user of the account for which the bucket exists.
If the root user is correct, check the following:

If you are using AWS Organizations, make sure you are restricting root user actions in SCP. [1]

[1] Service control policies (SCPs) - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions

If you have restricted operations on buckets in SCP, remove the restrictions in SCP. [2]

[2] Attaching and detaching service control policies - AWS Organizations
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_attach.html

mn87
Answered 2 years ago
  • Thanks for the help, I just checked on the root account and the SCP is set to "disabled"

    If you are using AWS Organizations, make sure you are restricting root user actions in SCP.

    By this you mean I should make sure to NOT restrict the root user actions in SCP correct? (since it's disabled it should be fine)

    double-check that the root user is the root user of the account for which the bucket exists.

    As for this, I have a root account and a security account. I first log into the security account and then switch to a different role to have access to hop onto another account (research) to access my bucket. In theory, the root account should be able to access all the buckets no?

  • I just checked on the root account and the SCP is set to "disabled"

    Thank you for your confirmation.
    We understand that SCP has been disabled.

    As for this, I have a root account and a security account. I first log into the security account and then switch to a different role to have access to hop onto another account (research) to access my bucket. In theory, the root account should be able to access all the buckets no?

    The above explanation assumes that you have a root account in Organizations.

    First, even the root account of Organizations does not have root user level privileges on the child accounts.

    There is one root user for each account, and only the root user can do certain things.

    Therefore, even if there is an IAM user for the root account or a root user for the root account, there are no root user privileges for the security account.

    If the S3 bucket whose bucket policy you want to delete is in the security account, use the root user of the security account.

  • Understood, thanks a bunch!
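A pre-flight check for the point made in the answer and the follow-up comments: the caller must be the root user of the account that owns the bucket, not an assumed role and not the root user of the Organizations management account. This is an added example, not code from the thread; OWNER_ACCOUNT and BUCKET are placeholders, and the sample identity is the one printed in the question.

```shell
#!/bin/sh
# Pre-flight check before `aws s3api delete-bucket-policy`: confirm that the
# credentials in use belong to the ROOT USER of the account that OWNS the bucket.
# The thread shows the two ways this fails: an assumed role (the bucket policy's
# Deny still applies) and the root user of a different account, such as the
# Organizations management account (no root privileges in a member account).
# Added example; OWNER_ACCOUNT and BUCKET are placeholders you supply.

# root_arn_for ACCOUNT_ID -> the only principal that can bypass a deny-all bucket policy
root_arn_for() {
  printf 'arn:aws:iam::%s:root\n' "$1"
}

# arn_from_identity JSON -> the "Arn" field of `aws sts get-caller-identity` output
arn_from_identity() {
  printf '%s\n' "$1" | sed -n 's/.*"Arn": *"\([^"]*\)".*/\1/p' | head -n 1
}

# check_root_owner OWNER_ACCOUNT JSON -> prints ok | wrong-account | not-root
check_root_owner() {
  expected=$(root_arn_for "$1")
  actual=$(arn_from_identity "$2")
  if [ "$actual" = "$expected" ]; then
    echo ok            # root of the owning account; only an SCP can still deny this
  else
    case "$actual" in
      arn:aws:iam::*:root) echo wrong-account ;;  # root, but of another account
      *)                   echo not-root ;;       # IAM user or assumed role: Deny applies
    esac
  fi
}

# Constructed sample: the caller identity printed in the question.
SAMPLE_IDENTITY='{
    "UserId": "101535111111",
    "Account": "101535111111",
    "Arn": "arn:aws:iam::101535111111:root"
}'

# Live use (hypothetical), only when both placeholders are set:
#   OWNER_ACCOUNT=<bucket-owner-account-id> BUCKET=<bucket-name> sh check_root.sh
if [ -n "${OWNER_ACCOUNT:-}" ] && [ -n "${BUCKET:-}" ]; then
  verdict=$(check_root_owner "$OWNER_ACCOUNT" "$(aws sts get-caller-identity)")
  if [ "$verdict" = ok ]; then
    aws s3api delete-bucket-policy --bucket "$BUCKET"
  else
    echo "refusing to call delete-bucket-policy: caller is $verdict" >&2
    exit 1
  fi
fi
```

Even an "ok" verdict can still be denied by an SCP attached above the member account, which is the second check in the answer.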
