How do I unlock or delete an AWS S3 bucket that inadvertently locked with a bucket policy?

Question

I am the AWS account owner, admin (both IAM and root password - not recommended I know, but have some legacy apps that depend on root pw). I recently added a bucket policy which has subsequently rendered the bucket locked an inaccessible to me:

$ aws s3 rb s3://<my-bucket> --force
A client error (AccessDenied) occurred when calling the ListObjects operation:   Access Denied
Completed 1 part(s) with ... file(s) remaining
remove_bucket failed: s3://<my-bucket>/ A client error (AccessDenied) occurred when calling the DeleteBucket operation: Access Denied

I've tried both the CLI and the AWS S3 console, but only receive the error: Sorry! You do not have permissions to view this bucket.

It's a small relief that this bucket is completely empty, but I need to use this particular name and am stuck as I cannot do anything with it.

I'm hoping I'm not the only one who has experienced this dilemma.

(P.S. - I'd post the EXACT bucket policy I used, but I created it using the console and, if I entered some part of it incorrectly as I suspect, I can't get at it to copy/paste it here for you...)

Kind regards, Jeff.

Answer 1

Directly from AWS support:

Hello,

G** here with AWS Support. I understand that your bucket policy for S3 bucket ‘s3-bucket-name’ prevents access, or removal of bucket. There are a couple of ways you can delete the bucket policy as follows and then delete the bucket itself:

1. Log into the AWS S3 Console with root credentials. Please note that the root account is different than an account with ‘Administrator Access’ [1]. The root account should have access to modify/delete this bucket policy. Unfortunately, I have noticed that this is a fickle option which only works sometimes. OR
2. (Option works all of the time) Delete bucket policy through AWS cli as follows (Linux and Windows options):

Via Linux: $ export AWS_DEFAULT_REGION= us-east-1 $ export AWS_ACCESS_KEY_ID="ROOT_KEY_ID" $ export AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" $ aws s3api delete-bucket-policy --bucket s3-bucket-name

Via Windows: set AWS_DEFAULT_REGION= us-east-1 set AWS_ACCESS_KEY_ID="ROOT_KEY_ID" set AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY" aws s3api delete-bucket-policy --bucket s3-bucket-name

If so, could you please provide the output for the following after setting up your root account credentials: $ aws s3api delete-bucket-policy --bucket s3-bucket-name --debug

Note that these are both using root account credentials. Please attempt these methods and let me know if you have any issue. I hope this information was helpful. Please feel free to reach out to me with any additional questions or concerns.

[1] Root Account vs IAM User - http://docs.aws.amazon.com/es_es/general/latest/gr/root-vs-iam.html

Best regards, G**

Option 2 worked for me.

Cheers!

Answer 2

Since you are a root user, I think this approach may help:

Step1: Create a IAM user.

Step2: Create a policy with delete bucket privilege and associate it with the IAM user created in step 1.

Step3: Associate the user to your s3 bucket.

Login in with the created user credentials and try to delete the bucket.

Answer 3

If you are logged in as the root user, go to the S3 Management console and find the bucket.

Select the bucket in the list without opening it.

Click "actions", then "properties".

Delete the bucket policy in the "permissions" section.

Then delete the bucket using the "actions" menu.