Reputation: 689
Using the AWS s3api CLI, enable MFA Delete for the S3 buckets that fail this rule, for example:
aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "your-mfa-serial-number mfa-code"
But I am getting this error: An error occurred (AccessDenied) when calling the PutBucketVersioning operation: This operation may only be performed by the bucket owner.
I even tried creating a new bucket to do this, but I am getting the same error. Has anyone gone through this?
Upvotes: 2
Views: 4103
Reputation: 35188
In the documentation it states you must be the root user to enable this.
The bucket owner, the AWS account that created the bucket (root account), and all authorized IAM users can enable versioning, but only the bucket owner (root account) can enable MFA Delete.
Other than this, any other BucketVersioning configuration can be completed by the root user or a permitted IAM user/role.
This tries to prevent an employee accidentally enabling the feature because they have too many permissions.
As a warning, if you're configuring this via the CLI, do not leave root IAM credentials after the action has been taken.
Upvotes: 1
Reputation: 238209
Since it's not specified in your question, I will assume the most likely scenario of not using a root account.
MFA Delete can only be enabled by the root of your account (from docs):
The bucket owner, the AWS account that created the bucket (root account), and all authorized IAM users can enable versioning, but only the bucket owner (root account) can enable MFA Delete.
Upvotes: 2
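A preflight check for the command in the question, as an added example that is not part of the original posts: it classifies the caller ARN and the bucket's current versioning state and reports whether the MFA Delete call can succeed. The function names, return codes and the sample account ID are assumptions of this example; the inputs are passed as strings so the logic runs offline.

```shell
#!/bin/sh
# Added example: preflight for enabling MFA Delete on a bucket.
# In real use the three inputs come from:
#   aws sts get-caller-identity --query Arn --output text
#   aws s3api get-bucket-versioning --bucket "$BUCKET" --query Status --output text
#   aws s3api get-bucket-versioning --bucket "$BUCKET" --query MFADelete --output text

# Classify the principal behind an STS caller ARN.
caller_kind() {
  case "$1" in
    arn:aws*:iam::[0-9]*:root)             echo root ;;
    arn:aws*:iam::[0-9]*:user/*)           echo iam-user ;;
    arn:aws*:sts::[0-9]*:assumed-role/*)   echo assumed-role ;;
    arn:aws*:sts::[0-9]*:federated-user/*) echo federated-user ;;
    *)                                     echo unknown ;;
  esac
}

# mfa_delete_preflight CALLER_ARN VERSIONING_STATUS MFA_DELETE_STATE
# Prints one verdict line. Return codes (this example's convention):
#   0 = root caller, call can proceed
#   1 = caller is not root, the call would fail with AccessDenied
#   2 = nothing to do, MFA Delete is already enabled
mfa_delete_preflight() {
  kind=$(caller_kind "$1")
  if [ "$3" = "Enabled" ]; then
    echo "SKIP: MFA Delete already enabled"
    return 2
  fi
  if [ "$kind" != "root" ]; then
    echo "DENY: caller is $kind; only the bucket owner (root account) can enable MFA Delete"
    return 1
  fi
  echo "OK: root caller, versioning=$2, MFA Delete can be enabled"
}

# Constructed sample inputs (account ID and user name are placeholders).
demo() {
  mfa_delete_preflight "arn:aws:iam::111122223333:user/deploy" Enabled None
  mfa_delete_preflight "arn:aws:iam::111122223333:root" Enabled None
  mfa_delete_preflight "arn:aws:iam::111122223333:root" Enabled Enabled
}
demo || true
```
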