user10916892

Reputation: 997

Not able to update/delete Bucket policy with admin role after adding a Deny policy

I logged into aws console with DevUser role and updated bucket policy with deny all as per below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:s3:::bucketName"
        }
    ]
}

After doing this I am not able to list bucket permissions or view anything under the bucket, as expected. Now I want to revert this change, but I am not able to, neither with the DevUser nor with the AdminUser role. I also tried to delete the bucket policy using the CLI, but that did not work either:

aws s3api delete-bucket-policy --bucket bucketName

Error:

An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied

How can I revert the DENY all change?

Upvotes: 1

Views: 1099

Answers (1)

luk2302

Reputation: 57183

You (user or role), a normal or even an admin user, cannot revert that change.
Only the root user for the account can delete the bucket policy. If you do not have access to those root user credentials because you do not own that account but it is, e.g., managed by some IT department or some other colleague, you need to ask them to delete the bucket policy for you.

See https://aws.amazon.com/premiumsupport/knowledge-center/s3-accidentally-denied-access/

And for the next time, you need to remember to check and be careful that you do not lock yourself out of the bucket. The bucket policy does exactly what you wrote: it denies any access, including by you yourself. (The root user is the only exception and cannot be denied access.)

Upvotes: 2
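The practical takeaway from the answer is that a bucket-policy Deny with "Principal": "*" binds every principal except the account root user, so any administrator who must keep control has to be carved out explicitly before the policy is applied. The following pre-flight check is an added example, not code from the question or the answer: it scans a candidate policy for Deny statements that would strip a named administrator of s3:PutBucketPolicy and s3:DeleteBucketPolicy on the bucket, and it contrasts the question's policy with a variant that exempts the administrator through an aws:PrincipalArn condition. The bucket ARN, the account ID and the AdminUser role ARN are assumptions made for the example.

```python
"""Lock-out pre-flight check for an S3 bucket policy (added example, not from the original post)."""
import fnmatch
import json

# Hypothetical identifiers for this example (not from the original post)
BUCKET_ARN = "arn:aws:s3:::bucketName"
ADMIN_ARN = "arn:aws:iam::123456789012:role/AdminUser"

# The actions a principal needs in order to undo a bad bucket policy later
POLICY_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

# The policy from the question: denies everything to everyone on the bucket ARN
LOCKOUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Statement1", "Principal": "*", "Effect": "Deny",
                   "Action": "*", "Resource": BUCKET_ARN}],
}

# Same intent, but the administrator role is excluded from the Deny via a condition
SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyAllExceptAdmin", "Principal": "*", "Effect": "Deny",
                   "Action": "*", "Resource": BUCKET_ARN,
                   "Condition": {"ArnNotEquals": {"aws:PrincipalArn": ADMIN_ARN}}}],
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_match(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _covers_admin(stmt, admin_arn):
    """Does this Deny reach admin_arn? Handles '*', {"AWS": ...} and NotPrincipal."""
    if "NotPrincipal" in stmt:
        listed = stmt["NotPrincipal"]
        listed = _as_list(listed.get("AWS")) if isinstance(listed, dict) else []
        return admin_arn not in listed
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        return "*" in aws or admin_arn in aws
    return False


def _admin_exempted(stmt, admin_arn):
    """True if a negated aws:PrincipalArn condition carves admin_arn out of the Deny."""
    cond = stmt.get("Condition", {})
    for op in ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike"):
        for pattern in _as_list(cond.get(op, {}).get("aws:PrincipalArn")):
            if fnmatch.fnmatchcase(admin_arn, pattern):
                return True
    return False


def lockout_risks(policy, admin_arn=ADMIN_ARN, bucket_arn=BUCKET_ARN):
    """Return the Sids of Deny statements that would stop admin_arn from changing the policy again.

    Only the account root user is exempt from a bucket-policy Deny, so any other
    principal that should keep control has to be excluded by the statement itself.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    risky = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Deny" or not _covers_admin(stmt, admin_arn):
            continue
        if "NotAction" in stmt:
            # Deny + NotAction denies everything except the listed actions
            patterns = _as_list(stmt["NotAction"])
            hits_api = not all(any(_action_match(p, a) for p in patterns) for a in POLICY_ACTIONS)
        else:
            patterns = _as_list(stmt.get("Action"))
            hits_api = any(_action_match(p, a) for p in patterns for a in POLICY_ACTIONS)
        # PutBucketPolicy/DeleteBucketPolicy act on the bucket ARN, not on object ARNs;
        # NotResource is treated conservatively as covering the bucket
        hits_bucket = "NotResource" in stmt or any(
            fnmatch.fnmatchcase(bucket_arn, r) for r in _as_list(stmt.get("Resource")))
        if hits_api and hits_bucket and not _admin_exempted(stmt, admin_arn):
            risky.append(stmt.get("Sid", "<no Sid>"))
    return risky


if __name__ == "__main__":
    print("question's policy:", lockout_risks(LOCKOUT_POLICY))   # ['Statement1']
    print("policy with admin carve-out:", lockout_risks(SAFE_POLICY))  # []
```

Run the check against the JSON you are about to pass to `aws s3api put-bucket-policy`, with the ARN of the role you will use to undo it; a non-empty result means that role would be locked out and only the root user could recover the bucket. Saving the current policy first with `aws s3api get-bucket-policy` gives you something to restore if the new one behaves unexpectedly.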
