I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?


I incorrectly configured my bucket policy to deny all users access to my Amazon Simple Storage Service (Amazon S3) bucket.


Conditions for the bucket policy can't be met

If the conditions for the bucket policy can't be met, then you can still regain access to your Amazon S3 bucket. To regain access to your bucket, sign in to the Amazon S3 console as the AWS account root user. Then, delete the bucket policy.

Important: Don't use the root user for everyday tasks. Limit the use of these credentials to only the tasks that require you to sign in as the root user. Root credentials aren't the same as an AWS Identity and Access Management (IAM) user or role with full administrator access. You can't attach IAM policies with allow or deny permissions to the root account.

  1. Sign in to the AWS Management Console as the account root user.
  2. Open the Amazon S3 console.
  3. Navigate to the incorrectly configured bucket.
  4. Choose the Permissions tab.
  5. Choose Bucket Policy.
  6. Choose Delete.
  7. On the Delete bucket policy page, enter delete into the text field to confirm the deletion of the bucket policy.
  8. Choose Delete.
  9. Sign out of the AWS Management Console.
  10. (Optional) It's a best practice for the account administrator to rotate the root user password.

After the root user deletes the bucket policy, an IAM user with bucket access can apply a new bucket policy with the correct permissions. For more information, see Bucket policy examples and Adding a bucket policy by using the Amazon S3 console.

Conditions for the bucket policy can be met

If you can't use the root user account, then you can delete the policy if you meet the bucket policy conditions.

To regain access to your bucket, complete the following steps:

  1. Review the bucket policy to determine which of its conditions you can fulfill.
  2. Take the steps to meet the bucket policy conditions.
  3. After regaining access, update the bucket policy to remove or modify the restrictive conditions to prevent future lockouts.
  4. Test the changes and make sure that the level of access control is correct.

If you're unsure of the policy applied to a bucket prior to a lockout, then use AWS CloudTrail to review the event. To search for recent PutBucketPolicy actions in the account using CloudTrail, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. On the Event history page, under Lookup attributes, choose Event name.
  4. In the Enter an event name field, choose PutBucketPolicy and press Enter.
  5. Choose the most recent event and review the details of the event. The event displays the request and response parameters. This includes the bucket name and the full bucket policy.
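An added example (not from the AWS article) that performs the review in step 5 offline on a constructed CloudTrail record: it pulls out the bucket name and every Deny statement aimed at all principals, and reports whether each statement carries conditions, which is what decides between the two recovery paths described above. The bucket name and VPC endpoint ID in the sample are made up, and the `bucketPolicy` field is assumed to be nested JSON as CloudTrail records it.

```python
import json

# Constructed sample CloudTrail record (bucket name and VPC endpoint ID are made up).
SAMPLE_EVENT = json.dumps({
    "eventName": "PutBucketPolicy",
    "requestParameters": {
        "bucketName": "example-locked-bucket",
        "bucketPolicy": {
            "Statement": [
                {"Sid": "DenyEveryone", "Effect": "Deny", "Principal": "*",
                 "Action": "s3:*", "Resource": "arn:aws:s3:::example-locked-bucket/*"},
                {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": {"AWS": "*"},
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-locked-bucket/*",
                 "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
            ],
        },
    },
})

def _as_list(value):
    return value if isinstance(value, list) else [value]  # policy fields: str or list

def principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"}, including "*" as one member of a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def find_lockout_denies(event_json):
    """Return (bucket_name, findings), one finding per Deny statement aimed at all principals."""
    # has_conditions False: everyone is locked out and only the root user can delete the policy.
    event = json.loads(event_json)
    params = event["requestParameters"]
    policy = params["bucketPolicy"]
    if isinstance(policy, str):  # some records carry the document as a JSON string
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not principal_is_everyone(stmt.get("Principal")):
            continue
        conditions = stmt.get("Condition") or {}
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "condition_operators": sorted(conditions),
            "has_conditions": bool(conditions),
        })
    return params["bucketName"], findings
```

A finding with conditions lists the condition operators you would have to satisfy to regain access without the root user, provided those conditions can actually be met.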