By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Access denied to delete objects in s3 bucket

1

Hello, I am using access key and secret key of iam users to delete objects in a s3 bucket. The iam user is assigned with a policy that has full access to list, get, put and delete objects in this s3 bucket. I can list, get and put but cannot delete even though the policy assigned to the user has deleteObject action. I also tried to create a policy for the bucket with all actions and resources in the bucket and make the arn of the iam user principal, but it does not help.

Could anyone help me out? Many thanks,

4 Answers
1

The bucket policy I shared below can be deleted by anyone in the AWS account who has permission to do so.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-bucket-user-policy-specifying-principal-intro.html#s3-aws-account-permissions

{ 
    "Version": "2012-10-17", 
    "Id": "Policy1689496022829", 
    "Statement": [ 
        { 
            "Sid": "Stmt1689495997312", 
            "Effect": "Allow", 
            "Principal": { 
                "AWS": "arn:aws:iam::250422108324:root" 
            }, 
            "Action": "s3:*", 
            "Resource": [ 
                "arn:aws:s3:::skindex-facet/*", 
                "arn:aws:s3:::skindex-facet" 
            ] 
        } 
    ] 
}

In addition, S3 buckets that are no longer accessible to anyone can be edited by logging in as the AWS root user to edit the bucket policy.
https://repost.aws/knowledge-center/s3-accidentally-denied-access

profile picture
EXPERT
answered a year ago
0

Can you share your current IAM user policies and the bucket policies set for your S3 buckets?
If all permissions are fine with the IAM user, try deleting the S3 bucket policy and deleting the object.
Also, have you set up SCP in AWS Organizations, etc.?
If SCP is configured, also make sure that deleteObject is allowed in SCP.

profile picture
EXPERT
answered a year ago
  • Just for the sake of understanding, I just assigned the policy AmazonS3FullAccess and the bucket policy as follows:

    { "Version": "2012-10-17", "Id": "Policy1689496022829", "Statement": [ { "Sid": "Stmt1689495997312", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::250422108324:user/hoanguyen" }, "Action": "s3:", "Resource": [ "arn:aws:s3:::skindex-facet/", "arn:aws:s3:::skindex-facet" ] } ] }

    I just created another bucket and tried again. It's still not working for delete command but working for listing, getting and putting command.

    Thanks,

  • To allow only specific users to operate S3 buckets, set the following bucket policy.
    All operations are denied by the bucket policy and "aws:username" is set in "Condition" under "StringNotEquals" to allow only specific IAM users to operate.

    {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AllowUserAccess",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::skindex-facet/*",
              "arn:aws:s3:::skindex-facet"
            ],
            "Condition": {
              "StringNotEquals": {
                "aws:username": "hoanguyen"
              }
            }
          }
        ]
    }
    
  • Probably my question is not clear enough to you. Sorry for that. What I mean is that I would like to delete objects in that bucket via aws sdk but couldnt due to access denied. The question is how I can delete objects via aws sdk. With your policy, I guess all actions to the resources in the bucket will be denied.

    Furthermore, my bucket is not public, so aws wont allow to me to set principal "*".

  • It is possible to set this bucket policy. I confirm that it can be configured in my environment. By setting this bucket policy, only users (hoanguyen) can operate on the S3 bucket.
    By the way, if AmazonS3FullAccess is set in the IAM policy, you should be able to delete the object by simply deleting the bucket policy.

  • Ah sorry, misread the condition part. I actually dont like to deny everyone else like this because others would lose management access. I just tried your code and aws does allow me to do it. Unfortunately, after that I lost all authorization to perform all actions together.

0

In the previous answer, Riku rightly mentioned that IAM identity, bucket policy and SCP are three things which you should check.

Explicit deny error comes because of restrictions in one or more of the following type of policies:

  1. Identity-based policies
  2. Resource-based policies
  3. Permissions boundary
  4. Service control policies
  5. Session policy

Since this is for DeleteObject, there would be restriction either through Resource based policy(bucket policy), SCP, Permission Boundary, Session Policy. Can you paste cloudtrail API call detail for access denied error after redacting your account/resource information.

Also, check if there is any SCP attached to this account by going to organization->policies->scp-> see policy content and it's attached target. Explicit deny most commonly appears because of deny either at SCP or permissions boundary, which doesn't come into notice immediately.

When you add allow for Deleteobject access in bucket policy(as suggested above), make sure that there is no deny condition for same action.

Hope you find this helpful.

profile pictureAWS
EXPERT
answered a year ago
  • hi, I already checked some of them which are relevant but still confused why I couldnt delete objects via aws sdk. There is no permission boundaries. As you can see in my bucket policy above, all actions are allowed without any conditions. Currently I have policies in iam role and bucket policies.

0

So here's what you should do when looking into this. If you're getting access denied within S3, there's multiple areas to check. Here's a few that I can think of off the top of my head. To do this, let's try start very simple and work towards more complexity as we move on.

  1. Validate the IAM policy with the role/user you are logged in with. In some cases these can get crazy confusing if you have NotAction, etc... Validate you do have permissions via the policy first.
  2. Check the bucket policy to validate there is no blocks there. Be aware that assigning permissions at a bucket policy level does NOT grant a user/role the ability to do an action. They still need the policy as IAM is evaluated first.
  3. Make sure you have no organization blocks
  4. Open the bucket, go to an object in question and go to permissions, make sure the owner is your account. If it's another account, then you won't have access to it and it'll need to be deleted by the other account.
  5. Checked the object to see if it has object lock on it. You can do this by going to the properties of the object. If this is enabled, then again you'll need to remove this before you can delete the object
  6. Check if the object has KMS encryption enabled. If it does, you'll need permissions to the KMS key via IAM and via the KMS policy (this one is overlooked a lot in my time troubleshooting customer S3 issues)

There's probably a few areas I'm forgetting, but these are a few spots to check to help you move forward and should solve the issue.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions