 

How do I unlock or delete an AWS S3 bucket that I inadvertently locked with a bucket policy?

I am the AWS account owner, admin (both IAM and root password - not recommended I know, but have some legacy apps that depend on root pw). I recently added a bucket policy which has subsequently rendered the bucket locked and inaccessible to me:

$ aws s3 rb s3://<my-bucket> --force
A client error (AccessDenied) occurred when calling the ListObjects operation:   Access Denied
Completed 1 part(s) with ... file(s) remaining
remove_bucket failed: s3://<my-bucket>/ A client error (AccessDenied) occurred when calling the DeleteBucket operation: Access Denied

I've tried both the CLI and the AWS S3 console, but only receive the error: Sorry! You do not have permissions to view this bucket.

It's a small relief that this bucket is completely empty, but I need to use this particular name and am stuck as I cannot do anything with it.

I'm hoping I'm not the only one who has experienced this dilemma.

(P.S. - I'd post the EXACT bucket policy I used, but I created it using the console and, if I entered some part of it incorrectly as I suspect, I can't get at it to copy/paste it here for you...)

Kind regards, Jeff.

Jasper33 asked Jun 25 '15 02:06


1 Answer

Directly from AWS support:

Hello,

G** here with AWS Support. I understand that your bucket policy for S3 bucket ‘s3-bucket-name’ prevents access, or removal of bucket. There are a couple of ways you can delete the bucket policy as follows and then delete the bucket itself:

  1. Log into the AWS S3 Console with root credentials. Please note that the root account is different than an account with ‘Administrator Access’ [1]. The root account should have access to modify/delete this bucket policy. Unfortunately, I have noticed that this is a fickle option which only works sometimes. OR
  2. (Option works all of the time) Delete bucket policy through AWS cli as follows (Linux and Windows options):

Via Linux:
$ export AWS_DEFAULT_REGION=us-east-1
$ export AWS_ACCESS_KEY_ID="ROOT_KEY_ID"
$ export AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY"
$ aws s3api delete-bucket-policy --bucket s3-bucket-name

Via Windows:
set AWS_DEFAULT_REGION=us-east-1
set AWS_ACCESS_KEY_ID=ROOT_KEY_ID
set AWS_SECRET_ACCESS_KEY=ROOT_SECRET_KEY
aws s3api delete-bucket-policy --bucket s3-bucket-name

If so, could you please provide the output for the following after setting up your root account credentials:
$ aws s3api delete-bucket-policy --bucket s3-bucket-name --debug

Note that these are both using root account credentials. Please attempt these methods and let me know if you have any issue. I hope this information was helpful. Please feel free to reach out to me with any additional questions or concerns.

[1] Root Account vs IAM User - http://docs.aws.amazon.com/es_es/general/latest/gr/root-vs-iam.html

Best regards, G**

Option 2 worked for me.

Cheers!

lonewarrior556 answered Sep 22 '22 02:09
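
A pre-flight check for the mistake described in the question, as an added example that is not part of the original question or the AWS Support reply: before applying a bucket policy, list the Deny statements in it that would stop everyone from reading, replacing or deleting that policy. It assumes the lockout came from an explicit Deny (the question does not show the policy); the sample policy and the names `lockout_findings` and `RECOVERY_ACTIONS` are constructed here, and Resource and Condition are not evaluated, so it over-reports rather than under-reports.

```python
import json
from fnmatch import fnmatchcase

# Actions needed to inspect or undo a bucket policy, or to delete the bucket.
RECOVERY_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy",
                    "s3:DeleteBucketPolicy", "s3:DeleteBucket", "s3:ListBucket")

# Constructed sample policy; "example-bucket" is a placeholder name.
SAMPLE_POLICY = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyAll", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": {"AWS": "*"},
   "Action": "s3:*", "Condition": {"Bool": {"aws:SecureTransport": "false"}},
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}"""

def _as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])

def _everyone(st):
    """True when the statement applies to all principals, or to all but a few."""
    p = st.get("Principal")
    aws = p.get("AWS") if isinstance(p, dict) else p
    return "NotPrincipal" in st or "*" in _as_list(aws)

def _covers(st, action):
    """Does the statement's Action/NotAction element match `action`?"""
    key = "NotAction" if "NotAction" in st else "Action"
    hit = any(fnmatchcase(action.lower(), pat.lower()) for pat in _as_list(st.get(key)))
    return hit != (key == "NotAction")

def lockout_findings(policy_json):
    """List Deny statements that would block the recovery actions for everyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may appear unwrapped
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Deny" or not _everyone(st):
            continue
        blocked = [a for a in RECOVERY_ACTIONS if _covers(st, a)]
        if blocked:
            findings.append({"sid": st.get("Sid", f"statement[{i}]"), "blocked": blocked,
                             "conditional": "Condition" in st})
    return findings

if __name__ == "__main__":
    for f in lockout_findings(SAMPLE_POLICY):
        print(f)
```

A finding with `conditional` set to false is the dangerous kind: nothing in the statement limits when the Deny applies. A conditional one needs a manual read of its Condition block.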