I’ve created a bucket with the following policy:
{
    'Version': '2008-10-17',
    'Statement': [{
        'Sid': 'eb-58950a8c-feb6-11e2-89e0-0800277d041bc',
        'Effect': 'Deny',
        'Principal': {
            'AWS': '*'
        },
        'Action': '*',
        'Resource': bucket.attrArn
    }]
}
which restricts any action on the bucket.
Now I can’t do anything with it as any user (which is expected), but also not as root (which is a surprise to me). I have Organizations, and an SCP with full access is attached to the root account.
Is there a way to delete the bucket now or should I reach out to support?
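The following is an added example, not code from the original question: it builds the same kind of deny-everything bucket policy as the one above beside a variant that carves out one administrative principal with a StringNotEquals condition on aws:PrincipalArn, so that principal can still change or delete the policy, and it includes a small matcher that reports whether a given caller would hit a Deny statement. The bucket ARN, the role ARN and the account ID are placeholders. The matcher only handles the policy grammar used here and is not AWS's full evaluation logic; in particular it does not model the S3 rule (stated in the DeleteBucketPolicy API reference) that the bucket-owning account's root user can always call DeleteBucketPolicy even when the policy denies it.

```python
"""Deny-all bucket policy beside a version with a break-glass carve-out,
plus a minimal matcher for Deny statements.

Added example, not code from the original post. ARNs are placeholders.
The matcher covers only: Effect, Principal "*" / {"AWS": ...},
Action/Resource with '*' wildcards, and StringEquals/StringNotEquals on
aws:PrincipalArn. It is not AWS's evaluation logic and ignores S3's
root-user exception for DeleteBucketPolicy.
"""
import json
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::example-bucket"                 # placeholder
ADMIN_ARN = "arn:aws:iam::111122223333:role/BucketAdmin"   # placeholder


def lockout_policy(bucket_arn):
    """Shape of the policy in the question: every principal, every action,
    no carve-out. Only the bucket ARN is listed, as in the post."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAll",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": bucket_arn,
        }],
    }


def deny_all_except(bucket_arn, admin_arn):
    """Same intent, but the Deny does not apply to one administrative
    principal, which can therefore still edit or delete the policy.
    Object ARNs are listed too: a bucket ARN alone never matches object
    operations such as s3:GetObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptBucketAdmin",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [bucket_arn, bucket_arn + "/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalArn": admin_arn}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    # "*" or {"AWS": "*"} covers every principal; otherwise match listed ARNs.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _any_match(patterns, value):
    # IAM-style '*' and '?' wildcards; fnmatchcase keeps the match case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, principal_arn):
    # Only the operator/key pairs used above; anything else is rejected
    # rather than silently treated as matching or not matching.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key != "aws:PrincipalArn" or operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"unsupported condition {operator} {key}")
            listed = principal_arn in _as_list(expected)
            if operator == "StringEquals" and not listed:
                return False
            if operator == "StringNotEquals" and listed:
                return False
    return True


def is_denied(policy, principal_arn, action, resource):
    """True if any Deny statement in the policy matches the request."""
    for statement in policy["Statement"]:
        if (statement.get("Effect") == "Deny"
                and _principal_matches(statement.get("Principal"), principal_arn)
                and _any_match(statement["Action"], action)
                and _any_match(statement["Resource"], resource)
                and _condition_holds(statement.get("Condition", {}), principal_arn)):
            return True
    return False


if __name__ == "__main__":
    root = "arn:aws:iam::111122223333:root"   # placeholder
    for name, policy in (("lockout", lockout_policy(BUCKET_ARN)),
                         ("carve-out", deny_all_except(BUCKET_ARN, ADMIN_ARN))):
        print(name, json.dumps(policy, indent=2))
        for who in (root, ADMIN_ARN):
            print(f"  {who} -> s3:DeleteBucketPolicy denied: "
                  f"{is_denied(policy, who, 's3:DeleteBucketPolicy', BUCKET_ARN)}")
```

The point of the carve-out is that an explicit Deny in a bucket policy wins over every Allow, including whatever the root user or an administrator role is otherwise permitted to do, so a Deny with Principal "*" and no condition leaves nobody except the bucket owner's root user (via the DeleteBucketPolicy exception) able to undo it. Naming the break-glass principal in the condition keeps the policy restrictive for everyone else without relying on that exception.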
2 Answers
I was able to delete the bucket policy (and access the bucket afterwards) with the root account and the AWS CLI. To do so you need:
aws s3api delete-bucket-policy --bucket bucket-name
As root from the Administrator account I got:
An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied
See the link below; it talks about how the root user is not a normal IAM user that an IAM policy can be applied to. If that’s the case, you should not be subject to the Deny policy if you are the root user.
https://www.youtube.com/watch?v=8kuoS5JY-sI
It’s worth checking that the root user you connected as belongs to the management account, maybe?
The top-level SCP may allow all permissions, but maybe you are root at an OU level where a more restrictive SCP is in effect?
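As an added example that is not from any of the answers above, the script below runs the checks the replies point at before attempting the recovery from the first answer: it confirms the caller is actually an account root user, warns when that root belongs to a member account rather than the management account (a member account's root is still bound by SCPs), and only then calls delete-bucket-policy. It assumes the AWS CLI is configured with the credentials under test and that the bucket belongs to that account; the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Preconditions checked:
#   1. the caller is an account root user (needed for the first answer's step),
#   2. whether that root is the management account's root; a member
#      account's root is still subject to SCPs on the account or its OU,
# then the bucket policy is deleted. Assumes a configured AWS CLI and a
# bucket owned by the calling account. "recover" and the helpers are
# names chosen for this example.

# Print the 12-digit account id from an ARN (5th colon-separated field).
account_of_arn() {
    printf '%s\n' "$1" | cut -d: -f5
}

# Succeed only for an account root user ARN, e.g. arn:aws:iam::111122223333:root
is_root_arn() {
    case "$1" in
        arn:aws:iam::*:root) ;;
        *) return 1 ;;
    esac
    acct=$(account_of_arn "$1")
    [ "${#acct}" -eq 12 ] || return 1
    case "$acct" in *[!0-9]*) return 1 ;; esac
    return 0
}

recover() {
    bucket="$1"
    caller=$(aws sts get-caller-identity --query Arn --output text) || return 1
    if ! is_root_arn "$caller"; then
        echo "signed in as $caller, not as an account root user" >&2
        return 1
    fi
    acct=$(account_of_arn "$caller")
    # DescribeOrganization can be called from any account in the organization;
    # if the account is not in one the call fails and the SCP check is skipped.
    mgmt=$(aws organizations describe-organization \
             --query Organization.MasterAccountId --output text 2>/dev/null) || mgmt=""
    if [ -n "$mgmt" ] && [ "$mgmt" != "$acct" ]; then
        echo "warning: root of member account $acct; SCPs on this account or its OU still apply (management account: $mgmt)" >&2
    fi
    aws s3api delete-bucket-policy --bucket "$bucket"
}

# Usage: sh recover.sh recover my-bucket
case "${1:-}" in
    recover) recover "$2" ;;
esac
```

If the warning fires and delete-bucket-policy still returns AccessDenied, the explicit Deny is coming from an SCP on the member account or its OU rather than from the bucket policy, which is the case the last reply describes.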