
I’ve created a bucket with the following policy:

{
  'Version': '2008-10-17',
  'Statement': [{
    'Sid': 'eb-58950a8c-feb6-11e2-89e0-0800277d041bc',
    'Effect': 'Deny',
    'Principal': {
      'AWS': '*'
    },
    'Action': '*',
    'Resource': bucket.attrArn
  }]
}

which restricts any action on the bucket.

Now I can’t do anything with it as any user (which is expected), but also not as root (which was a surprise to me). I have Organizations and an SCP with full access attached to the root account.

Is there a way to delete the bucket now or should I reach out to support?
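An added check, not from the question or either answer, that flags a bucket policy like the one above before it is applied: a Deny on every principal and every action, with no Condition to carve anyone out, blocks every IAM principal and leaves root only the delete-bucket-policy recovery path described in the accepted answer. The second policy shows the same intent with an aws:PrincipalArn condition that keeps a break-glass role able to manage the bucket; both ARNs are constructed placeholders.

```python
ADMIN_ARN = "arn:aws:iam::123456789012:role/BreakGlassAdmin"  # constructed placeholder
BUCKET_ARN = "arn:aws:s3:::example-locked-bucket"              # constructed placeholder

def _as_list(value):
    """IAM accepts a string or a list in Principal/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (the "*" may sit inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def is_lockout_statement(stmt, bucket_arn):
    """Deny + every principal + every action + the bucket itself, with no Condition:
    nobody can manage the bucket any more (root keeps only DeleteBucketPolicy)."""
    if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
        return False
    if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(r in ("*", bucket_arn) for r in _as_list(stmt.get("Resource", []))):
        return False
    return "Condition" not in stmt  # a Condition narrows the deny to some callers only

def find_lockouts(policy, bucket_arn):
    """Return the Sids of statements that would lock everyone out of the bucket."""
    return [s.get("Sid", "<no Sid>")
            for s in _as_list(policy.get("Statement", []))
            if is_lockout_statement(s, bucket_arn)]

# The policy from the question, re-typed as JSON-style data (constructed Sid).
LOCKOUT_POLICY = {
    "Version": "2008-10-17",
    "Statement": [{"Sid": "deny-everything", "Effect": "Deny",
                   "Principal": {"AWS": "*"}, "Action": "*", "Resource": BUCKET_ARN}],
}

# Same intent, but the Condition exempts one break-glass role from the Deny.
SAFE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "deny-all-but-break-glass", "Effect": "Deny",
                   "Principal": {"AWS": "*"}, "Action": "*",
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
                   "Condition": {"StringNotEquals": {"aws:PrincipalArn": ADMIN_ARN}}}],
}

if __name__ == "__main__":
    print("lockout policy:", find_lockouts(LOCKOUT_POLICY, BUCKET_ARN))  # ['deny-everything']
    print("safe policy:", find_lockouts(SAFE_POLICY, BUCKET_ARN))        # []
```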


Answers


  1. Chosen as BEST ANSWER

    I was able to delete the bucket policy (and access the bucket afterwards) with the root account and the AWS CLI. To do so you need to:

    • get access keys for the root account
    • run aws s3api delete-bucket-policy --bucket bucket-name as root

    From the Administrator account I got: An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied


  2. See the link below; it talks about how root is not a normal IAM user that an IAM policy can be applied to. If that’s the case, you should not be subject to the Deny policy if you are root.

    https://www.youtube.com/watch?v=8kuoS5JY-sI

    It is worth checking that the root user you connected as belongs to the management account, maybe?

    The top-level SCP may allow all permissions, but maybe you are root at the OU level, where a more restrictive SCP is in effect?
