1
votes

I logged into the AWS console with the DevUser role and updated the bucket policy with a deny-all statement, as shown below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Principal": "*",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "arn:aws:s3:::bucketName"
        }
    ]
}

After doing this I am not able to list bucket permissions or view anything under the bucket, as expected. Now I want to revert this change, but I am not able to, either with the DevUser or with the AdminUser role. I also tried to delete the bucket policy using the CLI, but it did not work:

aws s3api delete-bucket-policy --bucket bucketName

Error:

An error occurred (AccessDenied) when calling the DeleteBucketPolicy operation: Access Denied

How can I revert the DENY all change?


1 Answer

0
votes

An admin user is not enough. You need the root user credentials for the account: log in as the root user and delete the bucket policy. If you do not have access to those credentials because you do not own that account, and it is, e.g., managed by some IT department or some other colleague, you need to ask them to delete the bucket policy for you.

See https://aws.amazon.com/premiumsupport/knowledge-center/s3-accidentally-denied-access/

And next time, remember to check carefully that you do not lock yourself out of the bucket. The bucket policy does exactly what you asked for: it denies any access, including by you yourself. (The root user is the only exception and cannot be denied access.)
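
A pre-flight check for the lockout described in this answer, as an added example (not part of the original post and not AWS tooling): it flags unconditional Deny statements that stop every principal from calling s3:PutBucketPolicy or s3:DeleteBucketPolicy on the bucket. The function names and the second sample policy are constructed for illustration; statements with a Condition or NotPrincipal are not evaluated and need manual review.

```python
from fnmatch import fnmatchcase

# Actions needed to repair a bad bucket policy; denying them to everyone
# leaves only the account root user able to fix it.
RECOVERY_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style * and ? wildcards. Action names are case-insensitive;
    # lower-casing ARNs as well is a simplification of this sketch.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _everyone(principal):
    # Accepts "*", {"AWS": "*"} and {"AWS": ["*", ...]}.
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(aws)


def _denies(stmt, action):
    if "NotAction" in stmt:  # everything except the listed actions is denied
        return not _matches(stmt["NotAction"], action)
    return _matches(stmt.get("Action", []), action)


def lockout_statements(policy, bucket_arn):
    """Return Sids of unconditional Deny statements that stop every
    principal from changing or deleting the policy on bucket_arn."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Deny"
                and _everyone(stmt.get("Principal"))
                and not stmt.get("Condition")
                and _matches(stmt.get("Resource", []), bucket_arn)
                and any(_denies(stmt, a) for a in RECOVERY_ACTIONS)):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


# The policy from the question, plus a constructed object-only deny for contrast.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Statement1", "Principal": "*", "Effect": "Deny",
    "Action": "*", "Resource": "arn:aws:s3:::bucketName"}]}
OBJECT_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyObjects", "Principal": "*", "Effect": "Deny",
    "Action": "s3:*Object", "Resource": "arn:aws:s3:::bucketName/*"}]}
```

Calling `lockout_statements(QUESTION_POLICY, "arn:aws:s3:::bucketName")` reports `Statement1`, while the object-only policy passes because its Resource does not cover the bucket ARN itself.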