Locked out of your S3 bucket?

Category AWS Troubleshooting
5 July 2023

In S3 buckets you can set a bucket policy to allow or disallow actions on the S3 bucket. Often this is used to set a bucket policy that only allows access through a VPC endpoint, by denying every request whose aws:SourceVpce does not match that endpoint:

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

When you apply this policy to the bucket in the admin interface (or through infrastructure automation) you will see that you cannot access this bucket anymore:

This makes sense as you've just asked AWS to make it available through the VPC endpoint only. But this policy also stops you from managing the bucket policy to correct it: the Deny has Principal "*", so it applies to every caller, and a console or CLI request from outside the VPC carries no aws:SourceVpce value at all, so the StringNotEquals condition is true. An explicit deny wins over any IAM allow, and s3:* includes s3:PutBucketPolicy and s3:DeleteBucketPolicy.

The only way you can correct this is to log in with the root user and remove the bucket policy:

Note that the root user also does not have access to manage the bucket and its objects. But an exception has been made for the bucket policy itself, so the root user can still remove it to correct lock-outs like this!
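The cheaper fix is to not lock yourself out in the first place. The following is an added example (not code from the original post or from AWS): a small pre-apply check that evaluates a bucket policy the way IAM does for a request that does not come through the VPC endpoint, and flags any all-principal Deny that would also cover s3:PutBucketPolicy and s3:DeleteBucketPolicy. It also shows the usual remedy: a second condition block on the same Deny (ArnNotEquals on aws:PrincipalArn) that exempts one admin role, because all condition blocks in a statement must be true for the Deny to apply. The admin role ARN and the account id 123456789012 are placeholders; the checker models only the StringNotEquals and ArnNotEquals operators and ignores Resource, NotAction and the rest of IAM evaluation.

```python
import copy
import fnmatch
import json

# Placeholder admin principal; 123456789012 is the AWS documentation placeholder account id.
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/BucketAdmin"

# The policy from the post, as written: one Deny for every principal that is not
# coming through the VPC endpoint.
POLICY_AS_WRITTEN = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Access-to-specific-VPCE-only",
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::awsexamplebucket1", "arn:aws:s3:::awsexamplebucket1/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}
  }]
}
""")

# Same Deny with an extra condition block. Every block must be true for the statement
# to apply, so requests made by the admin role are no longer denied.
POLICY_WITH_ADMIN_EXEMPTION = copy.deepcopy(POLICY_AS_WRITTEN)
POLICY_WITH_ADMIN_EXEMPTION["Statement"][0]["Condition"]["ArnNotEquals"] = {
    "aws:PrincipalArn": ADMIN_ROLE_ARN
}

# The actions you must keep in order to fix a bad policy later.
MANAGEMENT_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def deny_applies(statement, request_context):
    """True if every condition block of this Deny holds for the given request context.

    Only the two negated operators used here are modelled. A negated operator
    evaluates to true when its key is absent from the request context, which is
    exactly the situation for a console request that carries no aws:SourceVpce.
    """
    for operator, pairs in statement.get("Condition", {}).items():
        if operator not in ("StringNotEquals", "ArnNotEquals"):
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, expected in pairs.items():
            actual = request_context.get(key)
            if actual is not None and actual in _as_list(expected):
                return False  # this block is false, so the whole Deny does not apply
    return True


def lockout_risk(policy, admin_arn):
    """Sids of all-principal Deny statements that would block bucket-policy
    management for the admin when the request does not arrive via the VPC endpoint."""
    console_request = {"aws:PrincipalArn": admin_arn}  # deliberately no aws:SourceVpce
    risky = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(statement.get("Principal")):
            continue
        patterns = _as_list(statement.get("Action", []))
        covers_management = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in patterns
            for action in MANAGEMENT_ACTIONS
        )
        if covers_management and deny_applies(statement, console_request):
            risky.append(statement.get("Sid", "<no Sid>"))
    return risky


if __name__ == "__main__":
    print("as written:     ", lockout_risk(POLICY_AS_WRITTEN, ADMIN_ROLE_ARN))
    print("with exemption: ", lockout_risk(POLICY_WITH_ADMIN_EXEMPTION, ADMIN_ROLE_ARN))
```

Run the check in your deployment pipeline before the put-bucket-policy call: the policy as written is reported as a lock-out risk, the variant with the admin exemption is not, and a request that does arrive through vpce-1a2b3c4d is still allowed by both. The exemption does not weaken the intent of the policy for anyone else; a different role outside the VPC is still denied.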
