Locked out of your S3 bucket?

On an S3 bucket you can set a bucket policy that allows or denies actions on the bucket and its objects. A common use is a policy that only permits access through a VPC endpoint:

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

When you apply this policy to the bucket in the console (or through infrastructure automation) you will find that you cannot access the bucket any more. The Deny uses Principal "*", so it covers every caller, including the IAM users and roles of your own account, and an explicit Deny cannot be overridden by any Allow in an identity policy. A request from the console or from your laptop carries no aws:SourceVpce key at all, and StringNotEquals on an absent key evaluates to true, so the Deny applies.

This makes sense: you have just asked AWS to make the bucket available through the VPC endpoint only. But s3:* also covers s3:PutBucketPolicy and s3:DeleteBucketPolicy, so the same policy stops you from managing the bucket policy to correct it.

Unless you can send the request through that VPC endpoint yourself (for example from an EC2 instance in the VPC, using a role that is allowed s3:DeleteBucketPolicy), the way to correct this is to log in as the account's root user and remove the bucket policy.

Note that the root user is still caught by the Deny for everything else: with Principal "*" it cannot list the bucket or read its objects either. S3 does, however, always let the root user of the bucket-owning account call s3:PutBucketPolicy and s3:DeleteBucketPolicy, even when the bucket policy explicitly denies them, precisely so that lock-outs like this can be corrected.
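The lock-out and the root-user escape hatch described above, as an added example that is not part of the original post and not AWS's own code. It models just enough of IAM policy evaluation to show why the Deny locks out the console, why a request through the VPC endpoint still works, why root can still delete or replace the bucket policy, and how exempting one admin role in a second condition block keeps the account out of the trap in the first place. The account ID, the IAM user and the BucketAdmin role are hypothetical placeholders, and real IAM evaluation has far more rules than are modelled here.

```python
"""Added example: a toy evaluator for the VPC-endpoint-only Deny statement.
Not AWS code; account ID, user and role ARNs are hypothetical placeholders."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::awsexamplebucket1"
ACCOUNT = "111122223333"                                  # hypothetical
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/BucketAdmin"   # hypothetical
IAM_USER = f"arn:aws:iam::{ACCOUNT}:user/alice"           # hypothetical
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# The statement from the post, as applied to the bucket.
LOCKOUT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*",
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
    }],
}

# Same Deny, but all condition blocks must hold for it to apply, so a request
# made by ADMIN_ROLE from anywhere (console included) is no longer denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        **LOCKOUT_POLICY["Statement"][0],
        "Condition": {
            "StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"},
            "ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE},
        },
    }],
}

_NEGATED = {"StringNotEquals", "ArnNotLike"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, expected, ctx):
    """True when one condition block (e.g. the StringNotEquals block) is satisfied."""
    negated = operator in _NEGATED
    for key, want in expected.items():
        if key not in ctx:
            # IAM rule: a negated operator on an absent key is true, a positive one
            # is false. Console and CLI requests carry no aws:SourceVpce at all.
            hit = negated
        else:
            if operator in ("StringEquals", "StringNotEquals"):
                matched = ctx[key] in _as_list(want)
            elif operator in ("ArnLike", "ArnNotLike"):
                matched = any(fnmatch.fnmatchcase(ctx[key], w) for w in _as_list(want))
            else:
                raise ValueError(f"operator {operator} not modelled")
            hit = (not matched) if negated else matched
        if not hit:
            return False
    return True


def _statement_denies(stmt, action, resource, ctx):
    if stmt["Effect"] != "Deny":
        return False  # Allow statements never produce a deny
    if stmt["Principal"] != "*":
        raise ValueError("only wildcard-principal Deny statements are modelled")
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, exp, ctx) for op, exp in stmt.get("Condition", {}).items())


def is_allowed(policy, action, resource, ctx, principal_is_root=False):
    """Outcome for a caller whose identity policy already allows `action`.

    An explicit Deny in the bucket policy overrides that allow. The one exception
    S3 makes: the bucket-owning account's root user can always call
    PutBucketPolicy and DeleteBucketPolicy, which is the escape hatch in the post.
    """
    if principal_is_root and action in ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy"):
        return True
    return not any(_statement_denies(s, action, resource, ctx) for s in policy["Statement"])


def lockout_report(policy):
    """Who can still manage or read the bucket under `policy`."""
    from_console = {"aws:PrincipalArn": IAM_USER}  # no aws:SourceVpce key
    via_vpce = {"aws:PrincipalArn": IAM_USER, "aws:SourceVpce": "vpce-1a2b3c4d"}
    admin_from_console = {"aws:PrincipalArn": ADMIN_ROLE}
    root_from_console = {"aws:PrincipalArn": ROOT}
    return {
        "iam_user_console_put_policy": is_allowed(policy, "s3:PutBucketPolicy", BUCKET_ARN, from_console),
        "iam_user_vpce_put_policy": is_allowed(policy, "s3:PutBucketPolicy", BUCKET_ARN, via_vpce),
        "admin_role_console_put_policy": is_allowed(policy, "s3:PutBucketPolicy", BUCKET_ARN, admin_from_console),
        "root_console_list_bucket": is_allowed(policy, "s3:ListBucket", BUCKET_ARN, root_from_console, True),
        "root_console_delete_policy": is_allowed(policy, "s3:DeleteBucketPolicy", BUCKET_ARN, root_from_console, True),
    }


if __name__ == "__main__":
    for name, pol in (("lock-out policy", LOCKOUT_POLICY), ("hardened policy", HARDENED_POLICY)):
        print(name)
        for check, ok in lockout_report(pol).items():
            print(f"  {check:32} {'allowed' if ok else 'DENIED'}")
```

Under the lock-out policy the report shows the IAM user denied from the console but allowed through the endpoint, root denied for s3:ListBucket yet allowed for s3:DeleteBucketPolicy. Under the hardened policy the admin role can also manage the policy from the console, while every other caller outside the endpoint, root included, stays denied.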