Locked out of your S3 bucket?

Category: AWS Troubleshooting
5 July 2023

In S3 buckets you can set a bucket policy to allow or disallow actions on the S3 bucket. Often this is used to set a bucket policy that only allows access through a VPC endpoint:

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

When you apply this policy to the bucket in the admin interface (or through infrastructure automation) you will see that you cannot access this bucket anymore:

This makes sense as you’ve just asked AWS to make it available through the VPC endpoint only. But this policy also stops you from managing the bucket policy to correct it.

The only way you can correct this is to log in with the root user and remove the bucket policy:

Note that the root user also does not have access to manage the bucket and its objects through this policy. But an exception has been made for the root user on the bucket policy itself, so that lock-outs like this can be corrected!
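As an added example (not from the original post), a small Python model of how the Deny statement above is evaluated: it shows why a console request, which carries no aws:SourceVpce key, is denied even for the administrator who applied the policy, and builds a hardened variant that additionally exempts one admin role via aws:PrincipalArn so the policy can still be managed without the root user. The role ARN is a placeholder and the evaluator is a constructed simplification covering only the condition operators used here.

```python
import fnmatch

# Constructed example: the post's VPC-endpoint-only Deny, optionally
# hardened by also exempting one admin role (placeholder ARN) from the Deny.
# Condition keys within one statement are ANDed, so the hardened Deny only
# applies when the request is NOT from the VPCE AND NOT from the admin role.
VPCE = "vpce-1a2b3c4d"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/BucketAdmin"  # placeholder ARN


def vpce_only_policy(exempt_principal=None):
    """Build the bucket policy; pass a role ARN to get the hardened variant."""
    cond = {"StringNotEquals": {"aws:SourceVpce": VPCE}}
    if exempt_principal:
        cond["ArnNotEquals"] = {"aws:PrincipalArn": exempt_principal}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*", "Action": "s3:*", "Effect": "Deny",
        "Resource": ["arn:aws:s3:::awsexamplebucket1",
                     "arn:aws:s3:::awsexamplebucket1/*"],
        "Condition": cond}]}


def _condition_matches(op, key, value, ctx):
    # A missing context key makes the *NotEquals operators evaluate true,
    # which is exactly why a console request (no aws:SourceVpce) is denied.
    actual = ctx.get(key)
    if op in ("StringNotEquals", "ArnNotEquals"):
        return actual != value
    raise ValueError(f"operator {op} not modelled in this example")


def is_denied(policy, action, ctx):
    """True if an explicit Deny statement matches the request.
    ctx maps condition keys (aws:SourceVpce, aws:PrincipalArn) to values.
    Simplified model: ignores Allow statements, resource matching and the
    root user's built-in ability to delete the bucket policy."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        conds = st.get("Condition", {})
        if all(_condition_matches(op, k, v, ctx)
               for op, kv in conds.items() for k, v in kv.items()):
            return True
    return False
```

With the original policy, `is_denied(vpce_only_policy(), "s3:PutBucketPolicy", {"aws:PrincipalArn": ADMIN_ROLE})` is true; with `vpce_only_policy(ADMIN_ROLE)` the same request is no longer denied while every other principal outside the VPC endpoint still is.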
