Locked out of your S3 bucket?

Category AWS Troubleshooting
5 July 2023

An S3 bucket policy allows or denies actions on a bucket and its objects. A common use is to allow access only through a specific VPC endpoint, by denying every request that does not arrive through that endpoint:

{
   "Version": "2012-10-17",
   "Id": "Policy1415115909152",
   "Statement": [
     {
       "Sid": "Access-to-specific-VPCE-only",
       "Principal": "*",
       "Action": "s3:*",
       "Effect": "Deny",
       "Resource": ["arn:aws:s3:::awsexamplebucket1",
                    "arn:aws:s3:::awsexamplebucket1/*"],
       "Condition": {
         "StringNotEquals": {
           "aws:SourceVpce": "vpce-1a2b3c4d"
         }
       }
     }
   ]
}

When you apply this policy to the bucket in the console (or through infrastructure automation) you will see that you can no longer access the bucket.

This makes sense: you have just asked AWS to make the bucket reachable through the VPC endpoint only, and a console or CLI request from your workstation carries no aws:SourceVpce key, so the StringNotEquals condition matches and the Deny applies. But because the statement denies s3:* for every principal, it also stops you from calling s3:PutBucketPolicy or s3:DeleteBucketPolicy to correct the policy.

Unless you can still reach the bucket from inside the VPC through that endpoint (the Deny only matches requests that do not arrive via vpce-1a2b3c4d, so an instance behind the endpoint with the right IAM permissions could still change the policy), the way out is to log in as the root user of the account that owns the bucket and delete the bucket policy.

Note that this policy denies the root user too: it cannot manage the bucket or its objects either. As a security precaution, however, the root user of the bucket owner's account can always call s3:DeleteBucketPolicy (and s3:PutBucketPolicy), even when the bucket policy explicitly denies it, precisely so that lock-outs like this can be corrected.
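Before applying a policy like the one above, it is worth checking whether the principal you would use to repair it can still call PutBucketPolicy / DeleteBucketPolicy from where you actually work. The script below is an added example (not AWS tooling and not part of the original post): it re-implements the small subset of IAM condition evaluation that VPC-endpoint-only policies use, runs the policy from the post against two request contexts (console, and inside the VPC via the endpoint), and then shows the usual fix of exempting one administrative role with a second condition on aws:PrincipalArn. The account id, role name and bucket name are made up.

```python
"""Pre-flight lock-out check for an S3 bucket policy.

Added example, not AWS tooling: it re-implements the subset of IAM condition
evaluation needed for VPC-endpoint-only policies and reports which of the
policy-repair actions (PutBucketPolicy / DeleteBucketPolicy) a Deny statement
would block for a given request context. Account id, role name and bucket
name are constructed for the example.
"""
import fnmatch

REPAIR_ACTIONS = ("s3:PutBucketPolicy", "s3:DeleteBucketPolicy")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """Does the statement's Principal cover `principal_arn`? A bare "*"
    (or {"AWS": "*"}) covers every principal, the account root included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", principal_arn)
                   for v in principal.values() for p in _as_list(v))
    return False


def _condition_holds(condition, ctx):
    """True when every operator block matches the request context `ctx`.

    Missing context key: negated operators (...NotEquals, ...NotLike) and
    ...IfExists operators match, everything else fails. That is why a
    console/CLI request, which carries no aws:SourceVpce key, is caught by
    StringNotEquals on that key. Arn* and *Like operators allow wildcards;
    the remaining string operators need an exact match."""
    for operator, pairs in condition.items():
        base = operator.removesuffix("IfExists")
        negated = "Not" in base
        wildcard = base.startswith("Arn") or base.endswith("Like")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if negated or operator.endswith("IfExists"):
                    continue
                return False
            if wildcard:
                hit = any(fnmatch.fnmatchcase(actual, e) for e in _as_list(expected))
            else:
                hit = actual in _as_list(expected)
            if hit == negated:  # positive op without a hit, or negated op with one
                return False
    return True


def blocked_repair_actions(policy, bucket_arn, ctx):
    """Repair actions that some Deny statement in `policy` blocks for a request
    with context `ctx` (must contain aws:PrincipalArn). An empty list means
    the caller could still fix or remove the policy from that position."""
    blocked = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if not _principal_matches(st.get("Principal"), ctx["aws:PrincipalArn"]):
            continue
        if not any(fnmatch.fnmatchcase(bucket_arn, r) for r in _as_list(st.get("Resource", []))):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        for action in REPAIR_ACTIONS:
            if any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
                blocked.add(action)
    return sorted(blocked)


# Constructed inputs: the policy from the post, optionally with an extra
# condition that exempts one hypothetical administrative role.
BUCKET_ARN = "arn:aws:s3:::awsexamplebucket1"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/S3Admin"  # made-up account/role
VPCE_ID = "vpce-1a2b3c4d"


def vpce_only_policy(exempt_admin=False):
    condition = {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}
    if exempt_admin:
        # All operators in a Condition must hold for the Deny to apply, so
        # the admin role escapes the Deny even when calling from outside the VPC.
        condition["ArnNotEquals"] = {"aws:PrincipalArn": ADMIN_ROLE}
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Access-to-specific-VPCE-only",
        "Principal": "*", "Action": "s3:*", "Effect": "Deny",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": condition}]}


# Request contexts: the admin role from the console (no aws:SourceVpce key)
# and from an instance inside the VPC that goes through the endpoint.
FROM_CONSOLE = {"aws:PrincipalArn": ADMIN_ROLE}
FROM_VPCE = {"aws:PrincipalArn": ADMIN_ROLE, "aws:SourceVpce": VPCE_ID}

if __name__ == "__main__":
    for label, pol in (("as posted", vpce_only_policy()),
                       ("with admin exemption", vpce_only_policy(True))):
        for where, ctx in (("console", FROM_CONSOLE), ("via VPCE", FROM_VPCE)):
            print(f"{label:21s} {where:9s} blocked: {blocked_repair_actions(pol, BUCKET_ARN, ctx)}")
```

For the policy as posted the check reports both repair actions blocked from the console and nothing blocked via the endpoint; with the ArnNotEquals exemption the admin role is no longer locked out from the console while every other principal still is. If you are already locked out, the root user can run `aws s3api delete-bucket-policy --bucket awsexamplebucket1` thanks to the exception described above; after that, re-apply the policy with an exemption for your administrative principal so the next fix does not require root credentials.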
