My bucket policy has the wrong VPC or VPC endpoint ID. How can I fix the policy so that I can access the bucket?

Last updated: 2020-12-23

My Amazon Simple Storage Service (Amazon S3) bucket policy specifies an incorrect Amazon Virtual Private Cloud (Amazon VPC) ID or VPC endpoint ID, and the policy now denies my requests. How can I fix the policy so that I can access the bucket again?

Resolution

The VPC ID or VPC endpoint ID is valid, but it's for the wrong VPC

If the VPC ID or VPC endpoint ID in the bucket policy is valid but points to the wrong VPC, then follow these steps:

Note: If you specified a VPC ID in the bucket policy, make sure that a VPC endpoint for Amazon S3 is associated with that VPC. The aws:SourceVpc condition key is set only on requests that reach Amazon S3 through a VPC endpoint, so without one no request can match the policy and you can't update the bucket.

1.    Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in the currently allowed VPC.

Note: The Amazon EC2 instance must also use a route table that routes traffic to Amazon S3 through the VPC endpoint. Additionally, the instance must have an IAM role or credentials with permission to access the S3 bucket, including s3:GetBucketPolicy, s3:DeleteBucketPolicy, and s3:PutBucketPolicy for the following steps.

2.    From the instance, run the following AWS Command Line Interface (AWS CLI) command to get the bucket policy:

aws s3api get-bucket-policy --bucket example_bucket

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent AWS CLI version.

3.    Copy the existing bucket policy, and then keep it as a reference for a later step.

4.    Run this command to delete the bucket policy:

Warning: The following command deletes the entire bucket policy. Be sure to keep a copy of the existing bucket policy for reference.

aws s3api delete-bucket-policy --bucket example_bucket

5.    Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, remove the VPC restriction entirely if you don't need access restricted by VPC. Then, save the corrected policy as a JSON document.

6.    Because the bucket policy is now deleted, the VPC restriction no longer applies. From any principal in the bucket owner's account that has s3:PutBucketPolicy permission, add the corrected bucket policy to the bucket by running the put-bucket-policy command:

aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json

The VPC ID or VPC endpoint ID is not valid

If the VPC ID or VPC endpoint ID in the bucket policy is invalid (or mistyped), then no request can satisfy the condition and you receive an Access Denied error, including on requests to change the policy. To update the invalid (or incorrect) policy, you must have AWS account root user access. You can't edit or remove the policy with IAM admin-level access.

Note: These procedures don't apply to AWS GovCloud (US). If you're an AWS GovCloud (US) user, contact AWS Support for assistance.

Follow these steps to correct the bucket policy using the Amazon S3 console:

1.    Sign in to the Amazon S3 console as the root user.

2.    Select the Amazon S3 bucket with the bucket policy that you want to delete or edit.

Note: After you open the bucket, you might see an "Access Denied" error in the console. You can proceed with the next steps even if you see this error.

3.    Choose the Permissions view.

4.    Choose Bucket Policy.

5.    To delete the bucket policy entirely, choose Delete. To edit only the VPC ID or VPC endpoint ID, correct the ID in the Bucket policy editor, and then choose Save.

Warning: If you delete the bucket policy entirely, be sure to keep a copy of the existing bucket policy for reference.

Follow these steps to correct the bucket policy using the AWS CLI:

Warning: This procedure uses root user credentials (access keys). It's a best practice to use root user credentials only for emergency or recovery scenarios such as this one. After you complete the recovery, delete the root user access keys. For more information, see Lock away your AWS account root user access keys.

1.    Run the following command to configure the AWS CLI:

aws configure

2.    The command prompts you to enter your credentials. Enter your root user access key ID and secret access key. For instructions on how to generate these credentials, see Creating access keys for the root user.

3.    Run this command to get the bucket policy:

aws s3api get-bucket-policy --bucket example_bucket

4.    Copy the existing bucket policy, and then keep it as a reference for a later step.

5.    Run this command to delete the bucket policy:

Warning: The following command deletes the entire bucket policy. Be sure to keep a copy of the existing bucket policy for reference.

aws s3api delete-bucket-policy --bucket example_bucket

6.    Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, remove the VPC restriction entirely if you don't need access restricted by the VPC. Then, save the corrected policy as a JSON document.

7.    Add the corrected bucket policy to the bucket by running the put-bucket-policy command:

aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json
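The edit step in both procedures above (rewrite the VPC or VPC endpoint ID, then save the policy as policy.json for put-bucket-policy) is where a second typo can lock you out again, this time with only the root user able to recover. The following script is an added example, not part of the original article or the AWS CLI: it swaps old IDs for new ones in every aws:SourceVpc or aws:SourceVpce condition, rejects a new ID whose format is wrong, and refuses to proceed if an old ID you asked to replace doesn't occur in the policy. The sample policy, bucket name and IDs are constructed for illustration; the script doesn't call AWS, and it can't confirm that a well-formed ID actually exists, so compare the new ID against aws ec2 describe-vpc-endpoints (or describe-vpcs) output before you run put-bucket-policy.

```python
"""Rewrite VPC / VPC endpoint IDs in an S3 bucket policy with format checks.

Added example for the article's edit step; not AWS code. Run it, then pass the
printed JSON to: aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json
"""
import copy
import json
import re

# Condition keys this tool rewrites (IAM matches condition keys case-insensitively)
# and the ID format each accepts: the prefix plus 8 or 17 lowercase hex characters.
ID_FORMATS = {
    "aws:sourcevpc": re.compile(r"^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
    "aws:sourcevpce": re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
}

# Constructed sample policy (bucket name and IDs are made up): deny every request
# that doesn't arrive through the listed endpoint / VPCs.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}},
        },
        {
            "Sid": "Access-to-specific-VPCs-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpc": ["vpc-11111111", "vpc-1a2b3c4d"]}},
        },
    ],
}


def rewrite_vpc_conditions(policy, replacements):
    """Return a deep copy of `policy` with old VPC/VPCE IDs swapped for new ones.

    `replacements` maps old ID -> new ID. Every value that ends up in an
    aws:SourceVpc / aws:SourceVpce condition (replaced or not) is checked against
    the key's ID format, and every old ID must be found at least once. Both
    problems raise ValueError, so a typo cannot produce a policy that silently
    denies everyone, which is the failure mode that needs the root user to undo.
    """
    fixed = copy.deepcopy(policy)
    statements = fixed["Statement"]
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    replaced = set()
    for stmt in statements:
        for key_values in stmt.get("Condition", {}).values():
            for key, values in key_values.items():
                pattern = ID_FORMATS.get(key.lower())
                if pattern is None:
                    continue  # some other condition key, leave untouched
                is_list = isinstance(values, list)
                new_values = []
                for value in values if is_list else [values]:
                    new = replacements.get(value, value)
                    if new != value:
                        replaced.add(value)
                    if not pattern.fullmatch(new):
                        raise ValueError(f"{new!r} is not a valid value for {key}")
                    new_values.append(new)
                key_values[key] = new_values if is_list else new_values[0]
    missing = set(replacements) - replaced
    if missing:
        raise ValueError(f"IDs to replace not present in policy: {sorted(missing)}")
    return fixed


def corrected_policy_json(policy, replacements):
    """Serialize the corrected policy in the form put-bucket-policy expects."""
    return json.dumps(rewrite_vpc_conditions(policy, replacements), indent=2)


if __name__ == "__main__":
    # Old (wrong) ID -> the endpoint and VPC you actually use (hypothetical IDs).
    fixes = {"vpce-1a2b3c4d": "vpce-0f1e2d3c4b5a69788", "vpc-1a2b3c4d": "vpc-0123456789abcdef0"}
    print(corrected_policy_json(SAMPLE_POLICY, fixes))
```

Redirect the output to policy.json and use it with the put-bucket-policy command from step 7. The original policy object is left unchanged, so you still have the copy you saved in step 4 to fall back on.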

AWS best practices

After you correct your bucket policy, make sure to adhere to the following best practices:

