
I can't access an Amazon Simple Storage Service (Amazon S3) bucket because the Amazon Virtual Private Cloud (VPC) ID or VPC endpoint ID in the bucket policy is wrong. How can I fix the policy so that I can access the bucket again?

The VPC ID or VPC endpoint ID is valid, but it's for the wrong VPC

If the VPC ID or VPC endpoint ID in the bucket policy is valid but points to the wrong VPC, follow these steps:

Note: If you specified a VPC ID in the bucket policy, the VPC must have an associated VPC endpoint to access the bucket and correct the policy.

1.    Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in the currently allowed VPC and that also uses a route table that allows traffic to Amazon S3 through the VPC endpoint. The instance must also have a role or credentials with permission to access the bucket.

2.    From the instance, run the following AWS Command Line Interface (AWS CLI) command to get the bucket policy:

aws s3api get-bucket-policy --bucket example_bucket

3.    Copy the existing bucket policy, and then keep it as a reference for a later step.

4.    Run this command to delete the bucket policy:

Warning: The following command deletes the entire bucket policy. Be sure to keep a copy of the existing bucket policy for reference.

aws s3api delete-bucket-policy --bucket example_bucket

5.    Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, remove the VPC restriction entirely if you don't need access restricted by VPC. If you remove the restriction, remove the whole statement that carries the VPC condition, not just its Condition block: a "Deny unless the request comes from my VPC" statement with its condition stripped becomes an unconditional Deny. Then, save the corrected policy as a JSON document.

6.    With the old policy deleted, the VPC restriction no longer applies, so any IAM user or role in the bucket owner's account that is allowed to call s3:PutBucketPolicy can add the corrected policy, from inside or outside the VPC. Add it by running this command:

aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json

The VPC ID or VPC endpoint ID is not valid

If the VPC ID or VPC endpoint ID in the bucket policy is not valid (for example, it's mistyped or the VPC no longer exists), then you must have AWS account root user access to delete or edit the incorrect policy. You can't delete or edit the policy even with an AWS Identity and Access Management (IAM) user or role that has administrator-level access.

Note: These procedures don't apply to AWS GovCloud (US). If you're an AWS GovCloud (US) user, contact AWS Support for assistance.

Follow these steps to correct the bucket policy using the Amazon S3 console:

1.    Sign in to the Amazon S3 console as the root user.

2.    Select the bucket with the bucket policy that you want to delete or edit.
Note: After you open the bucket, you might see an "Access Denied" error in the console. You can proceed with the next steps even if you see this error.

3.    Choose the Permissions view.

4.    Choose Bucket Policy.

5.    To delete the bucket policy entirely, choose Delete. To edit only the VPC ID or VPC endpoint ID, correct the ID in the Bucket policy editor, and then choose Save.
Warning: If you delete the bucket policy entirely, be sure to keep a copy of the existing bucket policy for reference.

Follow these steps to correct the bucket policy using the AWS CLI:

Warning: This procedure uses root user credentials (access keys), which AWS recommends using only for emergency or recovery scenarios. Avoid using root user credentials unless necessary. For more information, see Lock Away Your AWS Account Root User Access Keys.

1.    Run this command to configure the AWS CLI:

aws configure

2.    The command prompts you for your credentials. Enter your root user access key ID and secret access key. For instructions on how to generate these credentials, see Creating Access Keys for the Root User.

3.    Run this command to get the bucket policy:

aws s3api get-bucket-policy --bucket example_bucket

4.    Copy the existing bucket policy, and then keep it as a reference for a later step.

5.    Run this command to delete the bucket policy:

Warning: The following command deletes the entire bucket policy. Be sure to keep a copy of the existing bucket policy for reference.

aws s3api delete-bucket-policy --bucket example_bucket

6.    Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, remove the VPC restriction entirely if you don't need access restricted by VPC. If you remove the restriction, remove the whole statement that carries the VPC condition rather than only its Condition block, so that a conditional Deny does not become an unconditional one. Then, save the corrected policy as a JSON document.

7.    Add the corrected bucket policy to the bucket by running this command:

aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json
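Both CLI procedures above (from an instance in the allowed VPC, or with root user credentials) boil down to the same get, back up, rewrite, put sequence. The script below is an added example written for this article, not AWS code. It assumes the policy restricts access with the aws:SourceVpc / aws:SourceVpce condition keys, which is how such restrictions are normally written, and it includes a constructed sample policy (bucket example_bucket, endpoint vpce-1a2b3c4d) so the rewriting logic can be exercised offline. The helper names (unwrap_policy, replace_vpc_ids, strip_vpc_restriction, run_fix) are this example's own. It handles two details the manual steps gloss over: get-bucket-policy returns the policy as a JSON string nested inside a JSON object, and a new ID is checked against the expected format before anything is written back, so a second typo cannot lock you out again.

```python
"""Repair the VPC / VPC endpoint IDs in an S3 bucket policy.

Added example for the article, not AWS code. Assumes the policy uses the
aws:SourceVpc / aws:SourceVpce condition keys.
"""
import copy
import json
import re
import subprocess
import sys

# Keyed by lower-cased condition key (IAM condition keys are case-insensitive).
# Accepts both the legacy 8-hex-digit and the current 17-hex-digit IDs.
ID_PATTERNS = {
    "aws:sourcevpc": re.compile(r"^vpc-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
    "aws:sourcevpce": re.compile(r"^vpce-(?:[0-9a-f]{8}|[0-9a-f]{17})$"),
}

# Constructed sample of what `aws s3api get-bucket-policy` prints: the usual
# "deny anything not arriving through my endpoint" policy, pointing at the
# wrong endpoint, plus one unrelated Allow statement.
SAMPLE_GET_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example_bucket",
                      "arn:aws:s3:::example_bucket/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}},
        {"Sid": "AllowCrossAccountRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example_bucket/*"},
    ],
})})


def unwrap_policy(get_bucket_policy_output):
    """get-bucket-policy wraps the policy as a JSON *string* inside
    {"Policy": "..."}; decode both layers."""
    return json.loads(json.loads(get_bucket_policy_output)["Policy"])


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _walk_conditions(statement):
    """Yield (condition_key, operator_block) for each VPC condition key,
    e.g. ("aws:SourceVpce", {"aws:SourceVpce": "vpce-1a2b3c4d"})."""
    for _operator, block in statement.get("Condition", {}).items():
        for key in list(block):
            if key.lower() in ID_PATTERNS:
                yield key, block


def find_vpc_ids(policy):
    """Return {condition_key: sorted IDs} referenced anywhere in the policy."""
    found = {}
    for stmt in _statements(policy):
        for key, block in _walk_conditions(stmt):
            values = block[key]
            found.setdefault(key, set()).update(
                values if isinstance(values, list) else [values])
    return {k: sorted(v) for k, v in found.items()}


def replace_vpc_ids(policy, mapping):
    """Return (corrected_policy, replacements). Every new ID is validated
    against the format of the key it sits under, so a typo is rejected
    before it can be written back to the bucket."""
    policy = copy.deepcopy(policy)
    replaced = 0
    for stmt in _statements(policy):
        for key, block in _walk_conditions(stmt):
            values = block[key]
            as_list = isinstance(values, list)
            new_values = []
            for old in (values if as_list else [values]):
                new = mapping.get(old, old)
                if new != old:
                    if not ID_PATTERNS[key.lower()].match(new):
                        raise ValueError(f"{new!r} is not a valid value for {key}")
                    replaced += 1
                new_values.append(new)
            block[key] = new_values if as_list else new_values[0]
    return policy, replaced


def strip_vpc_restriction(policy):
    """Drop every statement carrying a VPC condition (the whole statement,
    not just its Condition, or a conditional Deny becomes unconditional).
    Returns None if nothing remains: S3 rejects an empty Statement list,
    so the caller should delete the policy instead of putting it back."""
    policy = copy.deepcopy(policy)
    keep = [s for s in _statements(policy) if not any(_walk_conditions(s))]
    if not keep:
        return None
    policy["Statement"] = keep
    return policy


def run_fix(bucket, mapping, backup_path="policy.backup.json"):
    """get -> back up -> rewrite -> put, using whatever AWS CLI credentials
    are configured (instance role in the allowed VPC, or root user keys)."""
    out = subprocess.check_output(
        ["aws", "s3api", "get-bucket-policy", "--bucket", bucket], text=True)
    with open(backup_path, "w") as fh:
        fh.write(out)  # keep the original, as the article insists
    fixed, n = replace_vpc_ids(unwrap_policy(out), mapping)
    if n == 0:
        sys.exit(f"none of {sorted(mapping)} found in the policy; nothing written")
    subprocess.check_call(["aws", "s3api", "put-bucket-policy",
                           "--bucket", bucket, "--policy", json.dumps(fixed)])


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: fix_vpc_policy.py BUCKET WRONG_ID CORRECT_ID")
    run_fix(sys.argv[1], {sys.argv[2]: sys.argv[3]})
```

Because the rewrite replaces the policy in one put-bucket-policy call, the separate delete step from the article is only needed when strip_vpc_restriction returns None (no statements left). Before running it, confirm that the new endpoint ID really belongs to the VPC you expect with `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids <id>`, since the script only checks the ID's format, not its existence.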

Important: As an AWS security best practice, be sure to do the following after you correct the bucket policy:



Published: 2018-08-08