Why am I getting an Access Denied error from the Amazon S3 console when I try to modify a bucket policy?

Last updated: 2020-11-10

I'm trying to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console, but I'm getting an Access Denied error. How can I fix this?

Short description

To view a bucket policy from the Amazon S3 console, your AWS Identity and Access Management (IAM) user or role must have permission to perform the s3:GetBucketPolicy action. To edit an existing bucket policy, your IAM identity must also have permission to perform the s3:PutBucketPolicy action.

To resolve the Access Denied error, check the following:

  • Your IAM identity has permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy.
  • The bucket policy doesn't deny your IAM identity permission for s3:GetBucketPolicy or s3:PutBucketPolicy.
  • Your change to the bucket policy doesn't grant public access when Amazon S3 Block Public Access is enabled.
  • The AWS Organizations service control policy allows Amazon S3 access.
  • If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy.

Resolution

Your IAM identity has permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy

1.    Open the IAM console.

2.    From the console, open the IAM user or role that you're using to access the bucket policy.

3.    In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.

For example, this IAM policy allows the user or role to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyBucketPolicy",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Sid": "AccessS3Console",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Note: The "AccessS3Console" statement in the previous example IAM policy grants Amazon S3 console access and isn't specific to modifying a bucket policy.

5.    In the JSON policy documents, be sure to also search for statements with "Effect": "Deny". Then, confirm that those statements don't deny your IAM user or role access to the s3:GetBucketPolicy or s3:PutBucketPolicy actions on the bucket.

6.    If you can't find policies that grant you permissions for s3:GetBucketPolicy or s3:PutBucketPolicy on the bucket, then add a policy that grants your IAM identity those permissions. If you find any policies that deny you access for s3:GetBucketPolicy or s3:PutBucketPolicy on the bucket, remove the statement or policy that's denying you access. For instructions on modifying your IAM permissions, see Changing permissions for an IAM user.

The bucket policy doesn't deny your IAM identity permission to s3:GetBucketPolicy or s3:PutBucketPolicy

If you confirm that your IAM identity grants you the correct permissions but you still can't modify the bucket policy, then an IAM identity that does have access to the bucket policy must review it for any statements that block your access.

Follow these steps using an IAM identity with access to the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Modify the bucket policy to edit or remove any "Effect": "Deny" statements that are incorrectly denying the IAM user or role access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Your change to the bucket policy doesn't grant public access when Amazon S3 Block Public Access is enabled

Review the bucket policy change to see if the change grants public access to the bucket. Then, check to see if Amazon S3 Block Public Access is enabled on the bucket or the account. If S3 Block Public Access is enabled, you get an Access Denied error when you try to save a bucket policy that grants public access.
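The following is an added example, not code from the article or from AWS, that shows the core of the review described above: it scans a bucket policy for Allow statements whose principal is everyone ("*" or {"AWS": "*"}) and separates the plainly public ones from those that carry a Condition element (for those, S3 decides by the specific condition keys whether the statement still counts as public, which this example does not model). The bucket policy, account ID and VPC endpoint ID are constructed sample values.

```python
import copy

# Constructed sample bucket policy. The bucket name matches the article's
# placeholder; the account ID and VPC endpoint ID are made up.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Plainly public: Allow to everyone, no Condition. S3 Block Public
        # Access rejects a PutBucketPolicy call that contains this.
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
        # Everyone, but restricted to one VPC endpoint by a Condition.
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        # A specific principal: not public.
        {"Sid": "OwnerAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        # A Deny to everyone never grants access, so it is not public.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    """IAM policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_everyone(principal):
    """True for the principal forms that apply to anyone: "*" or {"AWS": "*"}
    (the "*" may also appear inside a list under "AWS")."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_public_statements(policy):
    """Return (Sid, status) for every Allow statement addressed to everyone.
    status is "public" when there is no Condition, "conditional" when a
    Condition is present and the condition keys decide."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_everyone(stmt.get("Principal")):
            continue
        status = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), status))
    return findings


def blocked_by_block_public_access(policy):
    """With Block Public Access (the BlockPublicPolicy setting) enabled on the
    bucket or the account, saving a policy with a plainly public statement
    fails with Access Denied."""
    return any(status == "public" for _, status in find_public_statements(policy))


def scope_to_principal(policy, principal_arn):
    """Return a copy of the policy in which every plainly public Allow
    statement is narrowed to one principal, the usual fix for this error."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and principal_is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            stmt["Principal"] = {"AWS": principal_arn}
    return fixed


if __name__ == "__main__":
    for sid, status in find_public_statements(SAMPLE_BUCKET_POLICY):
        print(f"{sid}: {status}")
    print("rejected under Block Public Access:",
          blocked_by_block_public_access(SAMPLE_BUCKET_POLICY))
    fixed = scope_to_principal(SAMPLE_BUCKET_POLICY, "arn:aws:iam::111122223333:root")
    print("rejected after scoping the principal:",
          blocked_by_block_public_access(fixed))
```

Run the script against a policy saved with `aws s3api get-bucket-policy` (after parsing the JSON string it returns) to see which statement the console is rejecting before you edit it. If the public grant is intended, the article's advice applies in the other direction: the Block Public Access setting, not the policy, is what has to change.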

The AWS Organizations service control policy allows Amazon S3 access

If you're using AWS Organizations, check the service control policies for any statements that explicitly deny Amazon S3 access, specifically for the s3:PutBucketPolicy action.

For example, the following policy explicitly denies access to all Amazon S3 actions and results in an Access Denied error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
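The three checks above (the IAM identity's own policies, Deny statements in the bucket policy, and the Organizations service control policy) all feed one evaluation, and the following added example walks through it offline so you can see which layer produces the Access Denied. It is not AWS's evaluation engine: it models only Effect, Action, Resource and Principal with IAM wildcards, assumes the identity and bucket are in the same account, and ignores Condition elements, NotAction/NotResource, permissions boundaries and session policies. The IAM policy and the deny-all SCP are the article's own examples; the user ARN, account ID, FullAWSAccess-style SCP and the lockout bucket policy are constructed.

```python
import fnmatch

# Constructed identity; the bucket name is the article's placeholder.
IDENTITY_ARN = "arn:aws:iam::111122223333:user/example-user"
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"

# The article's example IAM policy.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ModifyBucketPolicy", "Effect": "Allow",
         "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"], "Resource": BUCKET_ARN},
        {"Sid": "AccessS3Console", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    ],
}
# The article's example SCP that denies every S3 action.
DENY_S3_SCP = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
# Constructed: an SCP that allows everything, like the default FullAWSAccess.
FULL_ACCESS_SCP = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Constructed: a bucket policy that locks everyone out of s3:PutBucketPolicy,
# the situation covered by the last section of the article.
LOCKOUT_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyPolicyChanges", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:PutBucketPolicy", "Resource": BUCKET_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' one character.
    Action names compare case-insensitively, ARNs case-sensitively."""
    pats = _as_list(patterns)
    if fold_case:
        pats, value = [p.lower() for p in pats], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _principal_matches(principal, identity_arn):
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or identity_arn in aws


def statement_effects(policy, action, resource, identity_arn=None):
    """Set of effects ('Allow'/'Deny') of the statements matching the request.
    Pass identity_arn for resource-based policies so Principal is checked."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):  # SCPs use "*"
            continue
        if identity_arn is not None and not _principal_matches(stmt.get("Principal"), identity_arn):
            continue
        effects.add(stmt["Effect"])
    return effects


def evaluate(action, resource, identity_arn, identity_policies, bucket_policy=None, scps=None):
    """Simplified same-account decision: an explicit Deny in any layer wins;
    when SCPs apply, one must Allow the action (SCPs bound, never grant);
    otherwise an identity policy or the bucket policy must Allow."""
    scp_effects = set().union(*(statement_effects(p, action, resource) for p in scps or []))
    bucket_effects = statement_effects(bucket_policy, action, resource, identity_arn) if bucket_policy else set()
    identity_effects = set().union(*(statement_effects(p, action, resource) for p in identity_policies))
    for layer, effects in (("a service control policy", scp_effects),
                           ("the bucket policy", bucket_effects),
                           ("an identity-based policy", identity_effects)):
        if "Deny" in effects:
            return "Denied", f"explicit Deny in {layer}"
    if scps and "Allow" not in scp_effects:
        return "Denied", "no service control policy allows the action"
    if "Allow" in identity_effects:
        return "Allowed", "Allow in an identity-based policy"
    if "Allow" in bucket_effects:
        return "Allowed", "Allow in the bucket policy"
    return "Denied", "no policy allows the action (implicit deny)"


def diagnose(identity_arn, identity_policies, bucket_policy=None, scps=None):
    """Evaluate both actions the console needs and report each decision."""
    return {action: evaluate(action, BUCKET_ARN, identity_arn, identity_policies, bucket_policy, scps)
            for action in ("s3:GetBucketPolicy", "s3:PutBucketPolicy")}


if __name__ == "__main__":
    print("identity policy only:", diagnose(IDENTITY_ARN, [IDENTITY_POLICY]))
    print("with deny-all SCP:   ", diagnose(IDENTITY_ARN, [IDENTITY_POLICY], scps=[DENY_S3_SCP]))
    print("with lockout policy: ", diagnose(IDENTITY_ARN, [IDENTITY_POLICY],
                                            bucket_policy=LOCKOUT_BUCKET_POLICY, scps=[FULL_ACCESS_SCP]))
```

The reason string tells you which section of this article to work through: an SCP deny is fixed in Organizations, a bucket policy deny needs a second identity (or, if everyone is denied, the root user deleting the policy), and an implicit deny means the identity policy is missing the Allow.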

If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy

If no IAM identities can view or modify the bucket policy, the AWS account root user always has permission to delete the existing bucket policy. After the existing policy is deleted by the root user, your IAM user or role can create a new bucket policy.
