Why am I getting an Access Denied error from the Amazon S3 console when I try to modify a bucket policy?

Last updated: 2021-04-27

I keep getting an Access Denied error when I try to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket. How can I fix this?

Short description

To view a bucket policy from the Amazon S3 console, your AWS Identity and Access Management (IAM) user or role must have s3:GetBucketPolicy permissions. To edit an existing bucket policy, your IAM identity must have permission to perform the s3:PutBucketPolicy action.

To resolve the Access Denied error, check the following:

  • Your IAM identity has permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy.
  • The bucket policy doesn't deny your IAM identity permission for s3:GetBucketPolicy or s3:PutBucketPolicy.
  • Your change to the bucket policy doesn't grant public access when Amazon S3 Block Public Access is enabled.
  • The AWS Organizations service control policy allows Amazon S3 access.
  • If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy.
    Note:
    If you can't delete a bucket policy, try deleting the policy as the AWS account root user.

Resolution

Your IAM identity has permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy

1.    Open the IAM console.

2.    Select the entity that is used to access the bucket policy, such as User or Role.

3.    Select the IAM user or role name that you're using to access the bucket policy.

4.    In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

5.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket. Both are bucket-level actions, so the Resource element must name the bucket ARN itself (arn:aws:s3:::DOC-EXAMPLE-BUCKET); a statement scoped only to the object ARN pattern (arn:aws:s3:::DOC-EXAMPLE-BUCKET/*) doesn't cover them.

For example, this IAM policy allows the user or role to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyBucketPolicy",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Sid": "AccessS3Console",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Note: The "AccessS3Console" statement in the previous example IAM policy grants Amazon S3 console access and isn't specific to modifying a bucket policy.

6.    In the JSON policy documents, also search for statements with "Effect": "Deny". Then, confirm that none of those statements denies your IAM user or role the s3:GetBucketPolicy or s3:PutBucketPolicy action on the bucket, including through wildcards such as "s3:*" or "s3:Put*" combined with a Resource of "*". An explicit Deny overrides any Allow, no matter which policy contains it.

7.    If you can't find policies that grant s3:GetBucketPolicy or s3:PutBucketPolicy permissions, then add a policy granting your IAM identity those permissions. If you find any policies that deny access for s3:GetBucketPolicy or s3:PutBucketPolicy on the bucket, remove those statements or policies. For instructions on modifying your IAM permissions, see Changing permissions for an IAM user.

The bucket policy doesn't deny your IAM identity permission to s3:GetBucketPolicy or s3:PutBucketPolicy

If you still can't modify the bucket policy after confirming your IAM permissions, then check the bucket policy itself using another IAM identity. That identity must have s3:GetBucketPolicy permission on the bucket and must not be denied by the bucket policy, so that you can read the policy and look for statements that are blocking your access.

Follow these steps using an IAM identity with access to the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Modify the bucket policy to update any "Effect": "Deny" statements that incorrectly deny the IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Your change to the bucket policy doesn't grant public access when Amazon S3 Block Public Access is enabled

Review the bucket policy change to see whether it grants public access to the bucket. Amazon S3 treats a policy as public when an Allow statement grants permissions to a wildcard principal ("*" or {"AWS": "*"}) and no Condition limits the grant to a fixed set of callers (for example, a specific VPC endpoint). Then, check whether Amazon S3 Block Public Access is enabled for the bucket (in the bucket's Permissions tab) or for the account (under Block Public Access settings for this account in the S3 console). If the BlockPublicPolicy setting is enabled at either level, the PutBucketPolicy call is rejected, and you get an Access Denied error when you try to save a bucket policy that grants public access.
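To see which statements would trip this check before you try to save, the following Python script scans a bucket policy for Allow statements whose principal is the wildcard ("*" or {"AWS": "*"}) and reports whether each one is unconditional. This is an added example, not part of this article or of any AWS tool; the sample bucket policy, the role ARN and the VPC endpoint ID in it are constructed placeholders.

```python
def _as_list(value):
    """Principal.AWS, Action and similar elements may be a string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def grants_to_everyone(stmt):
    """True when a statement's principal is the wildcard: Principal "*" or
    {"AWS": "*"} reaches anonymous and cross-account callers alike, and an Allow
    with NotPrincipal reaches everyone except the ARNs listed."""
    if "NotPrincipal" in stmt:
        return True
    p = stmt.get("Principal")
    return p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))


def find_public_grants(bucket_policy):
    """Return (sid, actions, has_condition) for each Allow statement that grants to a
    wildcard principal. S3 treats such a grant as non-public only when a Condition
    narrows it with specific keys (aws:SourceVpce is one example); that key list is
    not reproduced here, so conditional grants are returned for review, not decided."""
    findings = []
    for stmt in _as_list(bucket_policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and grants_to_everyone(stmt):
            actions = _as_list(stmt.get("Action")) or ["NotAction"]
            findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def rejected_by_block_public_policy(bucket_policy):
    """PutBucketPolicy fails with Access Denied under BlockPublicPolicy when the new
    policy is public. An unconditional wildcard grant is public beyond doubt, so
    that is what this returns True for; review the conditional ones by hand."""
    return any(not has_condition for _, _, has_condition in find_public_grants(bucket_policy))


# Constructed sample bucket policy. DOC-EXAMPLE-BUCKET is the article's placeholder;
# the role ARN and the VPC endpoint ID are hypothetical.
SAMPLE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",  # public: rejected
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"},
    {"Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": {"AWS": "*"},  # wildcard, but conditional
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AdminOnly", "Effect": "Allow",  # specific principal: not public
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/bucket-admin"},
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",  # a Deny is never a grant
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

if __name__ == "__main__":
    for sid, actions, conditional in find_public_grants(SAMPLE_BUCKET_POLICY):
        print(f"{sid}: {actions} {'(conditional, review)' if conditional else '(public)'}")
    print("rejected by BlockPublicPolicy:", rejected_by_block_public_policy(SAMPLE_BUCKET_POLICY))
```

Run it against the policy you are about to save (for example, loaded with json.load from the file you plan to pass to the CLI). A statement reported as public has to be narrowed to named principals or to a recognized condition key before Block Public Access will let it through; the Deny statement in the sample is left alone because it grants nothing.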

The AWS Organizations service control policy allows Amazon S3 access

If you're using AWS Organizations, check the service control policies (SCPs) attached to the account, to its organizational units, and to the organization root for statements that explicitly deny Amazon S3 access. In particular, look for statements denying the s3:PutBucketPolicy action, or all of Amazon S3 through a wildcard such as "s3:*". SCPs apply to every IAM user and role in a member account and to that account's root user, so an SCP deny can't be worked around from inside the account; an administrator in the organization's management account must change the SCP.

For example, the following policy explicitly denies access to all Amazon S3 actions and results in an Access Denied error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
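The three checks so far (Allow and Deny statements in your identity policies in Resolution steps 5 to 7, Deny statements in the bucket policy, and Deny statements in an SCP) are one question asked of different policy documents: for each of s3:GetBucketPolicy and s3:PutBucketPolicy on the bucket ARN, is there an Allow, and is there an explicit Deny anywhere that overrides it? The Python script below is an added example, not part of this article or of any AWS tool; it runs that checklist offline over policy JSON pasted from the IAM or S3 console. The caller ARN and the sample policies are constructed, except that the ModifyBucketPolicy document and the deny-all SCP are the ones shown in this article. It handles wildcard Action and Resource patterns and NotAction/NotResource, ignores Condition elements (it flags statements that carry one), and is a reading aid rather than a substitute for the IAM policy simulator.

```python
import re

# The two bucket-level actions the article is about.
REQUIRED_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy")


def _as_list(value):
    """Action, Resource, Principal.AWS and similar elements may be a string or a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; ARNs don't."""
    regex = "^" + ".*".join(re.escape(p).replace(r"\?", ".") for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_covers(stmt, principal_arn):
    """Identity policies and SCPs have no Principal and apply to the caller. Bucket
    policy statements do; only "*" and exact ARNs are handled here (assumption: the
    account shorthand arn:aws:iam::ACCOUNT:root is not used)."""
    for key in ("Principal", "NotPrincipal"):
        if key in stmt:
            p = stmt[key]
            listed = ["*"] if p == "*" else _as_list(p.get("AWS")) if isinstance(p, dict) else []
            hit = "*" in listed or principal_arn in listed
            return hit if key == "Principal" else not hit
    return True


def _statement_covers(stmt, action, resource, principal_arn):
    """True if Principal, Action/NotAction and Resource/NotResource all match.
    Condition is not evaluated; matching statements that carry one are still
    reported, marked for review by hand."""
    if not _principal_covers(stmt, principal_arn):
        return False
    actions, not_actions = _as_list(stmt.get("Action")), _as_list(stmt.get("NotAction"))
    if actions:
        if not any(_wild(a, action, True) for a in actions):
            return False
    elif not not_actions or any(_wild(a, action, True) for a in not_actions):
        return False
    resources, not_resources = _as_list(stmt.get("Resource")), _as_list(stmt.get("NotResource"))
    if resources:
        return any(_wild(r, resource) for r in resources)
    return bool(not_resources) and not any(_wild(r, resource) for r in not_resources)


def check_policies(bucket_arn, principal_arn, identity_policies, bucket_policy=None, scps=None):
    """The article's checklist for one IAM user or role in the bucket's own account:
    each action needs an Allow in an identity policy and must not be explicitly denied
    by an identity policy, the bucket policy, or an SCP. Assumptions: the SCPs still
    include the default FullAWSAccess allow, and a bucket policy Allow naming the
    principal (also valid within one account) is not counted, as in the article."""
    sources = [("identity:" + n, d) for n, d in identity_policies.items()]
    if bucket_policy:
        sources.append(("bucket-policy", bucket_policy))
    sources += [("scp:" + n, d) for n, d in (scps or {}).items()]
    report = {}
    for action in REQUIRED_ACTIONS:
        allowed_by, denied_by = [], []
        for name, doc in sources:
            for stmt in _as_list(doc.get("Statement")):
                if not _statement_covers(stmt, action, bucket_arn, principal_arn):
                    continue
                label = name + "/" + stmt.get("Sid", "<no Sid>")
                if "Condition" in stmt:
                    label += " (has Condition, review by hand)"
                if stmt.get("Effect") == "Deny":
                    denied_by.append(label)
                elif stmt.get("Effect") == "Allow" and name.startswith("identity:"):
                    allowed_by.append(label)
        result = "explicit-deny" if denied_by else "allow" if allowed_by else "implicit-deny"
        report[action] = {"result": result, "allowed_by": allowed_by, "denied_by": denied_by}
    return report


# Constructed samples. DOC-EXAMPLE-BUCKET is the article's placeholder; the caller ARN is hypothetical.
BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
CALLER_ARN = "arn:aws:iam::111122223333:user/bucket-admin"
MODIFY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # the article's identity policy
    {"Sid": "ModifyBucketPolicy", "Effect": "Allow",
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"], "Resource": BUCKET_ARN}]}
WRONG_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [  # object ARN pattern: common mistake
    {"Sid": "WrongResource", "Effect": "Allow", "Action": "s3:*BucketPolicy",
     "Resource": BUCKET_ARN + "/*"}]}
LOCKOUT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [  # denies everyone PutBucketPolicy
    {"Sid": "NoPolicyChanges", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutBucketPolicy", "Resource": BUCKET_ARN}]}
DENY_ALL_S3_SCP = {"Version": "2012-10-17", "Statement": [  # the article's SCP example
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    report = check_policies(BUCKET_ARN, CALLER_ARN, {"ModifyBucketPolicy": MODIFY_BUCKET_POLICY},
                            LOCKOUT_BUCKET_POLICY, {"DenyAllS3": DENY_ALL_S3_SCP})
    for action, finding in report.items():
        print(action, finding)
```

Each result is one of three outcomes that map onto the article's fixes: implicit-deny means no Allow was found and you need to add one to an identity policy (the WRONG_RESOURCE_POLICY sample shows the object-ARN mistake producing this); explicit-deny lists the statement to remove or narrow, with its source telling you whether that is your own policy, the bucket policy, or an SCP only the management account can change; allow means the policy documents are not the problem and you should look at Block Public Access next.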

If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy

If no IAM identity can view or modify the bucket policy, the root user of the AWS account that owns the bucket always has permission to delete the existing bucket policy, regardless of what the bucket policy says. This doesn't override an SCP: SCPs apply to the root user of a member account as well, so an SCP that denies Amazon S3 actions must be changed first. After the root user deletes the existing policy, your IAM user or role can create a new bucket policy, provided it has the s3:PutBucketPolicy permission described above.

