Why am I getting an "Access Denied" error from the Amazon S3 console when I try to modify a bucket policy?

Last updated: 2019-04-25

I'm trying to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console, but I'm getting an "Access Denied" error. How can I fix this? 

Short Description

To view a bucket policy from the Amazon S3 console, your AWS Identity and Access Management (IAM) user or role must have permission to the s3:GetBucketPolicy action. To edit an existing bucket policy, your IAM identity must have permission to the s3:PutBucketPolicy action.

To resolve the "Access Denied" error, check the following:

  • Your IAM identity has permission to both s3:GetBucketPolicy and s3:PutBucketPolicy.
  • The bucket policy doesn't deny your IAM identity permission to s3:GetBucketPolicy or s3:PutBucketPolicy.
  • If the bucket policy denies everyone access to s3:GetBucketPolicy and s3:PutBucketPolicy, delete the bucket policy.

Resolution

Your IAM identity has permission to both s3:GetBucketPolicy and s3:PutBucketPolicy

1.    Open the IAM console.

2.    From the console, open the IAM user or role that you're using to access the bucket policy.

3.    In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permission to the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.

For example, this IAM policy allows the user or role to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on awsexamplebucket:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket"
    }
  ]
}

As another example, this IAM policy grants the user or role access to all Amazon S3 actions on awsexamplebucket and its objects. You don't need to add permissions to s3:GetBucketPolicy or s3:PutBucketPolicy if you already have permission to all Amazon S3 actions on the bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket",
        "arn:aws:s3:::awsexamplebucket/*"
      ]
    }
  ]
}

5.    In the JSON policy documents, be sure to also search for statements with "Effect": "Deny". Then, confirm that those statements don't deny your IAM user or role access to the s3:GetBucketPolicy or s3:PutBucketPolicy actions on the bucket.

6.    If you can't find policies that grant you access to s3:GetBucketPolicy or s3:PutBucketPolicy on the bucket, add a policy that grants your IAM identity those permissions. If you find any policies that deny you access to s3:GetBucketPolicy or s3:PutBucketPolicy on the bucket, remove the statement or policy that's denying you access. For instructions on modifying your IAM permissions, see Changing Permissions for an IAM User.

The bucket policy doesn't deny your IAM identity permission to s3:GetBucketPolicy or s3:PutBucketPolicy

If you confirm that your IAM identity grants you the correct permissions, but you still can't modify the bucket policy, then an IAM identity that does have access to the bucket policy must check it for any statements that are blocking your access.

Follow these steps using an IAM identity with access to the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Modify the bucket policy to edit or remove any "Effect": "Deny" statements that are incorrectly denying the IAM user or role access to s3:GetBucketPolicy or s3:PutBucketPolicy.
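The two checks above (steps 4 to 6 on the identity policies, and steps 5 and 6 on the bucket policy) can be rehearsed offline against policy documents pasted from the console. The following script is an added example, not part of this article and not an AWS tool; it implements a deliberately simplified same-account evaluation (explicit Deny wins, then any Allow from an identity or bucket policy, otherwise implicit deny; Condition, NotAction, NotResource and NotPrincipal are not modelled). The account id, user name and the sample policy documents are constructed placeholders. It also shows the pitfall that a policy whose Resource ends in "/*" covers objects only, so bucket-level actions such as s3:GetBucketPolicy are still implicitly denied.

```python
import fnmatch

# Bucket-level actions such as s3:GetBucketPolicy and s3:PutBucketPolicy are
# evaluated against the bucket ARN itself; "arn:aws:s3:::bucket/*" matches
# objects only. A grant written with "/*" therefore looks right while the
# console still reports Access Denied.
BUCKET_ARN = "arn:aws:s3:::awsexamplebucket"          # bucket name from the article
REQUIRED_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy")


def _as_list(value):
    """Most IAM fields accept either a string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _wild(patterns, value, ignore_case):
    """IAM-style match: '*' and '?' are wildcards. Action names are
    case-insensitive; resource ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_matches(stmt, principal_arn):
    """A bucket-policy statement names its Principal; an identity-based policy
    has none and applies to the caller. Only 'AWS' principals are modelled."""
    principal = stmt.get("Principal")
    if principal is None:
        return True
    if isinstance(principal, str):
        return principal == "*"
    aws = _as_list(principal.get("AWS"))
    return "*" in aws or principal_arn in aws


def _applies(stmt, action, resource, principal_arn):
    return (_principal_matches(stmt, principal_arn)
            and _wild(stmt.get("Action"), action, ignore_case=True)
            and _wild(stmt.get("Resource"), resource, ignore_case=False))


def evaluate(policies, action, resource, principal_arn):
    """Simplified same-account decision: an explicit Deny in any applicable
    statement wins; otherwise any matching Allow grants; otherwise implicit deny."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _applies(stmt, action, resource, principal_arn):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit-deny"
            if stmt.get("Effect") == "Allow":
                decision = "allow"
    return decision


def blocking_statements(policies, action, resource, principal_arn):
    """Sids of the Deny statements that match: the ones step 5 tells you to find."""
    return [stmt.get("Sid", "<no Sid>")
            for policy in policies
            for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Deny"
            and _applies(stmt, action, resource, principal_arn)]


def diagnose(identity_policies, bucket_policy, principal_arn, bucket_arn=BUCKET_ARN):
    """Per required action, the decision the console would reach for this principal."""
    policies = list(identity_policies) + ([bucket_policy] if bucket_policy else [])
    return {action: evaluate(policies, action, bucket_arn, principal_arn)
            for action in REQUIRED_ACTIONS}


# --- constructed sample documents; account id and user name are placeholders ---
PRINCIPAL = "arn:aws:iam::111122223333:user/example-admin"

# Identity policy with an object-level "/*" resource: misses bucket-level actions.
OBJECT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Effect": "Allow",
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::awsexamplebucket/*"}]}

# The same grant pointed at the bucket ARN, which is what these actions need.
BUCKET_LEVEL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Effect": "Allow",
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::awsexamplebucket"}]}

# Bucket policy that denies everyone both actions: the lockout case where only
# the root user can recover by deleting the policy.
DENY_EVERYONE_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LockoutStmt", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetBucketPolicy", "s3:PutBucketPolicy"],
     "Resource": "arn:aws:s3:::awsexamplebucket"}]}

if __name__ == "__main__":
    print("object-level resource:", diagnose([OBJECT_ONLY_POLICY], None, PRINCIPAL))
    print("bucket-level resource:", diagnose([BUCKET_LEVEL_POLICY], None, PRINCIPAL))
    print("deny-everyone bucket policy:",
          diagnose([BUCKET_LEVEL_POLICY], DENY_EVERYONE_BUCKET_POLICY, PRINCIPAL),
          blocking_statements([BUCKET_LEVEL_POLICY, DENY_EVERYONE_BUCKET_POLICY],
                              "s3:PutBucketPolicy", BUCKET_ARN, PRINCIPAL))
```

Paste the JSON from the IAM console into the identity-policy list and the bucket policy into the second argument; a result of "implicit-deny" means no statement grants the action on the bucket ARN (check the Resource element), while "explicit-deny" means a Deny statement is in the way, and blocking_statements names its Sid so you know which statement to edit or remove.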

If the bucket policy denies everyone access to s3:GetBucketPolicy and s3:PutBucketPolicy, delete the bucket policy

If no IAM identities are able to view or modify the bucket policy, the AWS account root user has permission to delete the existing bucket policy. After the existing policy is deleted by the root user, your IAM user or role can create a new bucket policy.
