How do I fix my bucket policy when it has the wrong VPC or VPC endpoint ID?


My Amazon Simple Storage Service (Amazon S3) bucket policy specifies the incorrect Amazon Virtual Private Cloud (Amazon VPC) ID or VPC endpoint ID. I want to fix the policy so that I can access the bucket again.

Resolution

The VPC ID or VPC endpoint ID is valid, but it's for the wrong VPC

Note: If you specified a VPC ID in the bucket policy, then you must associate a VPC endpoint with the VPC. Otherwise, you can't update the bucket.

Complete the following steps:

  1. Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance that's in the allowed VPC.
    Note: The Amazon EC2 instance must also use a route table that allows traffic to Amazon S3 through the VPC endpoint. Also, the instance must have a role or credentials with permission to access the S3 bucket.

  2. From the instance, run the get-bucket-policy AWS CLI command to get the bucket policy:

    aws s3api get-bucket-policy --bucket example_bucket
  3. Important: Copy the existing bucket policy to use in a later step.

  4. Delete the bucket policy:

    aws s3api delete-bucket-policy --bucket example_bucket
  5. Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, if you don't need the VPC to restrict access, then remove the VPC restriction.

  6. Save the corrected policy in JSON format.

  7. From an AWS account that has access to the bucket, run the put-bucket-policy command to add the corrected bucket policy to the bucket:

    aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json

The VPC ID or VPC endpoint ID isn't valid

If the VPC ID or VPC endpoint ID in the bucket policy isn't valid or is mistyped, then you receive an error. To update the policy, you must have account root user access. You can't edit or remove the policy with only admin-level access.

Note: These procedures don't apply to AWS GovCloud (US). If you're an AWS GovCloud (US) user, then contact AWS Support for assistance.

Use the Amazon S3 console to correct the bucket policy

Complete the following steps:

  1. Open the Amazon S3 console as the root user.
  2. Select the Amazon S3 bucket that has the bucket policy that you want to delete or edit.
    Note: After you open the bucket, you might see an Access Denied error in the console. You can still proceed with the next steps.
  3. Choose the Permissions view.
  4. Choose Bucket Policy.
  5. To delete the bucket policy, choose Delete. To edit only the VPC ID or VPC endpoint ID, correct the ID in the Bucket policy editor, and then choose Save.
    Warning: If you delete the bucket policy, be sure to keep a copy of the existing bucket policy for reference.

Use the AWS CLI to correct the bucket policy

Warning: This procedure uses root user credentials (access keys). It's a best practice to use root user credentials only for emergency or recovery scenarios. For more information, see Safeguard your root user credentials and don't use them for everyday tasks.

Complete the following steps:

  1. Run the following command to configure the AWS CLI:

    aws configure
  2. Enter your root user credentials. For instructions on how to generate the credentials, see Creating access keys for the root user.

  3. Get the bucket policy:

    aws s3api get-bucket-policy --bucket example_bucket
  4. Important: Copy the existing bucket policy to use in a later step.

  5. Run the following command to delete the bucket policy:

    aws s3api delete-bucket-policy --bucket example_bucket
  6. Edit the previous bucket policy to point to the correct VPC or VPC endpoint. Or, if you don't need the VPC to restrict access, then remove the VPC restriction.

  7. Save the corrected policy in JSON format.

  8. Run the put-bucket-policy command to add the corrected bucket policy to the bucket:

    aws s3api put-bucket-policy --bucket example_bucket --policy file://policy.json
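Both procedures (step 5 in the wrong-VPC case and step 6 in the invalid-ID case) leave the actual editing of the policy to you. The following added example, which is not part of the AWS article, shows that edit as code: it decodes the output of `aws s3api get-bucket-policy`, lists every `aws:SourceVpce` / `aws:SourceVpc` ID the conditions reference and flags IDs that are mistyped, then either swaps a wrong ID for the correct one or removes the VPC restriction, and serializes the result for `put-bucket-policy`. The sample policy, the endpoint IDs and the ID-shape check (prefix plus 8 or 17 hex characters) are assumptions constructed for the example.

```python
import copy
import json
import re

# Constructed sample of what `aws s3api get-bucket-policy --bucket example_bucket`
# prints: the CLI wraps the policy document as a JSON string under "Policy",
# so it has to be decoded twice. The endpoint ID is made up: well-formed but
# wrong, which is the situation the first procedure above describes.
SAMPLE_GET_BUCKET_POLICY_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAccessOutsideEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example_bucket",
                         "arn:aws:s3:::example_bucket/*"],
            "Condition": {
                "StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}
            },
        }],
    })
})

# Condition keys that express a VPC / VPC endpoint restriction.
# Assumed ID shape: prefix plus 8 or 17 lowercase hex characters.
ID_PATTERNS = {
    "aws:SourceVpce": re.compile(r"^vpce-[0-9a-f]{8}(?:[0-9a-f]{9})?$"),
    "aws:SourceVpc": re.compile(r"^vpc-[0-9a-f]{8}(?:[0-9a-f]{9})?$"),
}


def load_policy(cli_output: str) -> dict:
    """Turn get-bucket-policy output into the policy document (a dict)."""
    return json.loads(json.loads(cli_output)["Policy"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_vpc_restrictions(policy: dict) -> list:
    """List every VPC / VPC endpoint ID the policy conditions reference,
    flagging IDs that do not even look like an ID (the mistyped case)."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if key not in ID_PATTERNS:
                    continue
                for vpc_id in _as_list(value):
                    found.append({
                        "sid": stmt.get("Sid"), "effect": stmt.get("Effect"),
                        "operator": operator, "key": key, "id": vpc_id,
                        "well_formed": bool(ID_PATTERNS[key].match(vpc_id)),
                    })
    return found


def replace_vpc_id(policy: dict, wrong_id: str, correct_id: str) -> dict:
    """Return a copy of the policy with wrong_id swapped for correct_id in
    every VPC / VPC endpoint condition. Nothing else in the policy changes."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement", [])):
        for keys in stmt.get("Condition", {}).values():
            for key in list(keys):
                if key not in ID_PATTERNS:
                    continue
                ids = [correct_id if v == wrong_id else v for v in _as_list(keys[key])]
                keys[key] = ids if isinstance(keys[key], list) else ids[0]
    return fixed


def remove_vpc_restriction(policy: dict) -> dict:
    """Return a copy with the VPC / VPC endpoint conditions removed. A statement
    whose only condition was the VPC check is dropped entirely: keeping an
    unconditional "Deny s3:*" would lock everyone out again, and keeping an
    unconditional "Allow" for Principal "*" would open the bucket to everyone."""
    fixed = copy.deepcopy(policy)
    kept = []
    for stmt in _as_list(fixed.get("Statement", [])):
        condition = stmt.get("Condition", {})
        for operator in list(condition):
            for key in list(condition[operator]):
                if key in ID_PATTERNS:
                    del condition[operator][key]
            if not condition[operator]:
                del condition[operator]
        if "Condition" in stmt and not condition:
            continue  # the VPC check was its only condition: drop the statement
        kept.append(stmt)
    fixed["Statement"] = kept
    return fixed


def policy_file_contents(policy: dict) -> str:
    """Serialize for `aws s3api put-bucket-policy --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = load_policy(SAMPLE_GET_BUCKET_POLICY_OUTPUT)
    for r in find_vpc_restrictions(policy):
        print(f"{r['sid']}: {r['effect']} {r['operator']} {r['key']}={r['id']}"
              f" ({'well-formed' if r['well_formed'] else 'MISTYPED'})")
    # The "correct" endpoint ID below is constructed for the example.
    fixed = replace_vpc_id(policy, "vpce-0123456789abcdef0", "vpce-0fedcba9876543210")
    with open("policy.json", "w") as fh:
        fh.write(policy_file_contents(fixed))
```

Run it in place of the manual edit: pipe the `get-bucket-policy` output into `load_policy`, check the listed IDs against the endpoint you actually expect, and hand the written `policy.json` to `put-bucket-policy`. If `remove_vpc_restriction` leaves an empty `Statement` list, the VPC check was the only statement in the policy, and `delete-bucket-policy` alone already gives the result you want.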

Follow AWS best practices

After you correct your bucket policy, follow these best practices:

Related information

Controlling access from VPC endpoints with bucket policies

AWS OFFICIAL
Updated 5 months ago