After applying a policy to an S3 bucket to limit access to my VPC endpoint, I am unable to access the S3 bucket at all. How can I regain access to the S3 bucket?

Bucket permissions intended to specifically limit bucket access to connections originating from my VPC endpoint are now blocking all connections to the bucket.

First confirm that the designated VPC endpoint exists and that it is associated with the route table of the subnets your instances use, so that their S3 requests are actually routed through it. A bucket policy that denies every request whose aws:sourceVpce value does not match the endpoint also denies requests that carry no aws:sourceVpce key at all, which includes the AWS Management Console and the AWS CLI run from outside the VPC; this is why IAM users and roles in the account, including administrators, appear to be locked out. If you are still unable to access the bucket through your VPC endpoint, remove the bucket policy by running the following commands from the AWS Command Line Interface (CLI) with the account's root user credentials. Root credentials are required because the root user of the bucket-owning account retains the ability to delete the bucket policy even when the policy denies that action. Use the root credentials only for this step, and remove or rotate them afterwards.

Note
The following AWS CLI commands are intended for a Linux (or other POSIX shell) environment. To run these commands from a Windows command prompt, substitute "set" for "export" and drop the surrounding quotation marks, because cmd.exe stores the quotes as part of the variable's value; in PowerShell use the form $env:AWS_DEFAULT_REGION = "REGION". Substitute appropriate values for REGION, ROOT_KEY_ID, ROOT_SECRET_KEY, and LOCKED_BUCKET.

$ export AWS_DEFAULT_REGION="REGION"
$ export AWS_ACCESS_KEY_ID="ROOT_KEY_ID"
$ export AWS_SECRET_ACCESS_KEY="ROOT_SECRET_KEY"
$ aws s3api delete-bucket-policy --bucket "LOCKED_BUCKET"

These commands remove the policy from the inaccessible S3 bucket; access is then governed by the IAM identity policies of your users and roles (and any bucket ACLs), as it was before the policy was applied. To create and apply an S3 bucket policy that limits access to a particular VPC endpoint, review the example bucket policies at Example Bucket Policies for VPC Endpoints for Amazon S3. Before applying a policy that denies on aws:sourceVpce, consider exempting an administrative principal in the same condition block (for example with aws:PrincipalArn) so that a mistake can be corrected without root credentials, and test the policy from inside the VPC before relying on it.
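The following is an added example, not code from this article or from AWS. It models offline the two evaluation rules the lockout and the recovery depend on: a negated condition operator (StringNotEquals) evaluates to true when the key is absent from the request, so a call from the console or a laptop carries no aws:sourceVpce and is denied, and keys inside one condition block are ANDed, so adding aws:PrincipalArn to the same block exempts one administrator. It also shows the naive policy beside the hardened one. The bucket name, endpoint ID, account ID and role names are placeholders, and the root-user special case is an assumption modelled from the recovery procedure above.

```python
"""Offline model of why a VPC endpoint bucket policy locks everyone out.

Added example, not AWS code. It implements only the IAM rules the article
relies on: explicit Deny, StringNotEquals semantics, and the root user's
ability to delete the policy. All identifiers below are placeholders.
"""
import json


def vpce_policy(bucket, vpce_id, exempt_principal_arn=None):
    """Build the 'deny unless via this endpoint' policy.

    Keys in one condition block are ANDed, so adding aws:PrincipalArn to the
    same StringNotEquals block makes the Deny apply only when the request is
    NOT from the endpoint AND NOT from the exempted principal.
    """
    not_equals = {"aws:sourceVpce": vpce_id}
    if exempt_principal_arn:
        not_equals["aws:PrincipalArn"] = exempt_principal_arn
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Access-to-specific-VPCE-only",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": not_equals},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _string_not_equals(block, ctx):
    """IAM semantics: a key absent from the request context (no aws:sourceVpce
    because the call came from the console or a laptop) makes the negated
    operator true, which is exactly how the lockout happens."""
    for key, expected in block.items():
        actual = ctx.get(key)
        if actual is not None and actual in _as_list(expected):
            return False
    return True


def _matches(pattern, value):
    if pattern == "*" or pattern == value:
        return True
    return pattern.endswith("*") and value.startswith(pattern[:-1])


def bucket_policy_denies(policy, action, resource, ctx):
    """True if any Deny statement applies; an explicit Deny always wins."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        cond = st.get("Condition", {})
        if "StringNotEquals" in cond and not _string_not_equals(cond["StringNotEquals"], ctx):
            continue
        return True
    return False


def can_delete_bucket_policy(policy, bucket, ctx):
    """Assumption modelled from the recovery procedure: the bucket-owning
    account's root user can delete the policy even when it is denied."""
    if ctx.get("aws:PrincipalArn", "").endswith(":root"):
        return True
    return not bucket_policy_denies(policy, "s3:DeleteBucketPolicy",
                                    f"arn:aws:s3:::{bucket}", ctx)


def demo():
    bucket, vpce = "LOCKED_BUCKET", "vpce-1a2b3c4d"            # placeholders
    admin = "arn:aws:iam::111122223333:role/S3Admin"            # placeholder
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
    obj = f"arn:aws:s3:::{bucket}/report.csv"
    via_vpce = {"aws:sourceVpce": vpce,
                "aws:PrincipalArn": "arn:aws:iam::111122223333:role/AppRole"}
    admin_outside = {"aws:PrincipalArn": admin}   # no aws:sourceVpce key at all
    user_outside = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice"}
    naive = vpce_policy(bucket, vpce)
    hardened = vpce_policy(bucket, vpce, exempt_principal_arn=admin)
    return {
        "naive_via_vpce_denied": bucket_policy_denies(naive, "s3:GetObject", obj, via_vpce),
        "naive_admin_outside_denied": bucket_policy_denies(naive, "s3:GetObject", obj, admin_outside),
        "naive_admin_can_delete_policy": can_delete_bucket_policy(naive, bucket, admin_outside),
        "naive_root_can_delete_policy": can_delete_bucket_policy(naive, bucket, root),
        "hardened_admin_outside_denied": bucket_policy_denies(hardened, "s3:GetObject", obj, admin_outside),
        "hardened_user_outside_denied": bucket_policy_denies(hardened, "s3:GetObject", obj, user_outside),
        "hardened_via_vpce_denied": bucket_policy_denies(hardened, "s3:GetObject", obj, via_vpce),
    }


if __name__ == "__main__":
    print(json.dumps(vpce_policy("LOCKED_BUCKET", "vpce-1a2b3c4d",
                                 "arn:aws:iam::111122223333:role/S3Admin"), indent=2))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script prints the hardened policy as JSON you can adapt, then the evaluation results: with the naive policy an administrator outside the VPC is denied and cannot delete the policy, only root can, while with the exempted aws:PrincipalArn that administrator keeps access and everyone else outside the endpoint is still denied.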






Published: 2015-12-31