Jan 17, 2025 - 06:31
How to Unlock an S3 Bucket Policy in an Organization Member Account

While working on a POC I accidentally set a bucket policy like this one ...

{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
            "arn:aws:s3:::dummybucket",
            "arn:aws:s3:::dummybucket/*"
        ],
        "Principal": "*"
    }]
}

Yeah ... That's the problem with copy-and-paste and a barely edited policy that was never double-checked. Because the statement denies every `s3:*` action to every principal (`"Principal": "*"`) with no condition, it applies to administrators as well: an explicit Deny in a bucket policy overrides any Allow, so the policy caused a bunch of errors and locked me out of the bucket even though I had the AdministratorAccess policy.
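As an added example (not part of the original post), a small pre-apply check that flags exactly this mistake: an unconditioned Deny on `s3:*` (or on the policy-management actions themselves) for every principal. The "scoped" policy it compares against is a constructed variant that exempts one hypothetical admin role via `aws:PrincipalArn`, so that role can still repair the policy; the account ID and role name are placeholders.

```python
import fnmatch
import json

# Actions which, when denied to every principal with no condition, leave no IAM
# path to fix the bucket (only root / Organizations privileged action remains).
RECOVERY_ACTIONS = ("s3:putbucketpolicy", "s3:deletebucketpolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _denies_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def lockout_statements(policy):
    """Return identifiers of Deny statements that would lock everyone, including
    administrators, out of managing the bucket policy. Heuristic: a Deny that
    carries a Condition is treated as scoped (e.g. one exempting an admin role);
    NotAction / NotPrincipal forms are not analysed."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue
        if not _denies_everyone(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # fnmatch handles wildcards such as "s3:*" or "s3:*BucketPolicy"
        if any(fnmatch.fnmatchcase(a, p) for a in RECOVERY_ACTIONS for p in patterns):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed: the policy from the post, which denies everything to everyone.
LOCKOUT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": "s3:*", "Effect": "Deny",
                 "Resource": ["arn:aws:s3:::dummybucket", "arn:aws:s3:::dummybucket/*"],
                 "Principal": "*"}]}""")

# Constructed: same Deny, but exempting one admin role (hypothetical account/ARN)
# so that role can still delete or correct the bucket policy.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "DenyAllButAdmin", "Action": "s3:*", "Effect": "Deny",
                 "Resource": ["arn:aws:s3:::dummybucket", "arn:aws:s3:::dummybucket/*"],
                 "Principal": "*",
                 "Condition": {"StringNotEquals":
                   {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/BucketAdmin"}}}]}""")

if __name__ == "__main__":
    for name, policy in (("lockout", LOCKOUT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", lockout_statements(policy) or "OK")
```

Run it against a policy document before `put-bucket-policy`; a non-empty result means the policy would need the root / privileged-action recovery described below.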

Initially, I thought the fix would be easy: just delete the bucket policy using root access. But there was a catch: the bucket was in an account that’s part of an AWS Organization, and by default, member accounts don’t have root credentials.

After some research and trial and error, I found the solution. I’m sharing it here to save you some time if you ever find yourself in the same situation!

  • Log in to the AWS Console using the management account (the one that manages the AWS Organization).

  • Enable Centralized root access for member accounts in the IAM console.

IAM Panel

Enabling Root Access

  • After enabling root access, reload the page, select the account with the misconfigured bucket, and choose the Take Privileged Action option.

Take privileged action

  • Choose Delete Amazon S3 bucket policy, select the affected bucket, and remove the problematic policy.

Delete Amazon S3 bucket policy

Confirm Delete Amazon S3 bucket policy

And that's it, a simple and quick solution to what can be a headache.

  • Optionally, disable Centralized root access for member accounts again once the policy has been removed.