DEV Community


How to Unlock an S3 Bucket Policy in an Organization Member Account

While working on a POC, I accidentally set a bucket policy like this one:

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "s3:*",
        "Effect": "Deny",
        "Resource": [
            "arn:aws:s3:::dummybucket",
            "arn:aws:s3:::dummybucket/*"
        ],
        "Principal": "*"
    }]
}
```

Yeah ... That's the problem with copy-and-paste and a hasty edit without double-checking. The policy caused a bunch of errors and locked me out of the bucket, even though I had an AdministratorAccess policy: an explicit Deny in a resource policy with Principal "*" applies to every caller, and an explicit Deny always wins over any IAM Allow.
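As an added pre-flight check that is not part of the original post, the following Python linter flags exactly this kind of lockout before a policy is applied: an unconditional Deny for everyone that also covers the bucket-level `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy` actions on the bucket ARN itself. The two embedded policies are constructed sample input (the one from this post, and a scoped variant with a Condition), and the function names are mine.

```python
import json
from fnmatch import fnmatch

# Bucket-level actions that must stay reachable for someone to repair a bad policy.
REPAIR_ACTIONS = ("s3:putbucketpolicy", "s3:deletebucketpolicy")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_everyone(principal):
    # Matches "Principal": "*" and {"AWS": "*"}; NotPrincipal is not handled here.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _action_denied(stmt, action):
    if "NotAction" in stmt:  # Deny + NotAction denies everything that is not listed
        return not any(fnmatch(action, p.lower()) for p in _as_list(stmt["NotAction"]))
    return any(fnmatch(action, p.lower()) for p in _as_list(stmt.get("Action", [])))

def _covers_bucket(stmt, bucket_arn):
    # Policy-management actions are bucket-level, so only a Resource matching the bucket
    # ARN itself counts; an objects-only Resource ("bucket/*") does not lock you out.
    return any(fnmatch(bucket_arn, r) for r in _as_list(stmt.get("Resource", [])))

def find_lockout_statements(policy, bucket):
    """Return Sids (or positional labels) of statements that unconditionally deny
    everyone both ways of changing the bucket policy (only root can undo those)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny" or stmt.get("Condition"):
            continue  # Allow statements and conditional denies never lock everyone out
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if _covers_bucket(stmt, bucket_arn) and all(
            _action_denied(stmt, a) for a in REPAIR_ACTIONS
        ):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed samples: the policy from the post, and a scoped variant that only denies
# unencrypted transport and therefore leaves the policy repairable.
LOCKOUT_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Action": "s3:*",
 "Effect": "Deny", "Resource": ["arn:aws:s3:::dummybucket", "arn:aws:s3:::dummybucket/*"],
 "Principal": "*"}]}""")
SCOPED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "DenyInsecure",
 "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::dummybucket",
 "arn:aws:s3:::dummybucket/*"], "Principal": "*",
 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

if __name__ == "__main__":
    for name, pol in (("lockout", LOCKOUT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_lockout_statements(pol, "dummybucket"))
```

Run it against a policy document before `put-bucket-policy`; a non-empty result means the policy would need the privileged root action described below to remove.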

Initially, I thought the fix would be easy: just delete the bucket policy using root access. But there was a catch: the bucket was in an account that's part of an AWS Organization, and by default, member accounts don't have root credentials.

After some research and trial and error, I found the solution. I’m sharing it here to save you some time if you ever find yourself in the same situation!

  • Log in to the AWS Console using the management account (the one that manages the AWS Organization).

  • Enable Centralized root access for member accounts in the IAM console.

[Screenshot: IAM panel]

[Screenshot: enabling root access]

  • After enabling root access, reload the page, select the account with the misconfigured bucket, and choose the Take Privileged Action option.

[Screenshot: Take privileged action]

  • Choose Delete Amazon S3 bucket policy, select the affected bucket, and remove the problematic policy.

[Screenshot: Delete Amazon S3 bucket policy]

[Screenshot: Confirm Delete Amazon S3 bucket policy]

And that's it: a simple and quick solution to what can be a real headache.

  • Optionally, disable Centralized root access for member accounts again once you're done.
