Certified Security - Specialty

Sign Up Free or Log In to participate!

Root user can’t delete bucket policy with Explicit Deny.

This pertains to the lab in Chapter 3 (Bucket Policies) of the AWS Certified Security – Specialty 2020 course. I set up the bucket policy with the Explicit Deny as an Admin. I then logged out and back in as a normal S3 user with limited permissions ("Allow" access to the bucket) I had previously added the contradictory deny policy to. The result is that I was denied any sort of access and the point that Explicit Deny policies will always trump an Allow policy was proven. 

However, in the next lesson (Ch, 3 (ACL Policies) I was logged in as a Root user in order to delete the policy but even there I was denied access to the bucket! How is this possible? How can I delete the policy or the bucket?


Okay, so today I went back and replicated the same process I followed during the lab yesterday. As a root user, I created a bucket (no public access) and then added the contradictory policy (Explicit Deny everything for everyone and then additional ALLOW statement for MyS3User). I finished the remainder of the exercise and everything behaved as expected when I logged in as MyS3User (could no longer access the bucket). But when I logged back in as ROOT user to delete the policy I get an "Access Denied" error. Apparently Explicit Deny applies to Root users, too?

2 Answers

this query, I too cnnot delete the explicit deny bucket policy applied to the bucket, hence cannot delete the bucket. Pls HELP

You’ll need to do this through AWS CLI using root access keys.

Follow the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/s3-accidentally-denied-access/

IMPORTANT: As mentioned in that article, don’t forget to remove the root profile from AWS CLI.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?