How to fix 'Access Denied' while deleting empty S3 Elastic Beanstalk?

Question

I've noticed some Elastic Beanstalk is drawing about $20 to $30 every month on my AWS account and it turns out it is an empty S3 bucket.

I tried deleting it but it returns "Access Denied" error.

I also tried to use life cycle to remove it, but it also didn't work. Here is how I set up the life cycle:

I set it to remove 1 day after creation

You need to look elsewhere for the $20-$30... It's not coming from an empty bucket. You have an Elastic Beanstalk environment actually running, the bucket is just its configuration. — Michael - sqlbot, Oct 03 '15 at 22:26
Try to delete the elastic beanstalk application from the console — Tal, Oct 05 '15 at 10:57
Ate you using the same user as the one who created it? If you do than your lady chance is aws support — Tal, Oct 05 '15 at 11:35
@tal No I created it myself. I actually got to sit down with an AWS engineer and he was puzzled too. Now this is taken by an AWS support and I am not sure how and when it would be resolved...was hoping to find a solution if someone already struggled with this before. — Aero Wang, Oct 05 '15 at 15:30
i faced same issue , just go to bucket policy section , and remove completely bucket policy and try to delete bucket now , it should work — Bravo, Jan 25 '19 at 04:14

score 159 · Accepted Answer · answered Oct 05 '15 at 22:57

159

Check the bucket policy on the S3 bucket. The bucket name seems to be the standard bucket that beanstalk creates to store your application versions, logs etc. To prevent accidental deletion of the bucket, the bucket policy denies delete permission. You can update the permissions on the S3 bucket policy to allow delete from your root account. Most likely your bucket policy currently does not allow deletion of the bucket. Then you will be able to delete the bucket.

Read more about S3 bucket permissions here: http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingBucketPermissions.html

answered Oct 05 '15 at 22:57

Rohit Banga

18,458
31
113
191

Yes I have all the permissions set to Me, Authenticated User, aero.windwalker(which is my account), and Everyone. Still doesn't work. D: – Aero Wang Oct 06 '15 at 02:13
27

I am not talking about the permission your IAM user or root account has. Check your S3 bucket policy. Right click on the bucket in the S3 console, select properties and in the Permissions section of the properties pane, select "Edit bucket policy". I think you will find a deny on DeleteBucket there. – Rohit Banga Oct 06 '15 at 02:47
9

**"Most likely your bucket policy currently does not allow deletion of the bucket"** - Right on the mark. Saved my day! – Vinay Vissh Dec 14 '17 at 07:51
1

I actually had to remove the section that denied root delete permission from the JSON. – theillien Nov 18 '18 at 02:28
2

Saved my day too! I'm surprised why they can't just provide the GUI instead of the edition a JSON? bucket policy file instead. No wonder they offer a free trial period of 1 year, just to silently charge fee after the trial. – mark42inbound Feb 06 '19 at 06:38
3

Also, if anybody is not able to edit and save the policy JSON document, go ahead and delete that policy document for the s3 bucket. then you'll be able to delete. – Vishwasa Navada K Aug 03 '19 at 09:23

score 77 · Answer 2 · answered May 24 '16 at 08:33

77

Elastic beanstalk added this restriction automatically as it creates the bucket. To remove it you will first have to empty the bucket out.

Once done, select the bucket --> Properties --> Permissions --> Edit bucket policy.

You will now see the permissions Elastic Beanstalk automatically added to that bucket. Scroll to where you find the "Action": "s3:DeleteBucket", above that Change "Effect": "Deny" to "Effect": "Allow"

Once done, save change and delete the bucket.

answered May 24 '16 at 08:33

Erion S

1,603
18
24

This is great and works. Though the thread above gives the reason and solution. I support this because it is short and sweet. – Nan Zhou Apr 25 '17 at 00:39
This saved me a lot of time. Thanks! – Shubham Jangle Dec 04 '22 at 13:48

score 19 · Answer 3 · answered Sep 17 '19 at 03:20

By default, Elastic Beanstalk set some policies on your bucket that prevents the delete operation on the bucket to prevent accidental deletion of the bucket.

I highlighted the operation in red in the image below.

Step to delete the bucket:

Click on the bucket name
Click on the Permissions tab between Properties and Management tab
Click on the Bucket Policy tab
Once you are in the bucket policy tab, click the delete button on the policy

Once complete, you go back to the list of the buckets and try to delete the bucket now.

DONE

Happy Coding

score 18 · Answer 4 · answered Sep 15 '16 at 10:15

This is Elastic beanstalk resection to save your accidental deletion. you can solve this issues by following 2 steps.

Grantee permission to upload and delete
Edit bucket policy by bucket => Properties => Permissions => Edit bucket policy and set allow "Effect": "Allow" from "Effect": "Deny"

Check below screenshot for more help.

Permission SCreenshot:

Bucket Policy

score 3 · Answer 5 · answered Sep 29 '19 at 16:46

3

Very short and simple approach would be (if you are sure that you no longer require the bucket) is to remove the bucket policy and then try to delete the bucket. Works in all cases. As the bucket is created by Elastic Beanstalk and configured policy will not allow any changes/delete by other users. Removing policy will allow you to perform action.

answered Sep 29 '19 at 16:46

Niraj Kumar

61
2

This is a smart solution if this is allowed in the scenarios. – Arefe Sep 06 '21 at 05:47

score 2 · Answer 6 · answered Feb 18 '19 at 06:26

I also came across the same error while deleting the bucket created by EBS "Access Denied" because by default EBS denies DELETE operation on s3 bucket create by it as it is used by EBS for storing logs of application any other pieces of information. To delete it you have to change the bucket's policy Steps:- Bucket => Properties => Permissions => Bucket Policy edit the bucket policy where "Action": "s3:DeleteBucket" change the "Effect": "Deny" to "Effect": "Allow"

score 2 · Answer 7 · answered Sep 17 '20 at 17:58

The bucket can be deleted only in the following 3 steps:

Select the bucket to be deleted then click on Permission section in opened drawer window
Click on Bucket Policy button
Replace Deny word with Allow in the object that has "Action": "s3:Deletebucket" line then click on Save button

Thereafter you can delete the bucket.

Figure for step 1:

Figure for step 2:

Figure for step 3:

score 0 · Answer 8 · answered Dec 27 '22 at 09:57

0

go to buckets--> permissions --> click on edit bucket policy and then then delete the policy then you can easily able to delete bucket

answered Dec 27 '22 at 09:57

MhnSkta

73
8

How to fix 'Access Denied' while deleting empty S3 Elastic Beanstalk?

8 Answers8