# You don't have permission to delete bucket "elasticbeanstalk-{region}-{account-id}"

[TOC]

---

:::danger
After you or your AWS admin has updated your IAM permissions to allow `s3:DeleteBucket`, choose **delete bucket**. Learn more about [Identity and Access Management in Amazon S3](https://docs.aws.amazon.com/console/s3/accesscontrol)

If you have the `s3:DeleteBucket` permission in your IAM user policy and you cannot delete a bucket, the bucket policy might include a deny statement for `s3:DeleteBucket`. Before you can delete the bucket, you must delete the deny s3:DeleteBucket statement or delete the bucket policy.

###### API response

```
User: arn:aws:iam::{account-id}:user/{iam-user} is not authorized to perform: s3:DeleteBucket on resource: "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}" with an explicit deny in a resource-based policy
```
:::

## Cause

The original bucket policy looks like this:

```json=
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "eb-{uuid}",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account-id}:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}/resources/environments/logs/*"
        },
        {
            "Sid": "eb-{uuid}",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{account-id}:role/aws-elasticbeanstalk-ec2-role"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetObject",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}",
                "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}/resources/environments/*"
            ]
        },
        {
            "Sid": "eb-{uuid}",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}"
        }
    ]
}
```

## Solution

Remove lines 29 to 37 from the original bucket policy. These lines are the `Deny` statement on `s3:DeleteBucket`:

```json=
        },
        {
            "Sid": "eb-{uuid}",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}"
```

Run the following command to [update](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/put-bucket-policy.html) the bucket policy:

```shell
aws s3api put-bucket-policy \
    --bucket nameOfTheBucket \
    --policy file://bucketPolicyAsAJSONDocument \
    --profile specificProfileFromCredentialFile
```

The bucket can now be [deleted](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/delete-bucket.html):

```shell
aws s3api delete-bucket \
    --bucket nameOfTheBucket \
    --profile specificProfileFromCredentialFile
```
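
The edit from the Solution section done by statement content instead of by line number, as an added example that is not part of the original note. It goes beyond the single case above: it handles `Action` given as a list, reports wildcard denies such as `s3:*` without rewriting them, and returns `None` when no statement is left (the "delete the bucket policy" option from the console message). The function name, the `SAMPLE` policy and its `Sid` values are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

TARGET = "s3:deletebucket"  # IAM matches action names case-insensitively

# Constructed sample modelled on the page's policy; ARNs and Sids are placeholders.
BUCKET = "arn:aws:s3:::elasticbeanstalk-{region}-{account-id}"
ROLE = "arn:aws:iam::{account-id}:role/aws-elasticbeanstalk-ec2-role"
SAMPLE = {
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "eb-logs", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": "s3:PutObject",
         "Resource": BUCKET + "/resources/environments/logs/*"},
        {"Sid": "eb-deny", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:DeleteBucket", "Resource": BUCKET},
    ],
}

def _as_list(value):
    # "Statement" and "Action" may each be a single item or a list.
    return value if isinstance(value, list) else [value]

def strip_delete_bucket_deny(policy):
    """Return (new_policy, removed, review) without mutating `policy`.
    new_policy is None when no statement is left; review holds Deny
    statements whose wildcard action (e.g. "s3:*") still blocks deletion."""
    kept, removed, review = [], [], []
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        hits = [a for a in actions if fnmatchcase(TARGET, a.lower())]
        if stmt.get("Effect") != "Deny" or not hits:
            kept.append(stmt)
            continue
        rest = [a for a in actions if a.lower() != TARGET]
        if any(a in rest for a in hits):
            review.append(stmt)  # wildcard deny: left for a human to decide
        if len(rest) == len(actions):
            kept.append(stmt)  # only wildcards matched, statement untouched
            continue
        removed.append(stmt)
        if rest:  # the Deny also names other actions: keep those
            kept.append({**stmt, "Action": rest})
    return ({**policy, "Statement": kept} if kept else None), removed, review

if __name__ == "__main__":
    new_policy, removed, review = strip_delete_bucket_deny(SAMPLE)
    print(json.dumps(new_policy, indent=4))
```

Save the printed policy to a file and pass it to `put-bucket-policy` as in the Solution section; check `removed` and `review` before applying it, since the deny statement is what guards the bucket against deletion.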