
[s3] Can't be found if S3 bucket policy exists with Deny * #454

Open
alexandrosgkesos opened this issue Dec 10, 2024 · 3 comments
Labels
area/resource bug Something isn't working

Comments


alexandrosgkesos commented Dec 10, 2024

Steps to reproduce

  1. Create S3 bucket
  2. Set the following policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "*",
      "Resource": "arn:aws:s3:::YOUR-BUCKET"
    }
  ]
}
  3. Run aws-nuke.

Result: S3 bucket is not in the results...but SQS with a similar policy is

sqs_policy='{\"Version\":\"2012-10-17\",\"Id\":\"Policy1564523767951\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"SQS:*\",\"Resource\":\"*\"}]}'

aws-nuke's output
time="2024-12-10T11:58:51Z" level=error msg="unable to list queue tags" error="AccessDenied: User: arn:aws:sts::AccountID:assumed-role/OrganizationAccountAccessRole/NewAccountRole is not authorized to perform: sqs:listqueuetags on resource: arn:aws:sqs:eu-west-1:AccountID:test-queue with an explicit deny in a resource-based policy\n\tstatus code: 403, request id: aef99db2-c939-57ce-948d-c260e602610c"
...
time="2024-12-10T11:59:05Z" level=error msg="There are resources in failed state, but none are ready for deletion, anymore."
time="2024-12-10T11:59:05Z" level=error msg="AccessDenied: User: arn:aws:sts::AccountID:assumed-role/OrganizationAccountAccessRole/NewAccountRole is not authorized to perform: sqs:deletequeue on resource: arn:aws:sqs:eu-west-1:AccountID:test-queue with an explicit deny in a resource-based policy\n\tstatus code: 403, request id: 7d1fd59b-2434-526f-af05-8a490b7d92d6"
time="2024-12-10T11:59:05Z" level=fatal msg=failed

aws-nuke - v3.35.1 - 5546c46
Do you really want to nuke the account with the ID AccountID and the alias 'ALIAS'?
Waiting 3s before continuing.
eu-west-1 - SQSQueue - https://sqs.eu-west-1.amazonaws.com/AccountID/test-queue - [QueueURL: "https://sqs.eu-west-1.amazonaws.com/AccountID/test-queue"] - would remove
Scan complete: 21 total, 1 nukeable, 20 filtered.
Do you really want to nuke the account with the ID AccountID and the alias 'ALIAS'?
Waiting 3s before continuing.
eu-west-1 - SQSQueue - https://sqs.eu-west-1.amazonaws.com/AccountID/test-queue - [QueueURL: "https://sqs.eu-west-1.amazonaws.com/AccountID/test-queue"] - failed
Removal requested: 0 waiting, 1 failed, 20 skipped, 0 finished
...three more tries

nuke-config

$ grep S3 nuke-config-template.yml
    - S3AccessPoint
    - S3Bucket
    - S3MultipartUpload
    - S3Object

S3 list and delete Bucket can be seen (not denied)

$ aws s3api list-buckets
{
    "Buckets": [
        {
            "Name": "*-alex-testbucket",
            "CreationDate": "2024-12-10T11:38:17+00:00"
        }
    ],
    "Owner": {
        "DisplayName": "....",
        "ID": "...."
    },
    "Prefix": null
}
$ aws s3 ls
2024-12-10 13:38:17 *-alex-testbucket

$ aws s3 rb s3://*-alex-testbucket
remove_bucket failed: s3://*-alex-testbucket An error occurred (AccessDenied) when calling the DeleteBucket operation: User: arn:aws:sts::AccountID:assumed-role/OrganizationAccountAccessRole/NewAccountRole is not authorized to perform: s3:DeleteBucket on resource: "arn:aws:s3:::*-alex-testbucket" with an explicit deny in a resource-based policy
ekristen (Owner) commented

If I'm understanding you correctly, you are saying that if a bucket policy is blocking access, the resulting bucket doesn't show up in aws-nuke.

It looks like this is due to how the resource is written, S3Bucket skips if an error is encountered. SQS still adds even if an error is encountered.

Not sure which is the preferred behavior.
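The listing difference described above, as an added Go example that is not aws-nuke's own code: a lister that records a per-bucket AccessDenied on the returned resource instead of skipping the bucket, so a bucket behind a Deny * policy still shows up in the scan. The bucketAPI interface, the fakeAPI client, the bucket names and the error text are constructed assumptions for running offline.

```go
package main

import "errors"

// Constructed stand-in for the AccessDenied error the AWS SDK returns on an explicit deny.
var ErrAccessDenied = errors.New("AccessDenied: explicit deny in a resource-based policy")

// bucketAPI is a hypothetical minimal client; a real lister would call the S3 SDK for
// ListBuckets and then per-bucket metadata calls such as tagging.
type bucketAPI interface {
	ListBuckets() ([]string, error)
	GetBucketTagging(name string) (map[string]string, error)
}

// Bucket is the listed resource; Err records a per-bucket failure instead of dropping the bucket.
type Bucket struct {
	Name string
	Tags map[string]string
	Err  error
}

// listBuckets keeps a bucket whose per-bucket metadata call is denied, annotated with the error,
// which is the "add even if an error is encountered" behaviour rather than the "skip" behaviour.
func listBuckets(api bucketAPI) ([]Bucket, error) {
	names, err := api.ListBuckets()
	if err != nil {
		return nil, err
	}
	var out []Bucket
	for _, n := range names {
		tags, terr := api.GetBucketTagging(n)
		// No `continue` on terr: skipping here is exactly what hides the bucket from the scan.
		out = append(out, Bucket{Name: n, Tags: tags, Err: terr})
	}
	return out, nil
}

// fakeAPI is a constructed offline client: ListBuckets succeeds (as `aws s3api list-buckets`
// does in the report) while the per-bucket call is denied for the bucket with the Deny * policy.
type fakeAPI struct{ denied map[string]bool }

func (f fakeAPI) ListBuckets() ([]string, error) { return []string{"open-bucket", "deny-all-bucket"}, nil }

func (f fakeAPI) GetBucketTagging(name string) (map[string]string, error) {
	if f.denied[name] {
		return nil, ErrAccessDenied
	}
	return map[string]string{"owner": "team-a"}, nil
}
```

Running listBuckets against fakeAPI{denied: map[string]bool{"deny-all-bucket": true}} returns both buckets, the denied one carrying ErrAccessDenied in Err and nil tags.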

alexandrosgkesos (Author) commented

AWS CLI lists the bucket with "deny all" policy. I believe aws-nuke should add it, otherwise we won't know about it.

Because of that, currently I assume root without checking the aws-nuke output, list and reset S3 bucket policy and then re-run nuke.

Now that I think about it, I should assume root before running aws-nuke😂

ekristen (Owner) commented

Yeah that's fair. The issue is this https://github.com/ekristen/aws-nuke/blob/main/resources/s3-bucket.go#L118 -- I'll see about patching it later tonight.

@ekristen ekristen added the bug Something isn't working label Dec 12, 2024