I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console. However, I'm getting an HTTP 403 Forbidden error instead. How can I troubleshoot this?

To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, check the following:

  • Missing permissions to use an AWS Key Management Service (AWS KMS) key
  • Bucket policy requires encryption
  • Missing permissions to s3:PutObject or s3:PutObjectAcl
  • Bucket access control list (ACL) doesn't allow the AWS account root user to write objects
  • AWS Organizations service control policy doesn't allow access to Amazon S3

Missing permissions to use an AWS KMS key

If the S3 bucket uses default encryption with a custom AWS KMS key, then you must have the permissions to use the key to access the bucket.

To get the permissions to use the key, a key administrator must add you as a user of the custom AWS KMS key by following these steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose Encryption keys.
  3. From the list of keys, choose the key that's associated with your bucket.
  4. Expand Key Policy.
  5. Under Key Users, choose Add.
  6. From the list of IAM users and roles, select the IAM user.
  7. Choose Attach.

Bucket policy requires encryption

If your bucket policy requires server-side encryption using AWS KMS or Amazon S3-managed encryption keys, then verify that you're using the correct encryption header to upload objects.

When you're using the Amazon S3 console to upload an object, review the Set properties step, and then confirm that the correct Encryption is selected.

Missing permissions to s3:PutObject or s3:PutObjectAcl

Verify that the IAM user or role that you're using allows the s3:PutObject action on the bucket. Without this permission, you'll get an HTTP 403 Forbidden error.

If you're trying to modify the object's ACL during the upload, then your IAM user or role must also allow the s3:PutObjectAcl action.

Bucket ACL doesn't allow the root user to write objects

If you're using the root user account to upload objects to the S3 bucket, then verify that the bucket's ACL grants the root user Write objects access. For more information, see How Do I Set ACL Bucket Permissions?

AWS Organizations service control policy doesn't allow access to Amazon S3

If you're using AWS Organizations, then check the service control policies to be sure that access to Amazon S3 is allowed.

For example, the following policy results in an HTTP 403 Forbidden error when you try to access Amazon S3 because it explicitly denies access:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "S3:*",
    "Resource": "*"
  }]
}

For more information on the features of AWS Organizations, see Enabling All Features in Your Organization.
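The two policy-driven causes above (a bucket policy that requires an encryption header, and a service control policy with an explicit deny) can be checked offline with a small evaluator. The following is an added example, not AWS code: it models only Deny statements, ignores Principal, and handles just the StringNotEquals and Null condition operators. The bucket policy and the EXAMPLE-BUCKET name are constructed for illustration; the SCP is the one shown above.

```python
import fnmatch

# The SCP shown on this page (explicitly denies every S3 action).
SCP = {"Version": "2012-10-17",
       "Statement": [{"Effect": "Deny", "Action": "S3:*", "Resource": "*"}]}

# Constructed sample: bucket policy that denies uploads without SSE-KMS.
# EXAMPLE-BUCKET is a placeholder name.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyUploadsWithoutSseKms",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
    "Condition": {"StringNotEquals":
                  {"s3:x-amz-server-side-encryption": "aws:kms"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringNotEquals":
                # A key absent from the request also satisfies StringNotEquals.
                if actual is not None and actual in _as_list(expected):
                    return False
            elif operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True

def explicit_deny(policy, action, resource, context):
    """Return True if any Deny statement applies to the request."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        # Action names match case-insensitively; resource ARNs do not.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit and _condition_holds(
                stmt.get("Condition", {}), context):
            return True
    return False
```

Pass the request's encryption header as the context, for example `{"s3:x-amz-server-side-encryption": "AES256"}`; an upload with no header or the wrong header is denied by the sample bucket policy, while `aws:kms` passes.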


Published: 2019-02-12