Why am I getting an HTTP 403 Forbidden error when I try to upload files using the Amazon S3 console?

Last updated: 2020-06-29

I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console. However, I'm getting an HTTP 403 Forbidden error instead. How can I troubleshoot this?

Short description

To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, check the following:

  • Missing permissions to s3:PutObject or s3:PutObjectAcl
  • Missing permissions to use an AWS Key Management Service (AWS KMS) key
  • Explicit deny statement in the bucket policy
  • Bucket access control list (ACL) doesn't allow the AWS account root user to write objects
  • AWS Organizations service control policy doesn't allow access to Amazon S3

Resolution

Missing permissions to s3:PutObject or s3:PutObjectAcl

Verify that the AWS Identity and Access Management (IAM) user or role that you're using has permissions for the s3:PutObject action on the bucket. Without this permission, you'll get an HTTP 403 Forbidden error.

If you're trying to modify the object's ACL during the upload, then your IAM user or role must also have permissions for the s3:PutObjectAcl action.

Missing permissions to use an AWS KMS key

If the S3 bucket uses default encryption with a custom AWS KMS key, then you must also have permission to use that key. Without it, the upload to the bucket fails with an HTTP 403 Forbidden error even if your IAM permissions on the bucket itself are correct.

To get the permissions to use the key, a key administrator must add you as a user of the custom AWS KMS key. The key administrator must follow these steps to add you as a key user:

  1. Open the AWS KMS console.
  2. From the navigation pane, choose Customer managed keys.
  3. From the list of keys, choose the key that's associated with the bucket.
  4. Under Key users, choose Add.
  5. In the Add key users dialog box, select the IAM user, and then choose Add.

Explicit deny statement in the bucket policy

Review the bucket policy for any statements that explicitly deny ("Effect": "Deny") permission for s3:PutObject unless certain conditions are met. Verify that your upload meets the bucket policy requirements for access to the s3:PutObject action.

For example, if your bucket policy explicitly denies s3:PutObject unless the request includes server-side encryption using AWS KMS or Amazon S3-managed encryption keys, then verify that you're using the correct encryption header to upload objects.

The following example statement in a bucket policy explicitly denies any access to s3:PutObject on the bucket awsdoc-example-bucket unless the upload request specifies an AWS KMS key matching arn:aws:kms:us-east-1:111122223333:key/* (that is, a key in account 111122223333 in the us-east-1 Region):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}

Warning: Before you save a bucket policy with an explicit deny statement, you must carefully review the parameters for the explicit denial of access. If you get accidentally locked out, see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

Bucket ACL doesn't allow the root user to write objects

If you're using the root user account to upload objects to the S3 bucket, then verify that the bucket's ACL grants the root user access to Write objects. For more information, see How do I set ACL bucket permissions?

AWS Organizations service control policy doesn't allow access to Amazon S3

If you're using AWS Organizations, then check the service control policies to be sure that access to Amazon S3 is allowed.

For example, the following policy results in an HTTP 403 Forbidden error when you try to access Amazon S3 because it explicitly denies access:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "S3:*",
    "Resource": "*"
  }]
}

For more information on the features of AWS Organizations, see Enabling all features in your organization.
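As an added example (not from the article or from AWS), the following Python evaluates the two explicit-deny policies shown above against sample PutObject requests, so you can see which upload headers the bucket policy accepts and why the service control policy blocks everything. It implements only the wildcard matching and the StringNotLikeIfExists operator those statements use; the sample headers and full key ARNs used with it are constructed.

```python
import fnmatch
import json

# Copies of the two Deny policies shown in the article.
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "ExampleStmt", "Effect": "Deny", "Principal": "*",
  "Action": ["s3:PutObject"],
  "Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
  "Condition": {"StringNotLikeIfExists": {
    "s3:x-amz-server-side-encryption-aws-kms-key-id":
      "arn:aws:kms:us-east-1:111122223333:key/*"}}}]}""")
SCP = {"Version": "2012-10-17",
       "Statement": [{"Effect": "Deny", "Action": "S3:*", "Resource": "*"}]}

def _matches(value, patterns, fold_case=False):
    """IAM-style wildcard match of value against one pattern or a list."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def condition_holds(condition, ctx):
    """True when the Condition block is satisfied by the request context.
    Only StringNotLikeIfExists is implemented (all these policies use). With
    'IfExists' a missing key counts as satisfied, so an upload that sends no
    KMS key id at all (unencrypted or SSE-S3) is still denied."""
    for operator, clauses in condition.items():
        if operator != "StringNotLikeIfExists":
            raise NotImplementedError(operator)
        for key, patterns in clauses.items():
            if key in ctx and _matches(ctx[key], patterns):
                return False
    return True

def put_object_denied(policy, bucket, key, headers):
    """True if an explicit Deny in policy blocks PUT s3://bucket/key sent with
    these headers. Deny wins over every Allow, so a match explains a 403 no
    matter what the user's own IAM policy grants."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    # S3 exposes x-amz-* request headers as condition keys named s3:<header>.
    ctx = {"s3:" + h.lower(): v for h, v in headers.items()}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # Action names are case-insensitive in IAM, so "S3:*" still matches.
        if not _matches("s3:PutObject", stmt["Action"], fold_case=True):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False
```

Running put_object_denied with an empty header dict, with only x-amz-server-side-encryption: AES256, or with a KMS key from another account all return True for BUCKET_POLICY; only a key under the expected ARN prefix returns False.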