Why am I getting a "403 Access Denied" error when I try to modify a bucket policy in Amazon S3?

Last updated: 2022-05-16

I keep getting a "403 Access Denied" error when I try to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

The "403 Access Denied" error can occur due to the following reasons:

To resolve these issues:

  • Check that the IAM user or role has s3:Get:BucketPolicy permission to view the bucket policy and s3:PutBucketPolicy permission to edit it. Add an IAM user policy to grant you access if one doesn't exist.
  • If you're denied permissions, then use another IAM identity that has bucket access, and edit the bucket policy. Or, delete and recreate the bucket policy if no one has access to it.
  • If you're trying to add a public read policy, then disable the bucket's S3 Block Public Access.
  • If you use AWS Organizations, then verify that you don't have any service control policies that explicitly deny S3 actions. Also, confirm that you can add exceptions for your operation.

Resolution

Check your permissions for s3:GetBucketPolicy and s3:PutBucketPolicy

Follow these steps:

1.    Open the IAM console.

2.    Select the identity that's used to access the bucket policy, such as User or Role.

3.    Select the IAM identity name that you're using to access the bucket policy.

4.    In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.

5.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.

The following example IAM policy allows the IAM identity to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ModifyBucketPolicy",
      "Action": [
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    },
    {
      "Sid": "AccessS3Console",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}

Note: The AccessS3Console statement in the preceding IAM policy grants Amazon S3 console access. It isn't specific to modifying a bucket policy.

6.    In the JSON policy documents, search for statements with "Effect": "Deny". Then, confirm that these statements don't deny your IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Add a bucket policy if it doesn't exist

If you can't find policies that grant s3:GetBucketPolicy or s3:PutBucketPolicy permissions, then add a policy to grant them to your IAM identity. If you find policies that deny access to s3:GetBucketPolicy or s3:PutBucketPolicy, then remove these policies. For instructions on modifying your IAM permissions, see Changing permissions for an IAM user.

Use another IAM identity that has bucket access and modify the bucket policy

Follow these steps to modify the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Edit the bucket policy to update any "Effect": "Deny" statements that deny the IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Delete and recreate the bucket policy if it denies everyone access

If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy. If you can't delete the bucket policy, then try deleting the policy as the AWS account root user. After the policy is deleted, you can create a new bucket policy.

Disable S3 Block Public Access

If your bucket policy grants public access, then check if S3 Block Public Access is enabled on the bucket and disable it. To prevent future denied access to S3 buckets that you make public, confirm that you don't have S3 Block Public Access enabled for the account.

Note: Before disabling S3 Block Public Access at the account level, confirm that it's enabled at the bucket level for private buckets to prevent unwanted public access.

For AWS Organizations, delete service control policies that don't allow Amazon S3 access

If you're using AWS Organizations, then check the service control policies for any statements that explicitly deny the s3:PutBucketPolicy action or any other S3 action. Delete the service control policies that explicitly deny S3 actions in accordance to your organization's security policies.

For example, the following policy denies access to all S3 actions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

Did this article help?


Do you need billing or technical support?