Why am I getting an Access Denied error message when I upload files to my Amazon S3 bucket that has AWS KMS default encryption?

Last updated: 2020-10-19

My Amazon Simple Storage Service (Amazon S3) bucket has AWS Key Management Service (AWS KMS) default encryption. My AWS Identity and Access Management (IAM) user or role has s3:PutObject permission on the bucket. I'm trying to upload files to the bucket, but Amazon S3 returns an Access Denied error message. How can I fix this?

Resolution

Update the AWS KMS permissions of your IAM user or role based on the error message that you receive.

Important: If the AWS KMS key and the IAM user or role belong to different AWS accounts, then you must add the KMS permissions to both the IAM policy and the KMS key policy.

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action. Amazon S3 calls kms:GenerateDataKey on your behalf to create the data key that encrypts each object, so the call fails if your principal isn't allowed to use the bucket's key. This permission is required when the bucket's default encryption uses a customer managed AWS KMS key (with the AWS managed key aws/s3, the key policy already grants this use to principals in the account). Follow these steps to add permission for kms:GenerateDataKey:

  1. Open the IAM console.
  2. From the console, open the IAM user or role that you're using to upload files to the Amazon S3 bucket.
  3. In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.
  4. In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for the kms:GenerateDataKey action on the bucket's AWS KMS key. If this permission is missing, then add the permission to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).
  5. In the JSON policy documents, look for statements with "Effect": "Deny". Then, confirm that those statements don't deny your IAM user or role access to the kms:GenerateDataKey action on the key used to encrypt the bucket.

"An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey and kms:Decrypt actions. Both permissions are required for multipart uploads to a bucket with AWS KMS default encryption: kms:GenerateDataKey to create the data key when the upload is initiated, and kms:Decrypt because Amazon S3 must decrypt that data key again to encrypt the remaining parts with it. Follow these steps to add permissions for kms:GenerateDataKey and kms:Decrypt:

  1. Open the IAM console.
  2. From the console, open the IAM user or role that you're using to upload files to the Amazon S3 bucket.
  3. In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.
  4. In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for kms:GenerateDataKey and kms:Decrypt on the bucket's AWS KMS key. If these permissions are missing, then add the permissions to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).
  5. In the JSON policy documents, look for statements with "Effect": "Deny". Then, confirm that those statements don't deny your IAM user or role access to kms:GenerateDataKey and kms:Decrypt on the key used to encrypt the bucket.
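The following added example (not from the original article or from AWS) automates steps 4 and 5 of both procedures above: given the JSON policy documents attached to the uploading principal, it reports for each KMS action that Amazon S3 needs whether it is allowed, implicitly denied (no matching Allow) or explicitly denied, scoped to the bucket's key ARN. The key ARN, bucket name and policy documents are constructed samples. The evaluator is deliberately simplified: it models only Allow/Deny statements with Action and Resource (rejecting NotAction/NotResource), matches IAM-style wildcards, and ignores Condition blocks, permissions boundaries, SCPs, session policies and the KMS key policy itself.

```python
"""Check whether a principal's IAM policies grant the KMS actions that
Amazon S3 needs for SSE-KMS uploads, and whether an explicit Deny blocks them.

Simplified evaluator written for this article (not the AWS SDK or IAM API):
Allow/Deny statements with Action and Resource only; Condition blocks,
permissions boundaries, SCPs, session policies and the key policy are ignored.
"""
import fnmatch

# Constructed sample: the customer managed key used for the bucket's default encryption.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Actions Amazon S3 calls on the key on the principal's behalf.
PUT_OBJECT_ACTIONS = ["kms:GenerateDataKey"]
MULTIPART_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, casefold):
    """IAM-style wildcard match: '*' and '?' only. Action names are
    case-insensitive in IAM; resource ARNs are case-sensitive."""
    if casefold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def check_kms_access(policies, key_arn, actions):
    """Return {action: 'allowed' | 'implicit_deny' | 'explicit_deny'}.

    An explicit Deny anywhere overrides any Allow (IAM evaluation logic);
    no matching statement at all is an implicit deny.
    """
    result = {}
    for action in actions:
        verdict = "implicit_deny"
        for policy in policies:
            for stmt in _as_list(policy.get("Statement")):
                if "NotAction" in stmt or "NotResource" in stmt:
                    raise ValueError("NotAction/NotResource statements are not modelled")
                if not _matches(_as_list(stmt.get("Action")), action, casefold=True):
                    continue
                if not _matches(_as_list(stmt.get("Resource")), key_arn, casefold=False):
                    continue
                if stmt.get("Effect") == "Deny":
                    verdict = "explicit_deny"
                elif stmt.get("Effect") == "Allow" and verdict != "explicit_deny":
                    verdict = "allowed"
        result[action] = verdict
    return result


def missing_permissions(policies, key_arn, actions):
    """Actions that still need fixing (sorted), i.e. anything not 'allowed'."""
    verdicts = check_kms_access(policies, key_arn, actions)
    return sorted(a for a, v in verdicts.items() if v != "allowed")


# Constructed sample policies attached to the uploading role.
# 1. The situation from the article: s3:PutObject is granted, but no KMS access.
S3_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

# 2. The statement step 4 asks you to add, scoped to the bucket's key only.
KMS_FIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
                   "Resource": KEY_ARN}],
}

# 3. A Deny of the kind step 5 warns about; it breaks multipart uploads
#    even with the fix attached.
KMS_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"}],
}

if __name__ == "__main__":
    for label, attached in [("before fix", [S3_ONLY_POLICY]),
                            ("after fix", [S3_ONLY_POLICY, KMS_FIX_POLICY]),
                            ("fix + deny", [S3_ONLY_POLICY, KMS_FIX_POLICY, KMS_DENY_POLICY])]:
        print(label, check_kms_access(attached, KEY_ARN, MULTIPART_ACTIONS))
```

Because Condition blocks are ignored, treat an `allowed` verdict as a hint, not proof: a statement with a `kms:ViaService` or `aws:SourceVpce` condition that doesn't match your upload path still results in Access Denied. For the authoritative answer, run the same principal and actions through the IAM policy simulator (`aws iam simulate-principal-policy`), and for a cross-account key also review the key policy as the Important note above says.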
