My Amazon Simple Storage Service (Amazon S3) bucket has AWS Key Management Service (AWS KMS) default encryption. My AWS Identity and Access Management (IAM) user or role has s3:PutObject permission on the bucket. I'm trying to upload files to the bucket, but Amazon S3 returns an "Access Denied" error message. How can I fix this?

Update the AWS KMS permissions of your IAM user or role based on the error message that you receive:

Important: If the AWS KMS key and the IAM user or role belong to different AWS accounts, you must add the AWS KMS permissions on both the IAM policy and the AWS KMS key policy.

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

Add permission to the kms:GenerateDataKey action. This permission is required for buckets that use default encryption with a custom AWS KMS key.

"An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied"

Add permissions to the kms:GenerateDataKey and kms:Decrypt actions. These permissions are required for multipart uploads to a bucket with AWS KMS default encryption.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-12-21