Why can't I access a specific folder or file in my Amazon S3 bucket?

5 minute read

I can't access a certain prefix or object that's in my Amazon Simple Storage Service (Amazon S3) bucket. I can access the rest of the data in the bucket.

Short description

Check the following permissions for any settings that are denying your access to the prefix or object:

Ownership of the prefix or object
Restrictions in the bucket policy
Restrictions in your AWS Identity and Access Management (IAM) user policy
Permissions to objects that are encrypted by AWS Key Management Service (AWS KMS)

Also, note the following conditions for access:

If you encrypted the object with an AWS KMS key, then only the AWS account that encrypted the object can read it.
If you defined permissions boundaries and sessions policies, then the maximum permissions of the requester might be affected. The object access might also be affected.
Other policies, such as VPC endpoint policies and service control policies (SCPs), might specify restrictions. Therefore, check these policies and update them accordingly.
You can also control ownership of uploaded objects using Amazon S3 Object Ownership. If you set Object Ownership to BucketOwnerPreferred, then accounts with the bucket-owner-full-control canned ACL can write objects that transition to the bucket owner.

Resolution

Ownership of the prefix or object

By default, when an AWS account uploads an S3 object, the account owns that object. This is true even when another account owns the bucket. If other accounts can upload to your bucket, then follow these steps to get permissions to the object or prefix that you can't access:

To get the Amazon S3 canonical ID for your account, run this AWS Command Line Interface (AWS CLI) command:

aws s3api list-buckets --query Owner.ID

Get the Amazon S3 canonical ID of the account that owns the object that you can't access:

aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix index.html

If the canonical IDs don't match, then you (the bucket owner) don't own the object. For an individual object, the object owner can grant you full control with this put-object-acl command:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name --acl bucket-owner-full-control

For objects within a prefix, the object owner must re-copy the prefix and grant you full control of the objects as part of the operation. For example, the object owner can run this cp command with the --acl bucket-owner-full-control parameter:

aws s3 cp s3://DOC-EXAMPLE-BUCKET/abc/ s3://DOC-EXAMPLE-BUCKET/abc/ --acl bucket-owner-full-control --recursive --storage-class STANDARD

Tip: You can use a bucket policy to require that other accounts grant you ownership of objects they upload to your bucket.

Restrictions in the bucket policy

Open the Amazon S3 console.
From the list of buckets, open the bucket with the policy that you want to review.
Choose the Permissions tab.
Choose Bucket policy.

Search for statements with "Effect": "Deny". Then, review those statements for references to the prefix or object that you can't access. For example, this bucket policy denies everyone access to the abc/* prefix in DOC-EXAMPLE-BUCKET:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StatementPrefixDeny",
      "Effect": "Deny",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/abc/*"
    }
  ]
}

Modify the bucket policy to edit or remove any "Effect": "Deny" statements that incorrectly deny you access to the prefix or object.

Restrictions in your IAM user policy

Open the IAM console.
From the console, open the IAM user or role that you use to access the prefix or object.
In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

In the JSON policy documents, search for policies that relate to Amazon S3 access. Then, search those policies for any "Effect": "Deny" statements that block your access to the prefix or object.

For example, the following IAM policy has an "Effect": "Deny" statement that blocks the IAM identity's access to the prefix abc/* within DOC-EXAMPLE-BUCKET. The policy also has an "Effect": "Allow" statement that grants access to DOC-EXAMPLE-BUCKET. Despite the allow statement for the entire bucket, the explicit deny statement prevents the IAM identity from accessing the prefix abc/*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StatementPrefixDeny",
      "Effect": "Deny",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/abc/*"
      ]
    },
    {
      "Sid": "StatementFullPermissionS3",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}

Modify the policy to edit or remove any "Effect": "Deny" statements that incorrectly deny you access to the prefix or object.

Permissions to object encrypted by AWS KMS

If an object is encrypted with an AWS KMS key, then you need permissions to both the object and the key. Check if you can't access the object because you need permissions to an AWS KMS key:

Use the Amazon S3 console to view the properties of one of the objects that you can't access. Review the object's Encryption properties.
If the object is encrypted with a custom AWS KMS key, then review the key policy. Confirm that the policy allows your IAM identity to perform the following actions:
```
"Action": ["kms:Decrypt"]
```
If your IAM identity is missing permissions to any of these actions, then modify the key policy to grant the missing permissions.

Important: If your IAM identity and AWS KMS key belong to different accounts, then verify that you have proper permissions. Both your IAM and key policies must grant you permissions to the required AWS KMS actions.

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

How can I grant a user access to a specific folder in my Amazon S3 bucket?

Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?

Topics

Storage

Relevant content

IAM Policy for s3 bucket sub-folder access that returns a successful response from the HeadBucket endpoint
ckalima
asked a year ago
Why does my CloudFront distribution give access denied when I have any path or query params in the URL?
Accepted Answer
taxmann
asked 6 months ago
Access the S3 folder specific to particular user authenticated using Cognito
Accepted Answer
Siddhesh
asked 2 years ago
Set the access permission of objects in S3 buckets
shengxian_huang
asked 2 years ago
I have made my S3 bucket publicly accessible for my images to show up still access is denied
Sharon
asked 2 months ago
How can I grant a user Amazon S3 console access to only a certain bucket or folder?
AWS OFFICIALUpdated a year ago
A user with permission to add objects to my Amazon S3 bucket is getting Access Denied errors. Why?
AWS OFFICIALUpdated 2 years ago
How can I grant a user access to a specific folder in my Amazon S3 bucket?
AWS OFFICIALUpdated 7 months ago
Why am I getting an Access Denied error for ListObjectsV2 when I run the sync command on my Amazon S3 bucket?
AWS OFFICIALUpdated 2 years ago
Troubleshoot 403 Access Denied error in Amazon S3
EXPERT
Gayathri Krishnamoorthy
published a year ago