An AWS Identity and Access Management (IAM) user from another AWS account uploaded an object to my Amazon Simple Storage Service (Amazon S3) bucket. When I try to access the object, I receive the error "HTTP 403: Access Denied." How can I fix this?

By default, the AWS account that uploads the object owns the object, even if another account owns the bucket. To get access to the object, the object owner must explicitly grant you (the bucket owner) access. The object owner can grant the bucket owner full control of the object by updating the object's access control list (ACL). The object owner can update the object's ACL either during the put or copy operation, or after the object is added to the bucket.

Grant access during the put or copy operation

During the put or copy operation, the object owner can specify that the ACL of the object gives full control to the bucket owner.

For a put operation, the object owner can run this command:

aws s3api put-object --bucket destination_bucket --key dir-1/my_images.tar.bz2 --body my_images.tar.bz2 --acl bucket-owner-full-control

For a copy operation of a single object, the object owner can run one of these commands:

aws s3api copy-object --bucket destination_bucket --key myobject --copy-source source_bucket/myobject --acl bucket-owner-full-control

or

aws s3 cp s3://sourcebucket/myobject s3://destinationbucket/ --acl bucket-owner-full-control

For a copy operation of multiple objects, the object owner can run this command:

aws s3 cp s3://sourcebucket/ s3://destinationbucket/ --acl bucket-owner-full-control --recursive

Grant access after the object is added to the bucket

If the object is already added to the bucket in another account, the object owner can grant the bucket owner access by running a put-object-acl command, similar to the following:

aws s3api put-object-acl --bucket bucketname --key keyname --acl bucket-owner-full-control

Require that objects grant the bucket owner full control

You can use a bucket policy to require that any objects uploaded to your bucket by another account must set the ACL as "bucket-owner-full-control". The following example policy allows a specific IAM user to put objects into a bucket only when the put request sets the ACL to "bucket-owner-full-control":

Warning: This example policy doesn't support multipart uploads using the Upload Part operation.

{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "AWS": [
                    "arn:aws:iam::xxxxxxxxxxxxx:user/iam"
                ]
            }
        }
    ]
}
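To see why the condition above works, and why a put without --acl is refused, the following added example (not from the AWS page) simulates the policy decision for a few requests in Python. It implements only the parts of IAM evaluation this policy needs: principal, action and resource matching with wildcards, and the StringEquals operator on request context keys. The account ID 111111111111, the second principal 222222222222 and the object keys are constructed placeholders.

```python
import fnmatch
import json

# Constructed copy of the bucket policy shown on this page; the account ID
# and user name are placeholders.
BUCKET_POLICY = json.loads("""
{
    "Id": "Policy1541018284691",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1541018283275",
            "Action": ["s3:PutObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::testbucket/*",
            "Condition": {
                "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
            },
            "Principal": {"AWS": ["arn:aws:iam::111111111111:user/iam"]}
        }
    ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Evaluate the StringEquals operator, the only one this policy uses.

    A condition key that is absent from the request (for example, no
    x-amz-acl header was sent) makes StringEquals false, so the statement
    does not apply and the request falls through to the implicit deny.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if context[key] not in _as_list(expected):
                return False
    return True


def evaluate(policy, principal_arn, action, resource_arn, context):
    """Return 'Allow' or 'Deny' for a simulated request.

    Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow
    wins, otherwise the request is implicitly denied. Principal, Action and
    Resource use glob-style wildcards ('*' matches any characters, as in IAM).
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if not any(fnmatch.fnmatchcase(principal_arn, p) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def simulate_put(acl=None, principal="arn:aws:iam::111111111111:user/iam",
                 key="dir-1/my_images.tar.bz2"):
    """Simulate a PutObject from the other account against testbucket.

    acl=None models a CLI call without --acl: no x-amz-acl header is sent,
    so the s3:x-amz-acl condition key is missing from the request context.
    """
    context = {} if acl is None else {"s3:x-amz-acl": acl}
    return evaluate(BUCKET_POLICY, principal, "s3:PutObject",
                    f"arn:aws:s3:::testbucket/{key}", context)


if __name__ == "__main__":
    print(simulate_put("bucket-owner-full-control"))  # Allow
    print(simulate_put())                              # Deny: header missing
    print(simulate_put("private"))                     # Deny: wrong ACL
    print(simulate_put("bucket-owner-full-control",
                       principal="arn:aws:iam::222222222222:user/other"))  # Deny
```

The second case is also the reason for the multipart warning above: only the CreateMultipartUpload request carries the x-amz-acl header, so the individual Upload Part requests arrive without it and are denied by a policy that requires the key on every s3:PutObject call.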

Published: 2016-02-26

Updated: 2018-12-20