I'm trying to upload a large file to my Amazon Simple Storage Service (Amazon S3) bucket. In my upload request, I'm including encryption information using an AWS Key Management Service (AWS KMS) key. However, I get an Access Denied error. Meanwhile, when I upload a smaller file with encryption information, the upload succeeds. How can I fix this? 

Confirm that you have permission to perform the kms:Decrypt action on the AWS KMS key that you're using to encrypt the object.

Note: kms:Decrypt is only one of the actions that you must have permissions for when you upload or download an Amazon S3 object encrypted with an AWS KMS key. You must also have permissions for kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.

The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when a file is large. To perform a multipart upload with encryption using an AWS KMS key, the requester must have permission for the kms:Decrypt action on the key. Amazon S3 needs this permission because it must decrypt and read the data from the encrypted parts before it can complete the multipart upload.

If your AWS Identity and Access Management (IAM) user or role is in the same AWS account as the AWS KMS key, then the key policy must grant you kms:Decrypt. If your IAM user or role belongs to a different account than the key, then both the key policy and your IAM permissions must grant you kms:Decrypt.

Key policy

Review the AWS KMS key policy by using the AWS Management Console policy view.

In the key policy, search for statements where the Amazon Resource Name (ARN) of your IAM user or role is listed as an AWS principal. The ARN has the format arn:aws:iam::111122223333:user/john.

Then, check the list of actions allowed by the statements associated with your IAM user or role. The list of allowed actions must include kms:Decrypt for multipart uploads to work.

For example, this statement in a key policy allows the user John to perform several actions on the key, including kms:Decrypt:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/john"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

IAM permissions

To review your IAM permissions, open the IAM console, and then open your IAM user or role.

Review the list of permissions policies applied to your IAM user or role. Be sure that there's an applied policy that allows you to perform the kms:Decrypt action on the key that you're using to encrypt the object.

Note: kms:Decrypt is only one of the actions that you must have permissions for when you upload or download an Amazon S3 object encrypted with an AWS KMS key. You must also have permissions for kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey.

For example, this statement allows the IAM user to perform kms:Decrypt on the key (arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": [
      "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    ]
  }
}
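As an added example (not part of this article or of any AWS tool), the script below applies the rule described above to policy documents: it checks whether a principal is granted kms:Decrypt and the other listed actions, requiring the key policy alone in the same-account case and both the key policy and an IAM policy in the cross-account case. The sample policies are the two statements shown in this article; the expansion of kms:ReEncrypt* and kms:GenerateDataKey* into concrete action names, and the omission of Deny statements and Conditions, are simplifications of this example.

```python
# Added example, not from the AWS article: check a principal for the KMS actions the
# article lists, applying its same-account / cross-account rule for SSE-KMS multipart uploads.
import fnmatch

# The article's kms:ReEncrypt* and kms:GenerateDataKey* wildcards expand to these actions.
REQUIRED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                    "kms:GenerateDataKey", "kms:DescribeKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _account_id(arn):
    return arn.split(":")[4]      # arn:partition:service:region:account-id:resource

def _allows(stmt, action, principal_arn=None, resource_arn=None):
    """Does one Allow statement grant `action`? Deny statements and Conditions are not modelled."""
    if stmt.get("Effect") != "Allow":
        return False
    if principal_arn is not None:  # key policy: the principal must be named (or "*")
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in principals and "*" not in principals:
            return False
    if resource_arn is not None:   # IAM policy: the key ARN must match a Resource entry
        if not any(fnmatch.fnmatch(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return False
    return any(fnmatch.fnmatch(action, a) for a in _as_list(stmt.get("Action", [])))

def missing_kms_actions(key_policy, principal_arn, key_arn, iam_policies=()):
    """Required actions the principal lacks. Same account: the key policy must grant them;
    different account: the key policy AND one of the principal's IAM policies must."""
    key_stmts = _as_list(key_policy["Statement"])
    iam_stmts = [s for p in iam_policies for s in _as_list(p["Statement"])]
    cross_account = _account_id(principal_arn) != _account_id(key_arn)
    missing = []
    for action in REQUIRED_ACTIONS:
        by_key = any(_allows(s, action, principal_arn=principal_arn) for s in key_stmts)
        by_iam = any(_allows(s, action, resource_arn=key_arn) for s in iam_stmts)
        if not (by_key and (by_iam or not cross_account)):
            missing.append(action)
    return missing

# Constructed sample input: the article's key-policy statement and IAM policy. The key lives in
# account 123456789098 while user john is in 111122223333, so this is the cross-account case.
KEY_ARN = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
JOHN = "arn:aws:iam::111122223333:user/john"
GRANTS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
KEY_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "Allow use of the key",
    "Effect": "Allow", "Principal": {"AWS": JOHN}, "Action": GRANTS, "Resource": "*"}]}
IAM_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": GRANTS,
    "Resource": [KEY_ARN]}}
```

With the sample input, missing_kms_actions(KEY_POLICY, JOHN, KEY_ARN) reports every required action as missing because the key is in another account and no IAM policy was supplied, while passing [IAM_POLICY] as well returns an empty list.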

For instructions on how to update your IAM permissions, see Changing Permissions for an IAM User.

Published: 2019-03-12