I'm trying to upload a large file to Amazon S3 with encryption using an AWS KMS key. Why is the upload failing?

Last updated: 2020-06-18

I'm trying to upload a large file to my Amazon Simple Storage Service (Amazon S3) bucket. In my upload request, I'm including encryption information using an AWS Key Management Service (AWS KMS) key. However, I get an Access Denied error. Meanwhile, when I upload a smaller file with encryption information, the upload succeeds. How can I fix this?

Short Description

Confirm that you have the permission to perform kms:Decrypt actions on the AWS KMS key that you're using to encrypt the object.

The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when the file is large. To perform a multipart upload with encryption using an AWS KMS key, the requester must have kms:GenerateDataKey permissions to initiate the upload, and kms:Decrypt permissions to upload object parts. The requester must have kms:Decrypt permissions so that newly uploaded parts can be encrypted with the same key used for previous parts of the same object. 

Resolution

If your AWS Identity and Access Management (IAM) user or role is in the same AWS account as the AWS KMS key, then you must have permission to kms:Decrypt on the key policy. If your IAM user or role belongs to a different account than the key, then you must have permission to kms:Decrypt on both the key policy and your IAM permissions.

Key policy

Review the AWS KMS key policy by using the AWS Management Console policy view.

In the key policy, search for statements where the Amazon Resource Name (ARN) of your IAM user or role is listed as an AWS principal. The ARN is in the format: arn:aws:iam::111122223333:user/john.

Then, check the list of actions allowed by the statements associated with your IAM user or role. The list of allowed actions must include kms:Decrypt for multipart uploads to work.

For example, this statement in a key policy allows the user John to perform the kms:Decrypt and kms:GenerateDataKey actions:

  {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::111122223333:user/john"
      },
      "Action": [
          "kms:Decrypt",
          "kms:GenerateDataKey"
      ],
      "Resource": "*"
  }

IAM permissions

To review your IAM permissions, open the IAM console, and then open your IAM user or role.

Review the list of permissions policies applied to your IAM user or role. Be sure that there's an applied policy that allows you to perform the kms:Decrypt action on the key that you're using to encrypt the object.

For example, this statement grants the IAM user access to perform kms:Decrypt and kms:GenerateDataKey on the key (arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      "kms:GenerateDataKey"
    ],
    "Resource": [
      "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    ]
  }
}
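The two checks above (key policy for same-account principals, key policy plus IAM policy for cross-account principals) can be done offline against exported policy JSON before retrying the upload. The following is an added example, not AWS code: a small evaluator that reports which of the two required actions a principal still lacks for a given key. It uses the page's example ARNs as constructed sample data, treats the statements the way the article describes (same account: key policy decides; different account: key policy and an IAM policy must both allow), and deliberately ignores Condition blocks, NotAction/NotResource forms and service-control or permissions-boundary policies, so a "no action missing" result is a necessary but not sufficient check.

```python
import fnmatch

# The two KMS actions an SSE-KMS multipart upload needs (initiate + upload parts).
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

# Constructed sample values, taken from the article's examples.
PRINCIPAL = "arn:aws:iam::111122223333:user/john"
KEY_ARN = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"

# Constructed key policy: the article's "Allow use of the key" statement wrapped as a full policy.
KEY_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": PRINCIPAL},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
}

# Constructed key policy that grants only GenerateDataKey: small (single PutObject)
# uploads succeed, multipart uploads fail with Access Denied on the part uploads.
KEY_POLICY_NO_DECRYPT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": PRINCIPAL},
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
    }],
}

# Constructed IAM identity policy (the article's example), used for the cross-account case.
IAM_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": [KEY_ARN],
    },
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, fold_case):
    """IAM-style glob match (* and ?) of value against any pattern; actions are case-insensitive."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, principal_arn, action, key_arn, check_principal):
    """True if the statement names this principal (key policies only), this action and this key."""
    if "NotAction" in stmt or "NotResource" in stmt:
        return False  # simplification: negated forms are not evaluated by this checker
    if check_principal:
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if not any(p == "*" or p == principal_arn for p in names):
            return False
    if not _matches(action, _as_list(stmt.get("Action")), fold_case=True):
        return False
    return _matches(key_arn, _as_list(stmt.get("Resource", "*")), fold_case=False)


def allowed_actions(policy, principal_arn, key_arn, check_principal):
    """Subset of REQUIRED_ACTIONS that one policy allows; an explicit Deny overrides any Allow."""
    statements = _as_list(policy.get("Statement"))
    allowed = set()
    for action in REQUIRED_ACTIONS:
        effects = {s.get("Effect") for s in statements
                   if _statement_applies(s, principal_arn, action, key_arn, check_principal)}
        if "Allow" in effects and "Deny" not in effects:
            allowed.add(action)
    return allowed


def missing_for_multipart(key_policy, principal_arn, key_arn, iam_policies=(), same_account=True):
    """Return the required actions the principal still lacks, in REQUIRED_ACTIONS order.

    Same account: the key policy alone must allow both actions.
    Different account: the key policy AND at least one IAM policy must allow each action.
    """
    granted = allowed_actions(key_policy, principal_arn, key_arn, check_principal=True)
    if not same_account:
        from_iam = set()
        for pol in iam_policies:
            from_iam |= allowed_actions(pol, principal_arn, key_arn, check_principal=False)
        granted &= from_iam
    return [a for a in REQUIRED_ACTIONS if a not in granted]


if __name__ == "__main__":
    # Expected: [] for the working key policy, ['kms:Decrypt'] for the one that breaks multipart.
    print(missing_for_multipart(KEY_POLICY_OK, PRINCIPAL, KEY_ARN))
    print(missing_for_multipart(KEY_POLICY_NO_DECRYPT, PRINCIPAL, KEY_ARN))
```

To use it on a real key, paste the output of the console policy view (or the key policy and the identity's attached policies exported as JSON) into the two dictionaries and pass the caller's ARN; an empty list means both required actions are granted at the policy-document level, while a list naming kms:Decrypt reproduces the exact symptom in the question.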

For instructions on how to update your IAM permissions, see Changing Permissions for an IAM User.
