How do I troubleshoot 403 Access Denied errors from an Amazon S3 bucket with public read access?


I want to access an object in my Amazon Simple Storage Service (Amazon S3) bucket that allows public read access. However, I get a 403 Access Denied error.

Resolution

If you can't access objects from a public S3 bucket, run the AWSSupport-TroubleshootS3PublicRead automation runbook on AWS Systems Manager. This helps you analyze permissions settings that affect the bucket and its objects, such as the bucket policy and object access control lists (ACLs).

Note: The AWSSupport-TroubleshootS3PublicRead runbook analyzes 403 errors from publicly readable objects. It doesn't evaluate permissions for private objects.

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Automation.
  3. Choose Execute automation.
  4. Under Choose document, choose the Owned by Amazon tab.
  5. In the Automation document search bar, enter AWSSupport-TroubleshootS3PublicRead, and then press Enter.
  6. Choose AWSSupport-TroubleshootS3PublicRead.
  7. Choose Execute automation.
  8. Choose Simple execution.
  9. (Optional) For AutomationAssumeRole, you can select an AWS Identity and Access Management (IAM) role that Systems Manager assumes to send requests to your bucket. If you leave this field blank, then Systems Manager uses your current IAM identity to set up the runbook.
    Important: The trust policy of the IAM role that you select must allow Systems Manager Automation to assume the role. Also, the IAM role must have the necessary permissions for the runbook. See the Required IAM permissions section in AWSSupport-TroubleshootS3PublicRead.
  10. For S3BucketName, enter the name of the S3 bucket that you want to troubleshoot.
  11. (Optional) For S3PrefixName, you can specify a prefix to analyze. If you leave this field blank, then the runbook lists the bucket and evaluates the first few objects lexicographically.
  12. (Optional) For StartAfter, you can specify the key name that you want the runbook to start listing from.
  13. For MaxObjects, enter the maximum number of objects that you want the runbook to evaluate. The default value is five.
  14. For IgnoreBlockPublicAccess, it's a best practice to leave the value as false.
    Warning: If you change the value to true, then the runbook ignores the Amazon S3 Block Public Access settings that might be what is blocking the access.
  15. For HttpGet, leave the value as true if you want the runbook to perform a partial HTTP GET request (the first byte) for each object. If you want the runbook to perform a full GET request, then change the value to false.
  16. For Verbose, to see detailed information during the analysis, enter true. To see only warning and error messages, enter false.
  17. (Optional) For CloudWatchLogGroupName, you can enter an Amazon CloudWatch log group name that you want to send the analysis results to. If you specify a name and the log group doesn't exist, then the runbook tries to create a log group with that name.
  18. (Optional) For CloudWatchLogStreamName, you can enter a CloudWatch log stream name that you want to send the analysis results to. If you specify a name and the log group doesn't exist, then the runbook tries to create a log group with that name. If you leave this field blank, then the runbook uses the runbook's execution ID as the log stream name.
  19. For ResourcePartition, select the partition that the S3 bucket is in. The options are aws, aws-us-gov, or aws-cn.
  20. (Optional) For Tags, enter up to five key-value pair tags.
  21. Choose Execute.
  22. Use the Execution status to track the progress of the runbook.
  23. After the status indicates a Success, review the results listed in Outputs. The results might include error codes for each object that the runbook evaluated. Use these error codes to diagnose the cause of the Access Denied errors for anonymous requests to each object.
    Tip: To review the result of an individual step in the evaluation, choose the relevant Step ID under Executed steps. The Executed Steps are below the Execution status.
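The runbook inspects the same three controls that decide whether an anonymous GET succeeds: the bucket's Block Public Access settings, the bucket policy, and the object ACL. The following Python is an added, offline approximation of that reasoning, not the runbook's own code or any AWS API: it takes constructed copies of those three documents (the bucket name `example-bucket`, the policy, the ACL, and the owner ID placeholder are all made up here), ignores policy `Condition` blocks because the request context is not known offline, and reports which control grants the read or which Block Public Access setting is silently overriding a grant. The typical 403 case the page describes, a public policy behind the default Block Public Access configuration, is the first scenario under `__main__`.

```python
"""Offline approximation of the checks behind a 403 on an anonymous S3 GET.

Constructed inputs only; nothing here calls AWS. Only the three controls the
runbook inspects are modelled (Block Public Access, bucket policy, object ACL),
and policy Condition blocks are flagged rather than evaluated.
"""
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Anonymous access needs Principal "*" or {"AWS": "*"}.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _statement_covers(stmt, arn):
    # IAM action names are case-insensitive and both fields accept * wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
        return False
    return any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", [])))


def policy_verdict(policy, bucket, key):
    """Return ('deny' | 'allow' | 'none', notes) for an anonymous s3:GetObject on bucket/key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    verdict, notes = "none", []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if not _principal_is_public(stmt.get("Principal")) or not _statement_covers(stmt, arn):
            continue
        if "Condition" in stmt:
            # Source IP, referer, TLS etc. are unknown offline: flag the statement instead.
            notes.append(f"statement {stmt.get('Sid', '<no Sid>')} has a Condition; check it against the request")
            continue
        if stmt.get("Effect") == "Deny":
            return "deny", notes  # an explicit Deny wins over every Allow
        if stmt.get("Effect") == "Allow":
            verdict = "allow"
    return verdict, notes


def acl_grants_public_read(acl):
    """True if the object ACL grants READ (or FULL_CONTROL) to the AllUsers group."""
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            if grant.get("Permission") in ("READ", "FULL_CONTROL"):
                return True
    return False


def diagnose(bucket, key, block_public_access, policy, object_acl):
    """Say whether an anonymous GET of bucket/key would succeed, and which control decides it."""
    grants, findings = [], []
    verdict, notes = policy_verdict(policy, bucket, key)
    findings.extend(notes)
    if verdict == "deny":
        return {"allowed": False, "grants": [],
                "findings": ["bucket policy explicitly denies anonymous s3:GetObject"] + findings}
    if verdict == "allow":
        # RestrictPublicBuckets makes S3 ignore a public bucket policy for anonymous callers.
        if block_public_access.get("RestrictPublicBuckets"):
            findings.append("RestrictPublicBuckets is on: the public bucket policy is ignored for anonymous requests")
        else:
            grants.append("bucket policy")
    else:
        findings.append('no bucket policy statement grants s3:GetObject to Principal "*" for this key')
    if acl_grants_public_read(object_acl):
        # IgnorePublicAcls makes S3 ignore existing public ACLs on the bucket and its objects.
        if block_public_access.get("IgnorePublicAcls"):
            findings.append("IgnorePublicAcls is on: the AllUsers READ grant on the object ACL is ignored")
        else:
            grants.append("object ACL")
    else:
        findings.append("object ACL has no READ grant for the AllUsers group")
    return {"allowed": bool(grants), "grants": grants, "findings": findings}


# --- constructed sample inputs (not real account data) ---
BPA_DEFAULT = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_OFF = {name: False for name in BPA_DEFAULT}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
    {"Sid": "NoPrivate", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/private/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}

if __name__ == "__main__":
    # Typical 403: the policy is public, but default Block Public Access is still on.
    print(diagnose("example-bucket", "public/index.html", BPA_DEFAULT, PUBLIC_READ_POLICY, PRIVATE_ACL))
    print(diagnose("example-bucket", "public/index.html", BPA_OFF, PUBLIC_READ_POLICY, PRIVATE_ACL))
```

The output is deliberately a list of findings rather than a single yes/no, because the useful answer to a 403 is which layer refused the request: the runbook's per-object error codes serve the same purpose, and the HttpGet step confirms the verdict against the real service. `fnmatch` treats `[` and `]` as character-class syntax, so a key or policy resource containing brackets would need escaping before this simplified matcher is trusted.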