How do I troubleshoot 403 Access Denied errors from an Amazon S3 bucket with public read access?

Last updated: 2020-10-21

I'm trying to access an object in my Amazon Simple Storage Service (Amazon S3) bucket that allows public read access. However, I'm getting a 403 Access Denied error. How can I troubleshoot this error? 

Resolution

Run the AWSSupport-TroubleshootS3PublicRead automation document on AWS Systems Manager to help you diagnose issues with accessing objects from a public S3 bucket. This document analyzes some permissions settings that affect the bucket and objects, such as the bucket policy and object access control lists (ACLs), among others.

Note: The AWSSupport-TroubleshootS3PublicRead document analyzes 403 errors from publicly readable objects. The document doesn't evaluate permissions for private objects. 

Follow these steps to run the AWSSupport-TroubleshootS3PublicRead automation document using the Systems Manager console:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Automation.
  3. Choose Execute automation.
  4. Under Choose document, choose the Owned by Amazon tab.
  5. In the Automation document search bar, enter S3PublicRead, and then press Enter
  6. Select AWSSupport-TroubleshootS3PublicRead, and then choose Next.
  7. For Execute automation document, choose Simple execution
  8. (Optional) For AutomationAssumeRole, you can select an AWS Identity and Access Management (IAM) role that Systems Manager can assume to send requests to the S3 bucket. If you leave this field blank, then Systems Manager uses the IAM identity that you're using to set up the document.
    Important: The trust policy of the IAM role that you select must allow Systems Manager Automation to assume the role. Additionally, the IAM role must have permissions for running the AWSSupport-TroubleshootS3PublicRead automation document
  9. For S3BucketName, enter the name of the S3 bucket that you want to troubleshoot.
  10. (Optional) For S3PrefixName, you can specify a prefix to analyze. If you leave this field blank, then the document lists the bucket and evaluates the first few objects lexicographically. 
  11. (Optional) For StartAfter, you can specify the key name that you want the document to start listing from. 
  12. For MaxObjects, enter the maximum number of objects that you want the document to evaluate. The default number is 5.
  13. For IgnoreBlockPublicAccess, it's a best practice to leave the value as false. Changing the value to true isn't a best practice, because the document then ignores Amazon S3 Block Public Access settings that might be blocking access.
  14. For HttpGet, leave the value as true if you want the document to perform a partial HTTP GET request (the first byte) of each object that's analyzed. Change the value to false if you want the document to perform a full GET request. 
  15. For Verbose, enter true if you want to see detailed information during the analysis. Enter false if you only want to see warning and error messages. 
  16. (Optional) For CloudWatchLogGroupName, you can enter an Amazon CloudWatch log group name that you want to send the analysis results to. If you specify a name in this field and there's no log group with that name, then the document tries to create a log group with that name on your behalf. 
  17. (Optional) For CloudWatchLogStreamName, you can enter a CloudWatch log stream name that you want to send the analysis results to. If you specify a name in this field and there's no log stream with that name, then the document tries to create a log stream with that name on your behalf. If you leave this field blank, then the document uses the document's execution ID as the log stream name. 
  18. For ResourcePartition, select the partition that the S3 bucket is in. The options are aws, aws-us-gov, or aws-cn
  19. (Optional) For Tags, enter up to five key-value pair tags.
  20. Choose Execute
  21. Use the Execution status to track the progress of the document.
  22. After the status is Success, review the results listed in Outputs. The results might include error codes for each object evaluated. The error codes can help diagnose the cause of the Access Denied errors for anonymous requests to each object.
    Tip: To review the result of an individual step in the evaluation, choose the relevant Step ID under Executed steps.

Did this article help?


Do you need billing or technical support?