How do I troubleshoot 403 Access Denied errors from my Amazon S3 bucket where all the resources are from the same AWS account?

Last updated: 2022-04-18

I'm trying to access my Amazon Simple Storage Service (Amazon S3) bucket. All the relevant resources are from the same AWS account. However, I'm getting a "403 Access Denied" error.

Short description

When a request to your Amazon S3 bucket isn't allowed by the applicable policies, Amazon S3 returns a "403 Access Denied" error. To manually troubleshoot 403 Access Denied errors, see How do I troubleshoot 403 Access Denied errors from Amazon S3?

You can also use the AWSSupport-TroubleshootS3AccessSameAccount runbook from AWS Systems Manager to help you diagnose access denied issues with your S3 bucket. The runbook evaluates the access level that the requester has on your S3 resource, taking into account all relevant resources from the same AWS account: the identity-based policies of the AWS Identity and Access Management (IAM) user or role that you specify in the input parameters, and the resource-based policies (such as the bucket policy and ACLs) that are associated with the S3 resource.

Note: The AWSSupport-TroubleshootS3AccessSameAccount runbook doesn't evaluate permissions for cross-account resources. The requester must be in the same AWS account as the S3 bucket or object.

Resolution

Required steps

Follow these steps to run the AWSSupport-TroubleshootS3AccessSameAccount runbook from the Systems Manager console:

1.    Open the Systems Manager console.

2.    In the navigation pane, choose Automation.

3.    Choose Execute automation.

4.    Under Choose document, choose the Owned by Amazon tab.

5.    In the Automation document search bar, enter AWSSupport-TroubleshootS3AccessSameAccount, and then press Enter.

6.    Select AWSSupport-TroubleshootS3AccessSameAccount.

7.    Choose Execute automation.

8.    Choose Simple execution.

9.    For S3ResourceArn, enter the ARN of the S3 bucket or object that you want to troubleshoot. For example, to test for an upload or download of an object:

arn:aws:s3:::bucket_name/key_name

10.    For S3Action, choose the S3 action that you want the runbook to evaluate the access context for.

11.    For RequesterArn, enter the IAM user or role ARN that you want to find the access level for on the specific S3 resource. For example:

arn:aws:iam::123456789012:user/user_name

or

arn:aws:iam::123456789012:role/example-role

12.    Choose Execute.

Use the Execution status to track the progress of the document. After the status changes to Success, review the results listed in the Outputs section. The results include error codes for each object that's evaluated.

Note: To review the result of an individual step in the evaluation, choose the relevant Step ID under Executed steps.

Optional steps

The following steps are optional.

For AutomationAssumeRole, you can select an IAM role for Systems Manager to assume to send requests to your bucket. If you leave this field blank, then Systems Manager uses the IAM identity that you're using to set up the document. For more information, see the Required IAM permissions for AutomationAssumeRole section.

Important: The trust policy of the IAM role that you select must allow Systems Manager Automation to assume the role. Also, the IAM role must have permission to run the AWSSupport-TroubleshootS3AccessSameAccount runbook.

If the IAM ARN is a role and you want to provide a specific session name, then for RequesterRoleSessionName, enter the session name.

If the object has multiple versions, then for S3ObjectVersionId, enter the VersionId of the object. This parameter lets you specify the version of the object that you want to evaluate the access context for.

If it's relevant to the action, then for KmsKeyArn, enter the ARN of the AWS KMS key. For example, enter the key ARN to test the download of an object that's encrypted with that KMS key.

For VpcEndpointId, you can enter the Amazon Virtual Private Cloud (Amazon VPC) endpoint ID that's related to the access evaluation. Amazon S3 bucket policies can control access to buckets from specific Amazon VPC endpoints.

For ContextKeyList, you can enter a list of condition context keys and their values that the policy evaluation should take into account. For example, to test a bucket policy statement that explicitly denies PutObject based on the KMS key that's specified in the request:

{"ContextKeyName":"s3:x-amz-server-side-encryption-aws-kms-key-id","ContextKeyValues":["arn:aws:kms:us-east-1:123456789012:key/abc12345-b1e9-45a3-aa90-39ec93dd9b82"],"ContextKeyType":"string"}

If you want the runbook to compare the input with a specific AWS Organizations service control policy (SCP), then for SCPPolicy, enter the SCP. Remove any new lines, tabs, or white spaces when you input a value.

Note: If you run the runbook from the Organization's management account, then the preceding step isn't necessary.

For Tags, you can tag your automations to help you categorize.

Under AWS CLI command and shareable execution link, the console provides an equivalent AWS Command Line Interface (AWS CLI) command for Linux, Unix, and macOS, and a link to the execution that you can share.
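The same procedure driven from the AWS CLI, covering the required parameters from the steps above and the optional ones from this section. This is an added example and not the command that the console generates for you; the bucket, key and identity ARNs, the script name and the environment variable names used for the optional parameters are placeholders, and the S3Action value must be one that the runbook accepts (the values offered in the console's S3Action list).

```shell
#!/bin/sh
# Added example, not part of the AWS article: run the
# AWSSupport-TroubleshootS3AccessSameAccount runbook from the AWS CLI, wait
# for it to finish and print its Outputs. Parameter names are the runbook's
# own; bucket, key and identity ARNs are placeholders.
#
# Optional runbook parameters are read from the environment (names assumed):
#   AUTOMATION_ROLE_ARN  -> AutomationAssumeRole
#   REQUESTER_SESSION    -> RequesterRoleSessionName
#   OBJECT_VERSION_ID    -> S3ObjectVersionId
#   KMS_KEY_ARN          -> KmsKeyArn
#   VPC_ENDPOINT_ID      -> VpcEndpointId
#   CONTEXT_KEYS         -> ContextKeyList (one JSON object, as in the article)
#   SCP_POLICY           -> SCPPolicy (JSON with whitespace removed)

RUNBOOK=AWSSupport-TroubleshootS3AccessSameAccount

# Escape a value for use inside a JSON string (backslashes first, then quotes).
# Needed because ContextKeyList and SCPPolicy values are themselves JSON.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Append "Name":["value"] to $params, but only when the value is non-empty.
add_param() {
  [ -n "$2" ] || return 0
  params="$params,\"$1\":[\"$(json_escape "$2")\"]"
}

# Build the --parameters document. SSM Automation takes every parameter as a
# list of strings, so each value is wrapped in [...].
build_params() {
  params="\"S3ResourceArn\":[\"$(json_escape "$1")\"],\"S3Action\":[\"$(json_escape "$2")\"],\"RequesterArn\":[\"$(json_escape "$3")\"]"
  add_param AutomationAssumeRole "${AUTOMATION_ROLE_ARN:-}"
  add_param RequesterRoleSessionName "${REQUESTER_SESSION:-}"
  add_param S3ObjectVersionId "${OBJECT_VERSION_ID:-}"
  add_param KmsKeyArn "${KMS_KEY_ARN:-}"
  add_param VpcEndpointId "${VPC_ENDPOINT_ID:-}"
  add_param ContextKeyList "${CONTEXT_KEYS:-}"
  add_param SCPPolicy "${SCP_POLICY:-}"
  printf '{%s}' "$params"
}

# Start the runbook and print the execution ID.
start_runbook() {
  params_file=$(mktemp)
  build_params "$1" "$2" "$3" > "$params_file"
  aws ssm start-automation-execution \
    --document-name "$RUNBOOK" \
    --parameters "file://$params_file" \
    --query AutomationExecutionId --output text
  rm -f "$params_file"
}

# Poll until the execution reaches a terminal state, then print that state.
wait_for_execution() {
  while :; do
    status=$(aws ssm get-automation-execution \
      --automation-execution-id "$1" \
      --query AutomationExecution.AutomationExecutionStatus --output text)
    case "$status" in
      Success|Failed|Cancelled|TimedOut) printf '%s\n' "$status"; return 0 ;;
      *) sleep 10 ;;
    esac
  done
}

main() {
  exec_id=$(start_runbook "$1" "$2" "$3")
  echo "Execution ID: $exec_id"
  status=$(wait_for_execution "$exec_id")
  echo "Status: $status"
  # Outputs holds the runbook's findings, including the per-object error codes.
  aws ssm get-automation-execution --automation-execution-id "$exec_id" \
    --query AutomationExecution.Outputs --output json
}

# Usage: sh s3_access_runbook.sh <S3ResourceArn> <S3Action> <RequesterArn>
# e.g.   sh s3_access_runbook.sh arn:aws:s3:::my-bucket/reports/q1.csv GetObject \
#            arn:aws:iam::123456789012:role/example-role
if [ $# -eq 3 ]; then
  main "$@"
fi
```

Writing the parameters to a file and passing file:// avoids shell quoting problems with the ContextKeyList and SCPPolicy values, which are JSON documents nested inside the parameters JSON; json_escape does that nesting. If the execution ends in Failed rather than Success, inspect the individual steps with aws ssm get-automation-execution (the StepExecutions list) the same way the console's Executed steps view does.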

Required IAM permissions for AutomationAssumeRole

The role that you pass in AutomationAssumeRole must be allowed to perform the actions that the runbook uses.

The following example policy includes the required actions for the automation role. Replace bucket_name, destination-prefix, and the KMS key ARN with the bucket, object key (or key prefix followed by /*) and key that you're troubleshooting:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:SimulateCustomPolicy",
        "iam:GetUser",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListGroupPolicies",
        "iam:GetGroupPolicy",
        "iam:ListAttachedGroupPolicies",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObjectVersionAcl",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::bucket_name/destination-prefix",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetBucketPolicy",
        "s3:GetBucketAcl",
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::bucket_name",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeVpcEndpoints"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:GetKeyPolicy"
      ],
      "Resource": "arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Effect": "Allow"
    },
    {
      "Action": [
        "organizations:ListPolicies",
        "organizations:DescribePolicy"
      ],
      "Resource": "arn:aws:organizations::aws:policy/service_control_policy/*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ssm:GetAutomationExecution",
        "ssm:DescribeAutomationExecutions"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ssm:StartAutomationExecution",
      "Resource": "arn:aws:ssm:*:*:automation-definition/AWSSupport-TroubleshootS3AccessSameAccount:*",
      "Effect": "Allow",
      "Sid": "StartAutomationExecution"
    },
    {
      "Action": "access-analyzer:ValidatePolicy",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
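The Important note in the optional steps says the role's trust policy must allow Systems Manager Automation to assume it, but the article doesn't show that trust policy. The following added example (not part of the AWS article) creates the role with such a trust policy and attaches the permissions policy above, saved to a file with its placeholders replaced. The role name, policy name, file names and the aws:SourceAccount condition are this example's choices, not requirements stated by the runbook.

```shell
#!/bin/sh
# Added example, not from the AWS article: create the role that you pass as
# AutomationAssumeRole. The trust policy lets Systems Manager Automation
# (service principal ssm.amazonaws.com) assume the role; the permissions
# policy is the example policy above, saved to a file with bucket_name,
# destination-prefix and the KMS key ARN replaced. Role name, policy name
# and file names are placeholders.

ROLE_NAME=${ROLE_NAME:-S3AccessRunbookAutomationRole}

# Trust policy for the Systems Manager service principal. The aws:SourceAccount
# condition limits the role to automations started in the given account, so a
# role with these permissions can't be picked up by another account's automation.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ssm.amazonaws.com" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "aws:SourceAccount": "$1" } }
    }
  ]
}
EOF
}

# Create the role, attach the runbook permissions as an inline policy and
# print the role ARN to enter as AutomationAssumeRole.
# Usage: sh create_automation_role.sh /path/to/runbook-permissions.json
create_role() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  trust_file=$(mktemp)
  trust_policy "$account_id" > "$trust_file"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "file://$trust_file" > /dev/null
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name TroubleshootS3AccessSameAccount \
    --policy-document "file://$1"
  rm -f "$trust_file"
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

if [ $# -eq 1 ]; then
  create_role "$1"
fi
```

The inline policy is scoped to one bucket, one KMS key and one runbook definition, as in the example policy above; keep it that way rather than widening the resources to "*" when the role is reused for other buckets, and note that the role can read the object it evaluates (s3:GetObject), so don't attach it to identities that shouldn't.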
