How do I troubleshoot 403 Access Denied errors from Amazon S3?

Last updated: 2019-05-10

My users are trying to access objects in my Amazon Simple Storage Service (Amazon S3) bucket, but Amazon S3 is returning the 403 Access Denied error. How can I troubleshoot this error? 

Short Description

To troubleshoot Access Denied errors from Amazon S3, check the following:

  • Permissions for bucket and object owners across AWS accounts
  • Issues in bucket policy or AWS Identity and Access Management (IAM) user policies
  • Credentials to access Amazon S3
  • VPC endpoint policy
  • Block Public Access settings
  • Missing object
  • Object encryption by AWS Key Management Service (AWS KMS)
  • Requester Pays enabled on bucket
  • AWS Organizations service control policy

Resolution

Permissions for bucket and object owners across AWS accounts

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. If other accounts can upload objects to your bucket, then check which account owns the objects that your users can't access:

1.    Run this AWS Command Line Interface (AWS CLI) command to get the Amazon S3 canonical ID for your account:

aws s3api list-buckets --query Owner.ID 

2.    Run this command to list the objects that users can't access. The Owner.ID field of each entry in the output is the Amazon S3 canonical ID of the account that owns that object:

aws s3api list-objects --bucket awsexamplebucket --prefix exampleprefix 

Tip: You can use the list-objects command to check several objects.

3.    If the canonical IDs don't match, then you (the bucket owner) don't own the object. The object owner can grant you full control of the object by running this command:

aws s3api put-object-acl --bucket awsexamplebucket --key exampleobject.jpg --acl bucket-owner-full-control 

For ongoing cross-account permissions, you can create an IAM role in your account with permissions to your bucket. Then, you can grant another AWS account the permission to assume that IAM role, so that objects it uploads are owned by your account. For more information, see Tutorial: Delegate Access Across AWS Accounts Using IAM Roles.
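The ownership check above, automated, as an added example that is not code from this article: it reads the JSON printed by the two list commands, groups the keys the bucket owner does not own by the canonical ID that does own them, and emits the put-object-acl command each of those owners has to run. The listing and the 64-character canonical IDs are constructed placeholders.

```python
"""Added example, not code from the AWS article: find objects in a listing that
the bucket owner does not own and produce the put-object-acl commands the
object owner must run. Inputs are the JSON that the two CLI commands in the
procedure above print; the sample below is constructed, with 64-character
placeholder canonical IDs."""
import json
from collections import defaultdict

BUCKET = "awsexamplebucket"
BUCKET_OWNER_ID = "a" * 64    # placeholder canonical ID for your account
OTHER_ACCOUNT_ID = "b" * 64   # placeholder canonical ID for the uploading account

# Constructed output of: aws s3api list-buckets --query Owner.ID
LIST_BUCKETS_OWNER_JSON = json.dumps(BUCKET_OWNER_ID)

# Constructed output of:
#   aws s3api list-objects --bucket awsexamplebucket --prefix exampleprefix
# (list-objects returns Owner for every key; list-objects-v2 needs --fetch-owner).
LIST_OBJECTS_JSON = json.dumps({"Contents": [
    {"Key": "exampleprefix/mine.jpg", "Size": 10,
     "Owner": {"DisplayName": "bucket-owner", "ID": BUCKET_OWNER_ID}},
    {"Key": "exampleprefix/exampleobject.jpg", "Size": 20,
     "Owner": {"DisplayName": "other-account", "ID": OTHER_ACCOUNT_ID}},
    {"Key": "exampleprefix/report.csv", "Size": 30,
     "Owner": {"DisplayName": "other-account", "ID": OTHER_ACCOUNT_ID}},
]})


def foreign_owned_objects(owner_id_json, list_objects_json):
    """Map each non-owner canonical ID to the keys it owns in the listing."""
    bucket_owner = json.loads(owner_id_json)
    by_owner = defaultdict(list)
    for obj in json.loads(list_objects_json).get("Contents", []):
        object_owner = obj.get("Owner", {}).get("ID")
        if object_owner != bucket_owner:
            by_owner[object_owner].append(obj["Key"])
    return dict(by_owner)


def remediation_commands(bucket, by_owner):
    """Commands each object owner has to run. The bucket owner cannot change
    the ACL of an object it does not own, so these go to the other account."""
    return {owner: [f"aws s3api put-object-acl --bucket {bucket} --key {key} "
                    f"--acl bucket-owner-full-control" for key in keys]
            for owner, keys in by_owner.items()}


if __name__ == "__main__":
    foreign = foreign_owned_objects(LIST_BUCKETS_OWNER_JSON, LIST_OBJECTS_JSON)
    for owner, cmds in remediation_commands(BUCKET, foreign).items():
        print(f"# object owner {owner[:8]}... must run:")
        print("\n".join(cmds))
```

To use it against a real bucket, capture the two CLI commands' output to files and pass their contents in place of the constructed strings; the grouping by owner tells you which account you have to contact, and the generated commands are exactly the ones from step 3.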

Issues in the bucket policy or IAM user policies

Review the bucket policy or associated IAM user policies for any statements that might be denying access incorrectly. Check for any incorrect deny statements, missing actions, or incorrect spacing in a policy.

Check deny statements for any conditions that block access based on multi-factor authentication (MFA), encryption keys, a specific IP address, or a specific VPC endpoint. Verify that the requests to your bucket meet any conditions in the bucket policy or IAM policies. Otherwise, it’s expected that access is denied.

Note: If you require MFA and users send requests through the AWS CLI, be sure that the users configure the AWS CLI to use MFA.

For example, in the following bucket policy, Statement1 allows public access to download objects (s3:GetObject) from awsexamplebucket. However, Statement2 explicitly denies everyone access to download objects from awsexamplebucket unless the request is from the VPC endpoint vpce-1a2b3c4d. An explicit deny always takes precedence over an allow, regardless of the order of the statements. This means that users who try to download objects from outside of vpce-1a2b3c4d are denied access.

{
  "Id": "Policy1234567890123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Principal": "*"
    },
    {
      "Sid": "Statement2",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      },
      "Principal": "*"
    }
  ]
}

Check that the bucket policy or IAM policies allow the Amazon S3 actions that your users need. For example, the following bucket policy doesn’t include permission to the s3:PutObjectAcl action. If the IAM user tries to modify the access control list (ACL) of an object, then the user gets an Access Denied error. 

{
  "Id": "Policy1234567890123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::awsexamplebucket/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111122223333:user/Dave"
        ]
      }
    }
  ]
}

Check that there aren’t any extra spaces in the bucket policy or IAM user policies. For example, the following IAM policy has an extra space in the Amazon Resource Name (ARN) arn:aws:s3::: awsexamplebucket/*. Because of the space, the ARN is incorrectly evaluated as arn:aws:s3:::%20awsexamplebucket/*, which matches no real object. This means that the IAM user doesn’t have permissions to the correct objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3::: awsexamplebucket/*"
    }
  ]
}

Block Public Access settings

If your users are getting Access Denied errors on public requests that should be allowed, check the bucket's Block Public Access settings. These settings override bucket policies and ACLs that allow public access. Block Public Access can be set on individual buckets or on the whole AWS account; the account-level setting applies to every bucket in the account, and the more restrictive of the two settings wins.

Credentials to access Amazon S3

Review the credentials that your users have configured to access Amazon S3. AWS SDKs and the AWS CLI must be configured to use the credentials of the IAM user or role with access to your bucket.

For the AWS CLI, run this command to check the configured credentials. The output also shows where each value comes from (an environment variable, a profile in the shared credentials file, or an instance or container role), which tells you whether the CLI is picking up the credentials you expect:

aws configure list

If users access your bucket through an Amazon Elastic Compute Cloud (Amazon EC2) instance, verify that the instance is using the correct role. Connect to the instance, and then run this command: 

aws sts get-caller-identity

VPC endpoint policy

If users access your bucket with an EC2 instance routed through a VPC endpoint, check the VPC endpoint policy. Be sure that the VPC endpoint policy includes the correct permissions to access your S3 buckets and objects.

For example, the following VPC endpoint policy allows only s3:GetObject and s3:PutObject on awsexamplebucket. Users that send requests through this VPC endpoint can’t access any other bucket. Other actions sent through this endpoint, such as s3:ListBucket, are also denied even if the bucket policy or IAM policies allow them, because the VPC endpoint policy is evaluated in addition to those policies.

{
  "Id": "Policy1234567890123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::awsexamplebucket",
        "arn:aws:s3:::awsexamplebucket/*"
      ],
      "Principal": "*"
    }
  ]
}
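The evaluation rules behind the policy examples in "Issues in the bucket policy or IAM user policies" and in this section can be checked offline. The following is an added example, not code from this article or from AWS: a deliberately small policy evaluator that reproduces each outcome the article describes, using the policy documents printed above. It assumes a same-account caller (so Principal is not checked), supports only StringEquals and StringNotEquals conditions on single-valued context keys, and has no NotAction, NotResource or policy variables; the request contexts are constructed.

```python
"""Added example, not code from the AWS article: a minimal evaluator that
reproduces the decisions discussed under "Issues in the bucket policy or IAM
user policies" and "VPC endpoint policy". Assumptions: same-account caller, so
Principal is not checked; only StringEquals/StringNotEquals on single-valued
context keys; no NotAction/NotResource or policy variables. The policy documents
are the article's; the request contexts are constructed."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """True when every condition block is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif operator == "StringNotEquals":
                # An absent key (request not via any VPC endpoint) satisfies NotEquals.
                if actual in _as_list(wanted):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _applies(stmt, action, resource, ctx):
    """Statement covers action, resource and context. ARNs are compared
    literally, so a stray space in Resource matches no real object."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policies, action, resource, ctx):
    """Explicit Deny beats any Allow; no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def decide(action, resource, ctx, identity=None, bucket=None, vpce=None, scp=None):
    """SCP and VPC endpoint policy are separate gates that must each allow the
    request; the identity and bucket policies are then evaluated together."""
    for gate in (scp, vpce):
        if gate is not None and evaluate([gate], action, resource, ctx) != "Allow":
            return "Deny"
    return evaluate([p for p in (identity, bucket) if p is not None], action, resource, ctx)


OBJ = "arn:aws:s3:::awsexamplebucket/exampleobject.jpg"
ALLOW_ALL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Article bucket policy: public GetObject, explicitly denied outside vpce-1a2b3c4d.
VPCE_ONLY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Statement1", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::awsexamplebucket/*", "Principal": "*"},
    {"Sid": "Statement2", "Effect": "Deny", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::awsexamplebucket/*", "Principal": "*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-1a2b3c4d"}}}]}
# Article bucket policy that grants s3:PutObject but not s3:PutObjectAcl.
PUT_ONLY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::awsexamplebucket/*",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:user/Dave"]}}]}
# Article IAM policy with the extra space in the ARN.
SPACED_ARN_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3::: awsexamplebucket/*"}]}
# Article VPC endpoint policy.
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Principal": "*",
     "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"]}]}


def article_cases():
    """Each request the article describes, with the decision it predicts."""
    via_vpce = {"aws:SourceVpce": "vpce-1a2b3c4d"}
    return {
        "get_via_vpce": decide("s3:GetObject", OBJ, via_vpce, bucket=VPCE_ONLY_BUCKET_POLICY),
        "get_from_internet": decide("s3:GetObject", OBJ, {}, bucket=VPCE_ONLY_BUCKET_POLICY),
        "put_allowed": decide("s3:PutObject", OBJ, {}, bucket=PUT_ONLY_BUCKET_POLICY),
        "put_acl_missing": decide("s3:PutObjectAcl", OBJ, {}, bucket=PUT_ONLY_BUCKET_POLICY),
        "arn_with_space": decide("s3:GetObject", OBJ, {}, identity=SPACED_ARN_IAM_POLICY),
        "vpce_other_bucket": decide("s3:GetObject", "arn:aws:s3:::otherbucket/x.jpg",
                                    via_vpce, identity=ALLOW_ALL_S3, vpce=VPCE_POLICY),
        "vpce_list_bucket": decide("s3:ListBucket", "arn:aws:s3:::awsexamplebucket",
                                   via_vpce, identity=ALLOW_ALL_S3, vpce=VPCE_POLICY),
    }
```

Calling article_cases() returns Allow for the download through vpce-1a2b3c4d and Deny for the same download from the internet (the explicit deny wins), an implicit deny for s3:PutObjectAcl under the PutObject-only policy and for the ARN with the space, and Deny for any request through the VPC endpoint that targets another bucket or an action the endpoint policy doesn't list. Against real policies, the authoritative check is the IAM policy simulator (the SimulateCustomPolicy and SimulatePrincipalPolicy APIs), which applies the full evaluation logic this toy omits.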

Missing object

Check if the requested object exists in the bucket. If a user doesn’t have s3:ListBucket permissions, then the user gets a 403 Access Denied error for missing objects instead of a 404 Not Found error, so that a caller without list permission can't probe which keys exist. Run this AWS CLI command, with credentials that do have access, to check if an object exists in the bucket:

aws s3api head-object --bucket awsexamplebucket --key exampleobject.jpg 

If the object exists in the bucket, then the Access Denied error isn't masking a 404 Not Found error. Verify other configuration requirements to resolve the Access Denied error.

If the object isn’t in the bucket, then the Access Denied error is masking a 404 Not Found error. Resolve the issue related to the missing object.

Object is encrypted by AWS KMS

If an IAM user can’t access an object that the user has full permissions to, check if the object is encrypted by AWS KMS. You can use the Amazon S3 console to view the object’s properties, which include the object’s encryption information; the head-object command used in the previous section also reports this in its ServerSideEncryption and SSEKMSKeyId fields.

If the object is KMS encrypted, be sure that the KMS key policy and the IAM user policy both allow the following actions. Downloads call kms:Decrypt and uploads call kms:GenerateDataKey, so a user who can upload but not download (or the reverse) is usually missing one of these. If the key belongs to another account, the key policy must grant that account and the user's IAM policy must grant the user; neither alone is enough.

"Action": [
  "kms:Encrypt",
  "kms:Decrypt",
  "kms:ReEncrypt*",
  "kms:GenerateDataKey*",
  "kms:DescribeKey"
]

Requester Pays enabled on bucket

If your bucket has Requester Pays enabled, then users from other accounts must specify the request-payer parameter when they send requests to your bucket. Otherwise, those users get an Access Denied error. To check if Requester Pays is enabled, you can use the Amazon S3 console to view your bucket’s properties.

The following example AWS CLI command includes the correct parameter to access a bucket with Requester Pays: 

aws s3 cp exampleobject.jpg s3://awsexamplebucket/exampleobject.jpg --request-payer requester

AWS Organizations service control policy

If you're using AWS Organizations, check the service control policies to be sure that access to Amazon S3 is allowed. For example, the following policy explicitly denies access to Amazon S3 and results in an Access Denied error. 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

For more information on the features of AWS Organizations, see Enabling All Features in Your Organization.

