Why am I getting a "403 Forbidden" error when I try to upload files in Amazon S3?

Last updated: 2022-04-27

I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console. However, I'm getting a "403 Forbidden" error instead.

Short description

The "403 Forbidden" error can occur due to the following reasons:

  • Permissions are missing for s3:PutObject to add an object or s3:PutObjectAcl to modify the object's ACL.
  • You don't have permission to use an AWS Key Management Service (AWS KMS) key.
  • There is an explicit deny statement in the bucket policy.
  • Amazon S3 Block Public Access is enabled.
  • The bucket access control list (ACL) doesn't allow the AWS account root user to write objects.
  • An AWS Organizations service control policy doesn't allow access to Amazon S3.

Resolution

Check your permissions for s3:PutObject or s3:PutObjectAcl

Follow these steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. In the navigation pane, choose the type of identity that's used to access the bucket, such as Users or Roles.
  3. Select the name of the IAM identity that you're using to access the bucket.
  4. Choose the Permissions tab, and expand each policy to view its JSON policy document.
  5. In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:PutObject or s3:PutObjectAcl actions on the bucket.

Ask for permission to use an AWS KMS key

To access an S3 bucket that uses default encryption with a custom AWS KMS key, a key administrator must grant you permission on the key policy.

To upload an object to an encrypted bucket, your IAM user or role must have AWS KMS permissions for at least kms:Encrypt and kms:GenerateDataKey.

Check the bucket policy for explicit deny statements

Follow these steps:

  1. Open the Amazon S3 console.
  2. From the list of buckets, open the bucket you want to upload files to.
  3. Choose the Permissions tab.
  4. Choose Bucket policy.
  5. Search for statements with "Effect": "Deny".
  6. For each deny statement that covers s3:PutObject, verify that the condition keys it uses (for example, the required encryption headers) match the URI request parameters and headers that your upload request actually sends, so that the statement's specific conditions are met.

Important: Before saving a bucket policy with "Effect": "Deny", make sure to check for any statements that deny access to the S3 bucket. If you get locked out, see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

The following example statement explicitly denies access to s3:PutObject on awsdoc-example-bucket unless the upload request includes encryption with the AWS KMS key arn:aws:kms:us-east-1:111122223333:key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}
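To see why an upload request that omits the expected SSE-KMS header is rejected by a statement like the one above, the following added Python example (not from the AWS article) evaluates its StringNotLikeIfExists condition against constructed request headers the way IAM does. The KMS key IDs in the sample requests are constructed placeholders.

```python
import fnmatch

# Condition block copied from the example Deny statement above.
DENY_CONDITION = {
    "StringNotLikeIfExists": {
        "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:us-east-1:111122223333:key/*"
    }
}


def string_not_like_if_exists(context: dict, key: str, pattern: str) -> bool:
    """IAM semantics for StringNotLikeIfExists.

    - Key absent from the request context: the ...IfExists suffix makes the
      condition evaluate to TRUE, so the Deny applies.
    - Key present: TRUE only when the value does NOT match the policy
      wildcard pattern (* and ? are the only wildcards; matching is
      case-sensitive).
    """
    if key not in context:
        return True
    return not fnmatch.fnmatchcase(context[key], pattern)


def deny_applies(context: dict) -> bool:
    """True when every key in the condition block evaluates to true."""
    for operator, pairs in DENY_CONDITION.items():
        if operator != "StringNotLikeIfExists":
            raise NotImplementedError(operator)
        if not all(string_not_like_if_exists(context, k, v) for k, v in pairs.items()):
            return False
    return True


def put_object_outcome(headers: dict) -> str:
    """Map request headers to s3:* condition keys and report the result."""
    context = {"s3:" + name.lower(): value for name, value in headers.items()}
    return "403 Forbidden (explicit deny)" if deny_applies(context) else "not denied by this statement"


if __name__ == "__main__":
    # Constructed sample requests: no encryption header, SSE-S3 only,
    # SSE-KMS with a key in the expected account, and a key in another account.
    samples = [
        {},
        {"x-amz-server-side-encryption": "AES256"},
        {"x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"x-amz-server-side-encryption": "aws:kms",
         "x-amz-server-side-encryption-aws-kms-key-id":
             "arn:aws:kms:us-east-1:999999999999:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    ]
    for headers in samples:
        print(headers, "->", put_object_outcome(headers))
```

Only the third request passes this statement, which is the behaviour to expect when a console or CLI upload is made without explicitly choosing the bucket's KMS key.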

Disable S3 Block Public Access

If you're passing the public ACL in an upload request and the S3 Block Public Access feature is enabled, then disable it before uploading files.

For more information about configuring the S3 Block Public Access settings at the account level, see Configuring block public access settings for your account. For configuring settings at the bucket level, see Configuring block public access settings for your S3 buckets.

Grant the root user permission to write objects

Configure the bucket's ACL permissions to grant the root user access to write objects.

Delete service control policies for AWS Organizations

If you use AWS Organizations, delete any service control policies that explicitly deny S3 actions.