Stuck with AWS S3 403 Forbidden Error? We can help you.
Recently, one of our customers was trying to upload files to Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console.
However, he came across an HTTP 403 Forbidden error instead.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how to troubleshoot this?
AWS S3 403 Forbidden error
To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, we need to check:
Missing permissions to s3:PutObject or s3:PutObjectAcl
We ensure that the AWS Identity and Access Management (IAM) user or role has permissions for the s3:PutObject action on the bucket.
On the other hand, not having this permission can result in HTTP 403 Forbidden error.
In addition, during the upload, if we try to modify the object’s ACL, the IAM user or role must have permissions for the s3:PutObjectAcl action.
Missing permissions to use an AWS KMS key
We need permission to access an S3 bucket that uses default encryption with a custom AWS KMS key.
To get the permission, a key administrator must grant it on the key policy.
The IAM user or role must have permissions for kms:Encrypt and kms:GenerateDataKey to upload an object to an encrypted bucket.
Explicit deny statement in the bucket policy
We need to check the bucket policy for any statements that explicitly deny permission for s3:PutObject unless it meets certain conditions.
The upload should meet the bucket policy requirements for access to the s3:PutObject action.
For example, suppose the bucket policy explicitly denies s3:PutObject. Unless the request includes server-side encryption using AWS KMS or Amazon S3 encryption keys, we need to verify we use the correct encryption header to upload objects.
Here a bucket policy explicitly denies any access to s3:PutObject on the bucket awsdoc-example-bucket unless the upload request includes encryption with the AWS KMS key arn:aws:kms:us-east-1:111122223333:key:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
"Condition": {
"StringNotLikeIfExists": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
}
},
"Principal": "*"
}
]
}
Bucket ACL doesn’t allow the root user to write objects
Suppose we use the root user account to upload objects to the S3 bucket. Then we need to verify that the bucket’s ACL grants the root user access to Write objects.
AWS Organizations service control policy doesn’t allow access to Amazon S3
If we use AWS Organizations, we check the service control policies to ensure access to Amazon S3.
For example, the following policy can result in errors if we try to access Amazon S3. Because it explicitly denies access:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "S3:*",
"Resource": "*"
}]
}[Stuck with the process? We are here for you]
Conclusion
In short, we saw how our Support Techs fix the AWS error for our customers.
0 Comments