Wondering how to resolve cross-account Amazon S3 bucket 403 errors? We can help you.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how our Support Techs perform this task.
How to resolve cross-account Amazon S3 bucket 403 errors?
Cross-account users usually get Access Denied (HTTP 403) errors for one of the following reasons:
- The user’s IAM policy doesn’t grant access to the bucket.
- The object is encrypted with AWS Key Management Service (AWS KMS), and the user doesn’t have permission to use the KMS key.
- A deny statement in the bucket policy or the IAM policy is blocking the user’s access.
- The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
- An AWS Organizations service control policy (SCP) is blocking access to the bucket.
- The object doesn’t belong to the AWS account that owns the bucket.
- Requester Pays is enabled on the bucket.
Today, let us see the steps followed by our Support Techs to resolve it.
The user’s IAM policy doesn’t grant access to the bucket
For cross-account access, the request must be allowed both by the user’s IAM policy in Account A (the requester’s account) and by the bucket policy in Account B (the bucket owner’s account). An Allow in only one of the two is not enough.
Follow these steps to check the user’s IAM policy in Account A:
1. Open the IAM console.
2. From the console, open the IAM user or role that should have access to the bucket.
3. In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.
4. In the JSON policy documents, look for policies that name the bucket, then confirm that those policies allow the required S3 actions (for example s3:GetObject on the object ARN and s3:ListBucket on the bucket ARN).
5. If no policy on the IAM user or role grants access to the bucket, add a policy that grants the required permissions.
The object is encrypted by AWS KMS, and the user doesn’t have access to the KMS key
If both the IAM policy in Account A and the bucket policy in Account B grant cross-account access, then check whether the bucket has default encryption with AWS KMS, or whether the object’s properties show that it is encrypted with a KMS key. If the object is encrypted with a KMS key, the user also needs permission to use that key. Note that the AWS managed key (aws/s3) cannot be used from another account; cross-account access requires a customer managed key whose key policy you control.
To grant an IAM user the permissions to download from and upload to a bucket while using a KMS key for encryption, follow these steps:
1. Edit the KMS key policy to add a statement similar to the following:
Note: Enter the IAM user’s Amazon Resource Name (ARN) as the Principal.
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:user/Jane"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
2. If the KMS key belongs to the same account as the IAM user, then the statement in the key policy is enough to grant the user access to the key.
If the KMS key belongs to a different account than the IAM user, then you must also update the IAM user’s permissions.
Add an IAM policy similar to the following:
Note: Enter the KMS key’s ARN as the Resource.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt3",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:ReEncrypt*"
],
"Resource": "arn:aws:kms:example-region-1:123456789098:key/a1b2c3d4-e5f6-7890-g1h2-123456789abc"
}
]
}
A deny statement in the bucket policy or IAM policy is blocking the user’s access
Check both the bucket policy and the user’s IAM policies for statements that explicitly deny the user’s access to the bucket. An explicit Deny overrides every Allow, no matter which policy contains it.
Follow these steps to check the bucket policy:
1. Open the Amazon S3 console.
2. From the list of buckets, open the bucket whose policy you want to check.
3. Choose the Permissions tab.
4. Choose Bucket policy.
5. Look for statements with "Effect": "Deny", and check whether their Principal, Action, Resource and Condition elements match the user’s request.
6. Modify the bucket policy to edit or remove any "Effect": "Deny" statements that are denying the user’s access to the bucket.
Follow these steps to check the user’s IAM policies:
1. Open the IAM console.
2. From the console, open the IAM user or role that can’t access the bucket.
3. In the Permissions tab of the IAM user or role, expand each policy to view the JSON policy documents.
4. In the JSON policy documents, look for policies related to the S3 bucket with statements that contain "Effect": "Deny".
5. Modify the user’s IAM permissions policies to edit or remove any "Effect": "Deny" statements that are incorrectly denying the user’s access to the bucket.
The VPC endpoint policy is blocking access to the bucket
If users reach the bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance whose S3 traffic is routed through a VPC endpoint, check the VPC endpoint policy.
Confirm that the VPC endpoint policy allows the required S3 actions on the bucket and its objects; a request that the endpoint policy does not allow is rejected even when the IAM policy and bucket policy both allow it.
For example, the following VPC endpoint policy allows access to DOC-EXAMPLE-BUCKET:
{
"Id": "Policy1234567890123",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1234567890123",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Principal": "*"
}
]
}
Warning: The element "Principal": "*" lets every identity that uses the VPC endpoint send these requests to the bucket. An endpoint policy does not grant permissions on its own (the IAM policy and bucket policy still have to allow the request), but it is a boundary for everything behind the endpoint, so scope down the Principal value, or add a Condition, as appropriate for your use case.
The AWS Organizations service control policy is blocking access to the bucket
If the user’s account is a member of an AWS Organization, check the service control policies that apply to that account to be sure that access to Amazon S3 is allowed. An SCP never grants access; it only limits what the account’s IAM policies can grant.
For example, the following SCP explicitly denies all Amazon S3 actions and results in an Access Denied error for every principal in the account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "s3:*",
"Resource": "*"
}
]
}
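The four policy-based causes above (identity policy, bucket policy, VPC endpoint policy, SCP) all come down to the same evaluation rules. The following added example, which is not code from this article or from AWS, models those rules on constructed policies: an explicit Deny in any layer is final, SCPs and endpoint policies can only narrow, and a cross-account request needs an Allow in both the requester’s identity policy and the bucket policy. Account IDs, the principal Jane, and the bucket name are made up; Conditions, NotAction/NotResource and ACL grants are not modelled.

```python
"""Model of how AWS decides a cross-account S3 request (added example).

Not code from the article or from AWS. It models only the policy layers the
article lists: the requester's identity policy (Account A), the bucket policy
(Account B), an optional VPC endpoint policy and an optional SCP.
Conditions, NotAction/NotResource and ACL grants are not modelled.
Account IDs, principal and bucket names are made up.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # IAM wildcards (* and ?) behave like fnmatch patterns for our purposes.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    """Identity policies and SCPs carry no Principal; resource policies do."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    account = principal_arn.split(":")[4]
    allowed = _as_list(principal.get("AWS", []))
    return ("*" in allowed or principal_arn in allowed
            or account in allowed or f"arn:aws:iam::{account}:root" in allowed)


def evaluate_policy(policy, principal_arn, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched)."""
    verdict = None
    for stmt in policy.get("Statement", []):
        if (_principal_matches(stmt, principal_arn)
                and _match_any(stmt.get("Action", []), action)
                and _match_any(stmt.get("Resource", []), resource)):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny ends evaluation
            verdict = "Allow"
    return verdict


def cross_account_decision(principal_arn, action, resource, *, bucket_account,
                           identity_policy, bucket_policy,
                           scp=None, vpc_endpoint_policy=None):
    """Decide a request and name which of the article's causes produced a 403."""
    layers = {"SCP": scp, "VPC endpoint policy": vpc_endpoint_policy,
              "identity policy": identity_policy, "bucket policy": bucket_policy}
    results = {name: evaluate_policy(pol, principal_arn, action, resource)
               for name, pol in layers.items() if pol is not None}
    for name, verdict in results.items():           # 1. explicit Deny wins
        if verdict == "Deny":
            return "Denied", f"explicit Deny in {name}"
    for name in ("SCP", "VPC endpoint policy"):      # 2. boundaries must allow
        if name in results and results[name] != "Allow":
            return "Denied", f"{name} does not allow {action}"
    requester_account = principal_arn.split(":")[4]  # 3. same vs cross account
    if requester_account == bucket_account:
        if "Allow" in (results["identity policy"], results["bucket policy"]):
            return "Allowed", "same account: an Allow in either policy is enough"
        return "Denied", "no Allow in identity policy or bucket policy"
    missing = [n for n in ("identity policy", "bucket policy") if results[n] != "Allow"]
    if missing:
        return "Denied", "cross-account: no Allow in " + " and ".join(missing)
    return "Allowed", "Allow present in both identity policy and bucket policy"


# Constructed sample: Jane in Account A reads a bucket owned by Account B.
REQUESTER = "arn:aws:iam::111122223333:user/Jane"   # Account A (made up)
BUCKET_ACCOUNT = "444455556666"                       # Account B (made up)
BUCKET_ARN = "arn:aws:s3:::doc-example-bucket"
S3_READ = ["s3:GetObject", "s3:ListBucket"]

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": S3_READ, "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": REQUESTER},
     "Action": S3_READ, "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
DENY_S3_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
OTHER_BUCKET_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::some-other-bucket/*"}]}

if __name__ == "__main__":
    common = dict(bucket_account=BUCKET_ACCOUNT, identity_policy=IDENTITY_POLICY)
    obj = BUCKET_ARN + "/report.csv"
    print(cross_account_decision(REQUESTER, "s3:GetObject", obj, bucket_policy=BUCKET_POLICY, **common))
    print(cross_account_decision(REQUESTER, "s3:GetObject", obj, bucket_policy={"Statement": []}, **common))
    print(cross_account_decision(REQUESTER, "s3:GetObject", obj, bucket_policy=BUCKET_POLICY, scp=DENY_S3_SCP, **common))
```

Running the script shows the three outcomes in order: allowed when both the identity policy and the bucket policy allow s3:GetObject, denied with "no Allow in bucket policy" when Account B has not granted Jane anything, and denied with "explicit Deny in SCP" once the deny-all SCP from the section above is attached to Account A.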
The object doesn’t belong to the AWS account that owns the bucket
By default, an S3 object is owned by the AWS account that uploaded it.
This is true even when the bucket is owned by another account.
The bucket’s permissions don’t automatically apply to an object when the object is owned by a different account.
This can happen with service logs that are sent to a bucket in another account.
Examples of service logs include AWS CloudTrail logs or Amazon Virtual Private Cloud (Amazon VPC) flow logs.
Note: If the bucket’s S3 Object Ownership setting is Bucket owner enforced (the default for buckets created since April 2023), ACLs are disabled and the bucket owner automatically owns every object, so this cause cannot occur. The steps below apply to buckets that still use the Object writer or Bucket owner preferred setting.
To resolve Access Denied errors from object ownership:
1. The object owner must explicitly grant the bucket owner full control of the object, for example by uploading with the bucket-owner-full-control canned ACL or by applying that canned ACL to the existing object with put-object-acl.
2. Then, to take ownership, the bucket owner must copy the object over itself.
To do this, the bucket owner can run the cp command using the AWS Command Line Interface (AWS CLI), similar to the following:
aws s3 cp s3://DOC-EXAMPLE-BUCKET/awsexampleobject s3://DOC-EXAMPLE-BUCKET/awsexampleobject --metadata-directive REPLACE
After the bucket owner copies the object over itself, the object belongs to the bucket owner’s account. If the object is encrypted with a KMS key, the bucket owner also needs permission to use that key for the copy to succeed.
Requester Pays enabled on bucket
If your bucket has Requester Pays enabled, then users from other accounts must declare that they will pay for the request when they send requests to your bucket.
Otherwise, those users get an Access Denied error.
For GET, HEAD, and POST requests sent to the REST API, the user must include the header x-amz-request-payer: requester.
For signed URLs, the user must include x-amz-request-payer=requester as a request parameter.
For AWS CLI commands, the user must include the --request-payer parameter, similar to the following:
aws s3 cp exampleobject.jpg s3://DOC-EXAMPLE-BUCKET/exampleobject.jpg --request-payer requester
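The last three causes (SSE-KMS, object ownership and Requester Pays) are not visible in any policy; they are properties of the bucket and the object. The following added example, which is not code from this article or from AWS, collects those properties with standard `aws s3api` calls and maps them to the causes above. Run it with credentials from the bucket owner’s account (Account B), since the denied cross-account identity usually cannot read this metadata at all. The `gather()` function shells out to the AWS CLI, while `classify()` is pure so it can be checked against the constructed sample responses included in the block; the bucket, key, account IDs and canonical user IDs are made up.

```python
"""Gather the object-level facts behind the remaining 403 causes (added example).

Not code from the article or from AWS. gather() shells out to the AWS CLI and
must run with the bucket owner's credentials; classify() is pure and works on
the raw s3api responses. Bucket, key, account and canonical IDs are made up.
"""
import json
import subprocess
import sys


def aws_s3api(*args):
    """Run one `aws s3api` command; return parsed JSON, or None on failure
    (for example AccessDenied when reading an ACL the caller does not own)."""
    proc = subprocess.run(["aws", "s3api", *args, "--output", "json"],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return json.loads(proc.stdout)


def gather(bucket, key):
    """Collect the responses classify() needs, using only standard s3api calls."""
    return {
        "bucket_acl": aws_s3api("get-bucket-acl", "--bucket", bucket),
        "head": aws_s3api("head-object", "--bucket", bucket, "--key", key),
        "object_acl": aws_s3api("get-object-acl", "--bucket", bucket, "--key", key),
        "request_payment": aws_s3api("get-bucket-request-payment", "--bucket", bucket),
        # Fails (hence None) on older buckets that have no Object Ownership setting.
        "ownership": aws_s3api("get-bucket-ownership-controls", "--bucket", bucket),
    }


def classify(facts, requester_account):
    """Map gathered responses to the article's causes; returns (cause, detail) pairs."""
    findings = []
    head = facts.get("head") or {}
    if head.get("ServerSideEncryption") in ("aws:kms", "aws:kms:dsse"):
        key_arn = head.get("SSEKMSKeyId", "")
        key_account = key_arn.split(":")[4] if key_arn.count(":") >= 5 else ""
        detail = f"object is encrypted with {key_arn}; the key policy must allow the requester"
        if key_account and key_account != requester_account:
            detail += (" and, because the key is in another account, the requester's"
                       " IAM policy must also allow kms:Decrypt on it")
        findings.append(("kms", detail))

    rules = (facts.get("ownership") or {}).get("OwnershipControls", {}).get("Rules", [])
    ownership = rules[0].get("ObjectOwnership") if rules else "ObjectWriter"
    if ownership != "BucketOwnerEnforced":   # BucketOwnerEnforced: bucket owner owns all objects
        bucket_owner = (facts.get("bucket_acl") or {}).get("Owner", {}).get("ID")
        acl = facts.get("object_acl")
        if acl is None:
            findings.append(("ownership", "bucket owner cannot read the object ACL; "
                             "the object was most likely written by another account"))
        elif acl.get("Owner", {}).get("ID") != bucket_owner:
            findings.append(("ownership", f"object owner {acl['Owner']['ID']} "
                             f"is not the bucket owner {bucket_owner}"))

    if (facts.get("request_payment") or {}).get("Payer") == "Requester":
        findings.append(("requester_pays", "Requester Pays is on; cross-account callers "
                         "must send --request-payer requester"))
    return findings


# Constructed sample responses (not real AWS output) showing all three causes at once.
SAMPLE_FACTS = {
    "bucket_acl": {"Owner": {"ID": "b" * 64}},
    "head": {"ServerSideEncryption": "aws:kms",
             "SSEKMSKeyId": "arn:aws:kms:us-east-1:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    "object_acl": {"Owner": {"ID": "a" * 64}},
    "request_payment": {"Payer": "Requester"},
    "ownership": None,
}

if __name__ == "__main__":
    if len(sys.argv) == 4:                      # bucket key requester-account-id
        facts, requester = gather(sys.argv[1], sys.argv[2]), sys.argv[3]
    else:                                       # no arguments: use the constructed sample
        facts, requester = SAMPLE_FACTS, "111122223333"
    for cause, detail in classify(facts, requester) or [("none", "no object-level cause found")]:
        print(f"{cause}: {detail}")
```

Usage: `python diagnose_403.py doc-example-bucket path/to/object 111122223333` with Account B credentials in the environment. A `None` object ACL is treated as an ownership finding on purpose: when the bucket owner cannot even read an object’s ACL, the object was written by another account without bucket-owner-full-control, which is exactly the situation described above.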
Conclusion
In short, we saw how our Support Techs resolve cross-account Amazon S3 bucket 403 errors.