Fix 403 Access Denied errors – Amazon S3

If Amazon S3 returns 403 Access Denied errors when you try to access objects, work through the troubleshooting steps below to fix them.

GetObject / HeadObject requests:

If you get Access Denied on an object request, first check the object's ownership, then verify that the bucket owner has full-control access control list (ACL) permissions on it.
By default, an S3 object is owned by the AWS account that uploaded it, and this stays true even when the bucket is owned by another account. If other accounts can upload objects to your bucket, check which account owns the objects that your users can't access.

To get the Amazon S3 canonical ID for your account, run the list-buckets AWS Command Line Interface (AWS CLI) command:

aws s3api list-buckets --query Owner.ID

Note: This command may fail if you aren't using the most recent version of the AWS CLI.

Then run the list-objects command to get the canonical ID of the account that owns the object:

aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix exampleprefix

If the canonical IDs don't match, you don't own the object. The object owner must then run the put-object-acl command to grant you full control of the object:

aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key exampleobject.jpg --acl bucket-owner-full-control

When the object owner changes the object's ACL to bucket-owner-full-control, the bucket owner can access the object, but this alone does not change the object's owner. To change the object owner to the bucket's account, run the cp command from the bucket's account to copy the object over itself.

To make sure that new objects uploaded to your bucket from another account end up owned by the bucket owner, do one of the following:

  • Set a bucket policy that requires objects to be uploaded with the bucket-owner-full-control ACL.
  • Enable S3 Object Ownership and set it to bucket owner in the AWS Management Console. The object owner is then updated automatically whenever an object is uploaded with the bucket-owner-full-control ACL.
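As an added example (not code from the original article or from AWS), the following Python script automates the ownership comparison described above: it parses constructed list-objects output, groups the objects whose owner canonical ID differs from the bucket owner's ID, and builds the per-object put-object-acl and copy-over-itself commands. The canonical IDs and keys are constructed samples, and the --metadata-directive REPLACE flag on the self-copy is an assumption, not something the page states.

```python
import json

# Constructed sample data (not real account IDs) in the shape returned by
# `aws s3api list-buckets --query Owner.ID` and `aws s3api list-objects`.
BUCKET_OWNER_ID = "a" * 64
PARTNER_ID = "b" * 64
LIST_OBJECTS_OUTPUT = json.dumps({"Contents": [
    {"Key": "exampleprefix/exampleobject.jpg",
     "Owner": {"ID": BUCKET_OWNER_ID, "DisplayName": "bucket-owner"}},
    {"Key": "exampleprefix/upload-1.csv",
     "Owner": {"ID": PARTNER_ID, "DisplayName": "partner-account"}},
    {"Key": "exampleprefix/upload-2.csv",
     "Owner": {"ID": PARTNER_ID, "DisplayName": "partner-account"}},
]})

def foreign_objects(list_objects_json, bucket_owner_id):
    """Map each non-bucket-owner canonical ID to the keys it owns.

    Objects whose Owner.ID differs from the bucket owner's canonical ID are the
    ones that principals in the bucket owner's account can be denied access to."""
    by_owner = {}
    for obj in json.loads(list_objects_json).get("Contents", []):
        owner = obj.get("Owner", {}).get("ID")
        if owner and owner != bucket_owner_id:
            by_owner.setdefault(owner, []).append(obj["Key"])
    return by_owner

def remediation_commands(bucket, foreign):
    """Build the two-step fix from the article for every foreign object: the object
    owner grants bucket-owner-full-control, then the bucket owner copies the object
    over itself to take ownership. A same-location copy has to change something, so
    the self-copy uses --metadata-directive REPLACE (assumption, not from the page)."""
    cmds = []
    for keys in foreign.values():
        for key in keys:
            cmds.append(f"aws s3api put-object-acl --bucket {bucket} --key {key} "
                        f"--acl bucket-owner-full-control")
            cmds.append(f"aws s3 cp s3://{bucket}/{key} s3://{bucket}/{key} "
                        f"--metadata-directive REPLACE")
    return cmds

if __name__ == "__main__":
    foreign = foreign_objects(LIST_OBJECTS_OUTPUT, BUCKET_OWNER_ID)
    for owner, keys in foreign.items():
        print(f"owner {owner[:8]}... holds {len(keys)} object(s) the bucket owner may be denied")
    print("\n".join(remediation_commands("DOC-EXAMPLE-BUCKET", foreign)))
```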

IAM permissions boundaries

Before trying to access the bucket, examine the IAM permissions boundaries on the IAM identities. Make sure that the permissions boundaries allow access to Amazon S3.

Block Public Access settings – Amazon S3

If you receive Access Denied errors on public read requests that should be allowed, check the Amazon S3 Block Public Access settings for both the account and the bucket. These settings override permissions that would otherwise allow public read access. S3 Block Public Access can be applied to individual buckets or to whole AWS accounts.

Credentials to access Amazon S3

Verify the credentials that your users have configured to access Amazon S3. The AWS SDKs and the AWS CLI must be set up to use the credentials of an IAM user or role that has access to your bucket.
To check the credentials configured for the AWS CLI, use the configure command:

aws configure list

If users access your bucket from an Amazon Elastic Compute Cloud (Amazon EC2) instance, make sure the instance is configured with the appropriate IAM role. Connect to the instance, then run the get-caller-identity command:

aws sts get-caller-identity

Temporary credentials security

Users can also get Access Denied errors because of the temporary security credentials issued by AWS Security Token Service (AWS STS). When creating temporary security credentials with the AssumeRole API call or the assume-role command, an administrator can optionally pass session-specific policies. The session's permissions are then the intersection of the session policies and the identity-based policies of the IAM entity (user or role) that created the session.

To determine which session policies are linked to the Access Denied errors from Amazon S3, look for AssumeRole events in the AWS CloudTrail event log. Find the AssumeRole events that fall in the same timeframe as the rejected Amazon S3 requests, then check the requestParameters field of those CloudTrail records for any policy or policyArns parameters. Confirm that the referenced policy or policy ARN grants the required Amazon S3 permissions.

For example, the following CloudTrail log snippet shows that the temporary credentials have an inline session policy that grants s3:GetObject permissions on DOC-EXAMPLE-BUCKET:

"requestParameters": {
    "roleArn": "arn:aws:iam::123412341234:role/S3AdminAccess",
    "roleSessionName": "s3rolesession",
    "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:GetObject\"\n      ],\n      \"Resource\": [\n        \"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*\"\n      ]\n    }\n  ]\n}\n"
}

Amazon VPC – Endpoint policy

If users access your bucket from an EC2 instance routed through a VPC endpoint, verify the VPC endpoint policy and check that it grants the required permissions on your S3 buckets and objects. For example, the following VPC endpoint policy restricts access to DOC-EXAMPLE-BUCKET; users who send requests through this VPC endpoint can't access any other bucket:

{
    "Id": "Policy1234567890123",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1234567890123",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Principal": "*"
        }
    ]
}

Access point policy – Amazon S3

If you use an Amazon S3 access point to manage access to your bucket, the permissions granted in the access point policy are only effective if the underlying bucket policy also grants the same access.

Items with or without a special character

Check whether the requested object actually exists in the bucket. Note that retrieving an object whose key contains a special character (such as a space) needs extra care; otherwise the request doesn't locate the object and Amazon S3 treats it as non-existent. If you don't also have s3:ListBucket permissions, Amazon S3 returns Access Denied instead of 404 Not Found. To find out whether an object exists in the bucket, use the AWS CLI head-object command:

aws s3api head-object --bucket DOC-EXAMPLE-BUCKET --key exampleobject.jpg

  • If the object exists in the bucket, the Access Denied error isn't masking a 404 Not Found error. Check the other configuration requirements to resolve the Access Denied problem.
  • If the object isn't in the bucket, the Access Denied error is really a 404 Not Found error. Resolve the issue with the missing object.

AWS KMS encryption

A few points on AWS KMS encryption:

  • If an IAM user can't access an object to which they otherwise have full access, check whether the object is encrypted with SSE-KMS. You can view the object's properties, including its server-side encryption settings, in the Amazon S3 console.
  • If the object is SSE-KMS encrypted, make sure the KMS key policy grants the IAM user the minimum key-usage permissions they need. For example, if the IAM user only downloads an S3 object encrypted with the key, the user needs kms:Decrypt permissions.
  • If the IAM identity and the key are in the same account, use the key policy to grant kms:Decrypt permissions. The key policy and the IAM policy must both refer to the same IAM identity.
  • If the IAM user belongs to a different account than the AWS KMS key, the permissions must also be granted in the IAM policy. For example, to download SSE-KMS encrypted objects, kms:Decrypt permissions must be granted in both the key policy and the IAM policy.

If you enable Requester Pays on your bucket, users from other accounts must include the request-payer parameter in their requests; otherwise they receive an Access Denied error. The correct parameter for accessing a cross-account bucket with Requester Pays is:

aws s3 cp exampleobject.jpg s3://DOC-EXAMPLE-BUCKET/exampleobject.jpg --request-payer requester

If you use AWS Organizations, make sure the service control policies (SCPs) allow access to Amazon S3. SCPs define the maximum permissions for the affected accounts. For example, the following SCP denies all access to Amazon S3 and results in an Access Denied error:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}
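As an added example (not code from the original article or from AWS), the following Python script applies one simplified policy-evaluation routine to the three policies discussed on this page: it extracts the inline session policy from constructed CloudTrail AssumeRole records (the check described under "Temporary credentials security" above), then evaluates that policy, the VPC endpoint policy, and the SCP for a given action and resource. The evaluation logic is an assumption that covers only Allow/Deny with wildcards and ignores Condition, NotAction and NotResource; the records and policies are constructed samples modelled on the page's snippets.

```python
import json
from fnmatch import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    # Simplified IAM logic: explicit Deny wins, a matching Allow grants, else implicit deny.
    # Actions compare case-insensitively; '*' and '?' wildcards work in Action and Resource.
    # Assumption: no Condition, NotAction or NotResource elements (none appear on this page).
    verdict = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

def session_policies(records):
    # Inline session policies of AssumeRole events; CloudTrail stores "policy" as an
    # escaped JSON string inside requestParameters, so it needs a second json.loads.
    found = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") == "AssumeRole" and "policy" in params:
            found.append((params.get("roleSessionName"), json.loads(params["policy"])))
    return found

# Constructed records and policies modelled on this article's snippets (not real log data).
CLOUDTRAIL_RECORDS = [
    {"eventName": "AssumeRole", "requestParameters": {
        "roleArn": "arn:aws:iam::123412341234:role/S3AdminAccess",
        "roleSessionName": "s3rolesession",
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]})}},
    {"eventName": "GetObject", "requestParameters": {"bucketName": "DOC-EXAMPLE-BUCKET"}},
]
VPC_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}
SCP_DENY_S3 = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/exampleobject.jpg"
    for name, pol in session_policies(CLOUDTRAIL_RECORDS):
        print(name, "GetObject:", evaluate(pol, "s3:GetObject", obj), "PutObject:", evaluate(pol, "s3:PutObject", obj))
    print("VPC other bucket:", evaluate(VPC_ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"), "SCP:", evaluate(SCP_DENY_S3, "s3:GetObject", obj))
```

A session policy that returns ImplicitDeny for the failing action, or an SCP that returns Deny, is the policy to fix.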

If you're still experiencing the same error, we can provide assistance to fix 403 Access Denied errors.
