How to troubleshoot an issue where a user with permission to put object or upload receives Access Denied errors from Amazon Simple Storage Service.
Image credit: Jovan S Hernandez - Medium

How to troubleshoot an issue where a user with permission to put object or upload receives Access Denied errors from Amazon Simple Storage Service.

How to troubleshoot an issue where a user with permission to put object or upload receives Access Denied errors from Amazon Simple Storage Service. 

Let's get started. 

There are multiple reasons why an AWS Identity and Access Management identity or IAM Identity that has s3:PutObject permission in the IAM policy runs into errors when trying to upload a file. 

Let's look at some of the common reasons for the access denied error message when uploading an object using the AWS Command Line Interface: 

Does the IAM policy include the s3:PutObjectAcl permission? 

Does the bucket policy include any conditional statements? 

Does the Amazon Virtual Private Cloud Endpoint policy allow access to the s3 bucket? 

Does the bucket have AWS kms encryption?

The first step is to check whether the access control lists are being passed with the upload request. If that's the case, then additional permissions such as s3:PutObjectAcl might be required. 

In a cross account scenario, the IAM policy of the uploading identity must have that action listed against the respective s3 bucket. 

Note that the bucket policy must also allow the user to perform this action. After the permission is added, you can upload successfully. 

Next, check whether the bucket policy has any conditions that restrict access to the bucket. There might be a policy for example, that denies the upload action unless certain criteria are met. 

Let's look at examples of policies that have conditional deny statements. Based on specifications such as source IP storage class, ACL passed, and encryption key or encryption type passed with the request. 

In the AWS Management Console, when an IP address condition is used in the policy, the requesting identity must make a request from the listed IP address. For example, if I'm making a request from an Amazon Elastic Compute Cloud instance or a NAT gateway, I can check the public IP of the instance from the EC2 console to confirm that it is also listed in the bucket policy. If the bucket policy uses a storage class condition, then the upload request must include the storage class specified in the condition for the request to be successful. 

If you are making a request using the AWS CLI, then you can tweak the put object command to include the --storage-class parameter, and then specify the appropriate storage class based on the condition in the bucket policy. When using ACLs, such as public read that grant public access to the objects, verify that the block public access settings are disabled on the account and on the specific bucket before you upload an object. 

Note: It's not a best practice to grant public access to your bucket unless you have a specific use case for it. 

Let's take a look at a bucket policy that allows upload requests only when full control on the objects is granted to the bucket owner. Assuming a scenario that uses the canonical ID of the bucket owner as the value to upload an object. The user must pass an ACL with a bucket owner full control as the value.

In the next scenario, I want the objects in the bucket to be encrypted with AWS Key Management Service keys. The bucket policy enforces this by allowing users to upload only when the KMS key ID is passed along with the request. To satisfy the condition, the command must include the --ssekms-key-id parameter along with the KMS key as the value. You might have a situation where the bucket policy allows uploads only if objects are encrypted with a certain type of encryption. 

In this example, objects are allowed to be uploaded only when the encryption type is aes 256. 

No alt text provided for this image

To fulfill this requirement, the uploading identity must pass the --server-side-encryption parameter with "AES256" as the value after you verify that the bucket policy conditions are met, or that the bucket policy is not restricting the upload action, then if the request is going through an Amazon VPC endpoint, verifying that the Amazon VPC endpoint policy allows the put object action to the relevant s3 resources. By default, the VPC endpoint policy allows all actions to all services. If a custom policy is put in place, then there must be an explicit allow to perform the put object action to the s3 bucket. 

Finally, there might be a situation where none of these scenarios are causing the issue because the access denied error is the result of insufficient AWS kms permissions. If this is true, then modify the IAM policy to include AWS kms actions and in a cross account scenario, then you must also modify the KMS key policy to grant access to the user. 

Komolafe Temitope

Enterprise Multi-Cloud Infrastructure Engineer || Docker || Ansible || Linux || MySQL || System administration || Python || Github || Zendesk ||Computer networking

2y

Very helpful :)

To view or add a comment, sign in

More articles by Taiwo Amao

Insights from the community

Others also viewed

Explore topics