Why am I getting the "S3 error: Access Denied" error message in CloudFormation?

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Troubleshoot the IAM role or user policy

Review the AWS Identity and Access management (IAM) identity that you used with CreateChangeSet or CreateStack. Make sure that the IAM user or role has the necessary permissions. If required, attach a policy that provides the GetObject permission to the IAM identity. The following example policy includes the GetObject permission:

{  
   "Version":"2012-10-17",  
   "Statement":[  
      {  
         "Principal":{  
            "AWS":"arn:aws:iam::111122223333:role/IDENTITY"  
         },  
         "Effect":"Allow",  
         "Action":[  
            "s3:GetObject",  
            "s3:GetObjectVersion"  
         ],  
         "Resource":"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"  
      }  
   ]  
}

Verify that the template file exists and doesn't contain typos

To check whether the template file exists and doesn't contain typos, complete the following steps:

1. Verify that the template URL that's specified for the nested stack is valid. Run the list-objects AWS CLI command to list the object:

   aws s3 list-objects --bucket DOC-EXAMPLE-BUCKET --prefix file-path/template-file.json

2. Make sure that the template URL doesn't contain any additional spaces. Typos can cause the S3 Access Denied error.

Check the S3 bucket policy for explicit Deny statements

To check whether the S3 bucket has an explicit Deny statement for the IAM role, complete the following steps:

1. Open the Amazon S3 console.
2. From the list of buckets, open the bucket that contains the template file.
3. Choose the Permissions tab.
4. Navigate to the bucket policy segment.
5. Search for statements with "Effect": "Deny".
6. Edit the bucket policy to update any "Effect": "Deny" statements that deny the IAM role access to s3:GetObject or s3:GetObjectVersion. 
7. Remove the IAM role that you're using with CloudFormation.
8. Choose Save.
9. Create or update the stack again.

For more information on S3 bucket policies, see Bucket policy examples.

Validate encryption settings on the S3 bucket and activate KMS access for the IAM role

You might see the S3 Access Denied error when the bucket uses a customer managed AWS Key Management Service (KMS) key to activate encryption. If the bucket is encrypted, then update the key policy to allow the IAM identity to access the KMS key.

Complete the following steps:

1. Open the AWS KMS console.

2. Find the key that's used to encrypt the objects in the S3 bucket, and then choose the Key Policy tab.

3. Use the following statement to update the policy:

   {  
     "Action": [  
       "kms:Decrypt",  
       "kms:GenerateDataKey"  
     ],  
     "Effect": "Allow",  
     "Principal": {  
       "AWS": "arn:aws:iam::111122223333:user/IDENTITY"  
     },  
     "Resource": "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"  
   }

   Note: If the IAM identity is in another AWS account, then see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?

Check the object ACL permissions for the template file

Sometimes, a template file might be uploaded from a different account, but the source account owns the file. This action denies the user in the target account access to the template in the source account. To resolve this issue, copy the template file to the S3 bucket to give the bucket owner full access to the template.

Run the following put-object AWS CLI command to give access to the bucket:

aws s3api put-object --bucket DOC-EXAMPLE-BUCKET --key key-name --body path-to-file --acl bucket-owner-full-control

For more information on access control lists (ACLs), see Controlling ownership of objects and disabling ACLs for your bucket.