I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket through the Amazon S3 console. However, I'm getting a "403 Forbidden" error.
Short description
The "403 Forbidden" error can occur because of the following reasons:
- Permissions are missing for s3:PutObject to add an object or s3:PutObjectAcl to modify the object's Access Control List (ACL).
- You don't have permission to use an AWS Key Management Service (AWS KMS) key.
- There's an explicit deny statement in the bucket policy.
- Amazon S3 Block Public Access is turned on.
- An AWS Organizations service control policy doesn't allow access to Amazon S3.
Resolution
Check your permissions for s3:PutObject or s3:PutObjectAcl
Follow these steps:
- Open the AWS Identity and Access Management (IAM) console.
- Navigate to the identity that's used to access the bucket, such as User or Role. Choose the name of the identity.
- Choose the Permissions tab, and then expand each policy to view its JSON policy document.
- In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:PutObject or s3:PutObjectAcl actions on the bucket.
Ask for permission to use an AWS KMS key
To upload objects that are encrypted with AWS KMS, you must have permissions to perform AWS KMS actions. You must be able to perform kms:Decrypt and kms:GenerateDataKey actions at a minimum.
Important: If you upload an object to a bucket in a different AWS account, then you can't use the AWS managed key aws/s3 as the default encryption key. This is because you can't modify the AWS managed key policy.
Check the bucket policy for explicit deny statements
Follow these steps:
- Open the Amazon S3 console.
- From the list of buckets, open the bucket that you want to upload files to.
- Choose the Permissions tab.
- Choose Bucket policy.
- Search for statements with "Effect": "Deny".
- Review these statements and make sure that they don't prevent uploads to the bucket.
Important: Before you save a bucket policy with "Effect": "Deny", make sure to check for any statements that deny access to the S3 bucket. If you get locked out, then see How do I regain access to my Amazon S3 after I accidentally denied everyone access?
The following example statement explicitly denies access to s3:PutObject on example-bucket unless the upload request encrypts the object with an AWS KMS key whose ARN matches the pattern arn:aws:kms:us-east-1:111122223333:key/*:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}
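The following Python is an added example, not part of the original article and not AWS code: it reports which Deny statements in the example policy above match a given upload request. It assumes the statement applies to the caller (Principal is not evaluated) and handles only Action, Resource, and the StringNotLike and StringNotLikeIfExists operators; the function names are hypothetical.

```python
import json
import re

# The example bucket policy from this article, embedded so the check runs offline.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "ExampleStmt",
   "Action": ["s3:PutObject"],
   "Effect": "Deny",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringNotLikeIfExists": {
     "s3:x-amz-server-side-encryption-aws-kms-key-id":
       "arn:aws:kms:us-east-1:111122223333:key/*"}},
   "Principal": "*"}]}
""")
KMS_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _like(pattern, value):
    # IAM wildcards: * matches any run of characters, ? matches one character.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, context):
    for operator, keys in condition.items():
        if operator not in ("StringNotLike", "StringNotLikeIfExists"):
            raise ValueError(f"operator not handled by this example: {operator}")
        for key, patterns in keys.items():
            value = context.get(key)
            # A missing key makes a negated operator true, so the Deny still applies.
            if value is not None and any(_like(p, value) for p in _as_list(patterns)):
                return False
    return True

def denying_statements(policy, action, resource, context):
    """Return the Sid of every Deny statement that matches the request."""
    hits = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if (any(_like(a.lower(), action.lower()) for a in actions)
                and any(_like(r, resource) for r in resources)
                and _condition_holds(stmt.get("Condition", {}), context)):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits
```

Calling denying_statements(POLICY, "s3:PutObject", "arn:aws:s3:::example-bucket/report.csv", {}) (a constructed object key) returns ["ExampleStmt"]: a request that carries no KMS key header is denied too, because a missing key makes the negated condition true.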
Remove the public ACL from your request or turn off S3 Block Public Access
If you're passing a public ACL, such as public-read or authenticated-read in your PUT request, then the public ACL makes the S3 object public. If the S3 Block Public Access feature is turned on for this account or bucket, then your upload request is denied.
Note: It's a best practice to only make an object public if your use case requires it.
To successfully upload the object as a publicly available object, modify the S3 Block Public Access feature as required. If your use case doesn't require making the object publicly available, then remove the mentioned public ACL from the PUT request.
To configure the S3 Block Public Access settings at the account level, see Configuring block public access settings for your account. To configure settings at the bucket level, see Configuring block public access settings for your S3 buckets. Also, for more information about public access settings, see The meaning of "public".
Review service control policies for AWS Organizations
If you use AWS Organizations, then check if the service control policies explicitly deny Amazon S3 actions. If so, then modify the policy as desired.
Related information
How do I troubleshoot 403 Access Denied errors from Amazon S3?
How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?
Troubleshoot access denied (403 Forbidden) errors in Amazon S3