Why can't I access a specific folder or file in my Amazon S3 bucket?

5 minute read
0

I can't access a certain prefix or object that's in my Amazon Simple Storage Service (Amazon S3) bucket. I can access the rest of the data in the bucket.

Short description

Check the following permissions for any settings that are denying your access to the prefix or object:

  • Ownership of the prefix or object
  • Restrictions in the bucket policy
  • Restrictions in your AWS Identity and Access Management (IAM) user policy
  • Permissions to objects that are encrypted by AWS Key Management Service (AWS KMS)

Also, note the following conditions for access:

  • If you encrypted the object with an AWS KMS key, then only the AWS account that encrypted the object can read it.
  • If you defined permissions boundaries and sessions policies, then the maximum permissions of the requester might be affected. The object access might also be affected.
  • Other policies, such as VPC endpoint policies and service control policies (SCPs), might specify restrictions. Therefore, check these policies and update them accordingly.
  • You can also control ownership of uploaded objects using Amazon S3 Object Ownership. If you set Object Ownership to BucketOwnerPreferred, then accounts with the bucket-owner-full-control canned ACL can write objects that transition to the bucket owner.

Resolution

Ownership of the prefix or object

By default, when an AWS account uploads an S3 object, the account owns that object. This is true even when another account owns the bucket. If other accounts can upload to your bucket, then follow these steps to get permissions to the object or prefix that you can't access:

  1. To get the Amazon S3 canonical ID for your account, run this AWS Command Line Interface (AWS CLI) command:

    aws s3api list-buckets --query Owner.ID
  2. Get the Amazon S3 canonical ID of the account that owns the object that you can't access:

    aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix index.html
  3. If the canonical IDs don't match, then you (the bucket owner) don't own the object. For an individual object, the object owner can grant you full control with this put-object-acl command:

    aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name --acl bucket-owner-full-control

    For objects within a prefix, the object owner must re-copy the prefix and grant you full control of the objects as part of the operation. For example, the object owner can run this cp command with the --acl bucket-owner-full-control parameter:

    aws s3 cp s3://DOC-EXAMPLE-BUCKET/abc/ s3://DOC-EXAMPLE-BUCKET/abc/ --acl bucket-owner-full-control --recursive --storage-class STANDARD

    Tip: You can use a bucket policy to require that other accounts grant you ownership of objects they upload to your bucket.

Restrictions in the bucket policy

  1. Open the Amazon S3 console.

  2. From the list of buckets, open the bucket with the policy that you want to review.

  3. Choose the Permissions tab.

  4. Choose Bucket policy.

  5. Search for statements with "Effect": "Deny". Then, review those statements for references to the prefix or object that you can't access. For example, this bucket policy denies everyone access to the abc/* prefix in DOC-EXAMPLE-BUCKET:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "StatementPrefixDeny",
          "Effect": "Deny",
          "Principal": {
            "AWS": "*"
          },
          "Action": "s3:*",
          "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/abc/*"
        }
      ]
    }
  6. Modify the bucket policy to edit or remove any "Effect": "Deny" statements that incorrectly deny you access to the prefix or object.

Restrictions in your IAM user policy

  1. Open the IAM console.

  2. From the console, open the IAM user or role that you use to access the prefix or object.

  3. In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

  4. In the JSON policy documents, search for policies that relate to Amazon S3 access. Then, search those policies for any "Effect": "Deny" statements that block your access to the prefix or object.

    For example, the following IAM policy has an "Effect": "Deny" statement that blocks the IAM identity's access to the prefix abc/* within DOC-EXAMPLE-BUCKET. The policy also has an "Effect": "Allow" statement that grants access to DOC-EXAMPLE-BUCKET. Despite the allow statement for the entire bucket, the explicit deny statement prevents the IAM identity from accessing the prefix abc/*:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "StatementPrefixDeny",
          "Effect": "Deny",
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET/abc/*"
          ]
        },
        {
          "Sid": "StatementFullPermissionS3",
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": [
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
            "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
          ]
        }
      ]
    }
  5. Modify the policy to edit or remove any "Effect": "Deny" statements that incorrectly deny you access to the prefix or object.

Permissions to object encrypted by AWS KMS

If an object is encrypted with an AWS KMS key, then you need permissions to both the object and the key. Check if you can't access the object because you need permissions to an AWS KMS key:

  1. Use the Amazon S3 console to view the properties of one of the objects that you can't access. Review the object's Encryption properties.

  2. If the object is encrypted with a custom AWS KMS key, then review the key policy. Confirm that the policy allows your IAM identity to perform the following actions:

    "Action": ["kms:Decrypt"]
  3. If your IAM identity is missing permissions to any of these actions, then modify the key policy to grant the missing permissions.

Important: If your IAM identity and AWS KMS key belong to different accounts, then verify that you have proper permissions. Both your IAM and key policies must grant you permissions to the required AWS KMS actions.

Related information

Why can't I access an object that was uploaded to my Amazon S3 bucket by another AWS account?

How can I grant a user access to a specific folder in my Amazon S3 bucket?

Do I need to specify the AWS KMS key when I download a KMS-encrypted object from Amazon S3?

AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago