My bucket policy grants full access to another AWS account. Why are IAM users from that account still getting Access Denied errors?
The policy of my Amazon Simple Storage Service (Amazon S3) bucket grants full access to another AWS account. But when AWS Identity and Access Management (IAM) users from that account try to access my bucket, they get an Access Denied error. How can I fix this?
Short description
If your bucket policy already grants access to the other account, then cross-account users can get Access Denied errors for these reasons:
- The user's IAM policy doesn't grant access to the bucket.
- The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the KMS key.
- A deny statement in the bucket policy or IAM policy is blocking the user's access.
- The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
- The AWS Organizations service control policy is blocking access to the bucket.
- The object doesn't belong to the AWS account that owns the bucket.
- Requester Pays is enabled on the bucket.
Resolution
The user's IAM policy doesn't grant access to the bucket
For cross-account access, the user must be granted bucket access in both the IAM policy in Account A and the bucket policy in Account B.
Follow these steps to check the user's IAM policy in Account A:
1. Open the IAM console.
2. From the console, open the IAM user or role that should have access to the bucket.
3. In the Permissions tab of the IAM user or role, expand each policy to view its JSON policy document.
4. In the JSON policy documents, look for policies with the bucket's name. Then, confirm that those policies allow the correct S3 actions on the bucket.
5. If the IAM user or role doesn't grant access to the bucket, then add a policy that grants the correct permissions. For example, the following IAM policy grants a user access to download objects (s3:GetObject) from DOC-EXAMPLE-BUCKET:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
The object is encrypted by AWS KMS, and the user doesn't have access to the KMS key
If both the IAM policy (Account A) and the bucket policy (Account B) grant cross-account access, then check the bucket for default encryption with AWS KMS. Or, check the object's properties for AWS KMS encryption. If an object is encrypted by an AWS KMS key, then the user also needs permissions to use the key.
To grant an IAM user the permissions to download and upload to a bucket while using a KMS key for encryption, follow these steps:
1. Edit the KMS key policy to add a statement similar to the following:
Note: Enter the IAM user's Amazon Resource Name (ARN) as the Principal.
{
  "Sid": "ExampleStmt",
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/Jane"
  },
  "Resource": "*"
}
2. If the KMS key belongs to the same account as the IAM user, then the key policy does not need to be updated. If the KMS key belongs to a different account than the IAM user, then you must also update the IAM user's permissions. Add an IAM policy statement similar to the following:
Note: Enter the KMS key's ARN as the Resource.
{
  "Sid": "KMSAccess",
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}
A deny statement in the bucket policy or IAM policy is blocking the user's access
Check both the bucket policy and the user's IAM policies for any statements that explicitly deny the user's access to the bucket.
Follow these steps to check the bucket policy:
1. Open the Amazon S3 console.
2. From the list of buckets, open the bucket with the bucket policy that you want to check.
3. Choose the Permissions tab.
4. Choose Bucket policy.
5. Look for statements with "Effect": "Deny".
6. Modify the bucket policy to edit or remove any "Effect": "Deny" statements that are denying the user's access to the bucket.
Follow these steps to check the user's IAM policies:
1. Open the IAM console.
2. From the console, open the IAM user or role that can't access the bucket.
3. In the Permissions tab of the IAM user or role, expand each policy to view the JSON policy documents.
4. In the JSON policy documents, look for policies related to the S3 bucket with statements that contain "Effect": "Deny".
5. Modify the user's IAM permissions policies to edit or remove any "Effect": "Deny" statements that are incorrectly denying the user's access to the bucket.
The VPC endpoint policy is blocking access to the bucket
If users access the bucket with an Amazon Elastic Compute Cloud (Amazon EC2) instance routed through a VPC endpoint, then check the VPC endpoint policy. Confirm that the VPC endpoint policy includes the correct permissions to access the S3 bucket.
For example, the following VPC endpoint policy allows access to DOC-EXAMPLE-BUCKET:
{
  "Id": "Policy1234567890123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Principal": "*"
    }
  ]
}
Warning: The element "Principal": "*" grants everyone using the VPC endpoint access to the bucket. Make sure to restrict the scope of the Principal value as appropriate for your use case.
The AWS Organizations service control policy is blocking access to the bucket
If the user's account has AWS Organizations enabled, then check the service control policies to be sure that access to Amazon S3 is allowed. For example, the following policy explicitly denies access to Amazon S3 and results in an Access Denied error.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
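The layering rules from the sections above (an Allow is needed in both the Account A IAM policy and the Account B bucket policy, a VPC endpoint policy or service control policy that is present must also allow the request, and an explicit Deny in any of them wins) as an added Python example. This is not AWS code or any AWS tool's evaluator; it ignores Principal and Condition elements and assumes each document has already been scoped to the requesting user, and the sample policy documents are constructed to mirror the article's examples.

```python
"""Simplified evaluator for cross-account S3 access (added example, not AWS code).
Assumptions: Principal and Condition are ignored, and every policy document
passed in already applies to the requesting IAM user."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement's Action and Resource cover the request."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(action, resource, policies):
    """policies maps a layer name ('iam', 'bucket', optionally 'vpce', 'scp')
    to a policy document. Returns (allowed, reason)."""
    # Rule 1: an explicit Deny in any layer wins over every Allow.
    for layer, doc in policies.items():
        for st in doc.get("Statement", []):
            if st.get("Effect") == "Deny" and _matches(st, action, resource):
                return False, f"explicit deny in {layer} policy ({st.get('Sid', 'no Sid')})"
    # Rule 2: cross-account access needs an Allow in the IAM policy (Account A)
    # AND in the bucket policy (Account B); a VPC endpoint policy or SCP that is
    # present must allow the request as well.
    required = ["iam", "bucket"] + [l for l in ("vpce", "scp") if l in policies]
    for layer in required:
        statements = policies.get(layer, {}).get("Statement", [])
        if not any(st.get("Effect") == "Allow" and _matches(st, action, resource)
                   for st in statements):
            return False, f"no allow in {layer} policy"
    return True, "allowed"


# Constructed sample documents mirroring the article's examples.
IAM_POLICY = {"Statement": [{"Sid": "ExampleStmt", "Effect": "Allow",
              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"}]}
BUCKET_POLICY = {"Statement": [{"Sid": "CrossAccount", "Effect": "Allow", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]}]}
SCP_DENY_S3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
OBJ = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/report.csv"

if __name__ == "__main__":
    print(evaluate("s3:GetObject", OBJ, {"iam": IAM_POLICY, "bucket": BUCKET_POLICY}))
    print(evaluate("s3:PutObject", OBJ, {"iam": IAM_POLICY, "bucket": BUCKET_POLICY}))
    print(evaluate("s3:GetObject", OBJ, {"iam": IAM_POLICY, "bucket": BUCKET_POLICY, "scp": SCP_DENY_S3}))
```

Each call returns the first failing layer, which is the place to start reading policies when troubleshooting a real Access Denied.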
For more information on the features of AWS Organizations, see Enabling all features in your organization.
The object doesn't belong to the AWS account that owns the bucket
By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. The bucket's permissions don't automatically apply to an object when the object is owned by a different account. This can happen with service logs that are sent to a bucket in another account. Examples of service logs include AWS CloudTrail logs or Amazon Virtual Private Cloud (Amazon VPC) flow logs.
To resolve Access Denied errors from object ownership:
1. The object owner must explicitly grant the bucket owner full control of the object.
2. Apply the ownership change using the cp command. The bucket owner must copy the object over itself, like this:
aws s3 cp s3://DOC-EXAMPLE-BUCKET/awsexampleobject s3://DOC-EXAMPLE-BUCKET/awsexampleobject --metadata-directive REPLACE
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version.
After the bucket owner copies the object over itself, the object belongs to the bucket owner's account.
Requester Pays is enabled on the bucket
If your bucket has Requester Pays enabled, then users from other accounts must specify the request-payer parameter when sending requests to your bucket. Otherwise, those users get an Access Denied error.
For GET, HEAD, or POST requests, the user must include the x-amz-request-payer parameter in the header. For REST requests, the user must include the x-amz-request-payer parameter in the request.
For AWS CLI commands, the user must include the --request-payer parameter, similar to the following:
aws s3 cp exampleobject.jpg s3://DOC-EXAMPLE-BUCKET/exampleobject.jpg --request-payer requester
Related information
How do I troubleshoot 403 Access Denied errors from Amazon S3?