Why can't I generate an Amazon S3 Inventory report?

I configured an Amazon Simple Storage Service (Amazon S3) Inventory report, but it didn't get delivered and I received an "Access Denied" error.

Short description

You receive the following error message:

"Access denied Inventory export for 2021-02-19 failed because S3 doesn't have access to the destination bucket or KMS key. Ask the owner of the destination bucket or KMS key to grant the necessary access and then try again."

To generate an Amazon S3 Inventory report and prevent the preceding error message, you must meet the following requirements:

  • Allow the source bucket to upload the Amazon S3 Inventory report to the destination bucket.
  • Keep the destination bucket and the source bucket in the same AWS Region where you set up the Amazon S3 Inventory.
  • Grant Amazon S3 access to the AWS Key Management Service (AWS KMS) key that's used to encrypt the Inventory report file.

Note: It can take up to 48 hours for Amazon S3 to deliver the first Inventory report.

Resolution

Allow the source bucket to upload the Amazon S3 Inventory report to the destination bucket

Confirm that your bucket policy allows the source bucket to upload to the destination bucket.

Example bucket policy that includes the PutObject action:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId",
    "Statement": [
        {
            "Sid": "InventoryAndAnalyticsExamplePolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::destinationbucket/*"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::sourcebucket"
                },
                "StringEquals": {
                    "aws:SourceAccount": "123456789012",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

Make sure that no Deny statement in the destination bucket policy applies to the PutObject request from the s3.amazonaws.com service principal. An explicit Deny always takes precedence over an Allow statement, so a broad Deny blocks delivery even when the preceding Allow statement is present.

The following example bucket policy denies all requests that don't come from a specified IP address range. The delivery request from s3.amazonaws.com doesn't come from that range, so this policy blocks the Inventory report:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::destinationbucket",
                "arn:aws:s3:::destinationbucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.240.143.0/24"
                }
            }
        }
    ]
}

The following is an updated version of the preceding bucket policy. The ArnNotLike condition on aws:SourceArn exempts requests that Amazon S3 makes on behalf of the source bucket from the Deny statement, and a second statement allows the delivery:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::destinationbucket",
                "arn:aws:s3:::destinationbucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.240.143.0/24"
                },
                "ArnNotLike": {
                    "aws:SourceArn": "arn:aws:s3:::sourcebucket"
                }
            },
            "Principal": "*"
        },
        {
            "Sid": "InventoryAndAnalyticsExamplePolicy",
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::destinationbucket/*"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::sourcebucket"
                },
                "StringEquals": {
                    "aws:SourceAccount": "123456789012",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            },
            "Principal": {
                "Service": "s3.amazonaws.com"
            }
        }
    ]
}

Confirm that your destination bucket is in the same Region as the source bucket

Open the Amazon S3 console. Navigate to your bucket list, and check the Regions column to determine whether your destination bucket and source bucket are in the same Region. 

If your source and destination buckets are in different Regions, then create or choose a destination bucket in the same Region as the source bucket, and update the Inventory configuration to use it.

Note: Until you transfer objects, the objects that belong to the bucket remain in the Region where you created the bucket. For more information, see Buckets overview.

Grant access to the AWS KMS key that's used to encrypt the Inventory report file

If the Inventory report file is encrypted with an AWS KMS key (SSE-KMS), then grant Amazon S3 access to that key in the key policy. Without this access, Amazon S3 can't generate the data key that encrypts the report, and the delivery fails with the same "Access Denied" error.

Complete the following steps:

  1. Open the AWS KMS console.
    Note: Use the AWS account that owns the AWS KMS key to sign in.

  2. In the navigation pane, choose Customer managed keys.

  3. Under Customer managed keys, select the AWS KMS key that you use to encrypt the Inventory report file.

  4. Under Key policy, choose Switch to policy view.

  5. Choose Edit.

  6. Under Edit key policy, add the following statement to the existing key policy (replace source-account-id and source-bucket-name with your own values):

    {
        "Sid": "Allow Amazon S3 use of the KMS key",
        "Effect": "Allow",
        "Principal": {
            "Service": "s3.amazonaws.com"
        },
        "Action": [
            "kms:GenerateDataKey"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "source-account-id"
            },
            "ArnLike": {
                "aws:SourceARN": "arn:aws:s3:::source-bucket-name"
            }
        }
    }
  7. Choose Save changes.
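
The following Python script is an added example, not code from this page or from AWS. It is a deliberately simplified IAM evaluator that models only the elements used by the bucket policies in the preceding Resolution section and by the key policy statement above (Service and * principals; StringEquals, ArnLike, IpAddress and their Not* forms) and ignores identity policies, SCPs and ACLs. It replays the delivery request that Amazon S3 makes on behalf of the source bucket against those policies to show why a broad IP-based Deny blocks delivery (a missing aws:SourceIp satisfies NotIpAddress), why the ArnNotLike exemption on aws:SourceArn fixes it, why the service principal must be named under the Service key rather than the AWS key, and how the key policy statement grants kms:GenerateDataKey. The request context values (the sourcebucket name, account 123456789012, the KMS key ARN and the outsider's address 203.0.113.5) are assumptions for the example.

```python
"""Simplified IAM evaluator for the Inventory delivery request (added example,
not AWS code).  Models only the elements used by the policies on this page:
Service / * principals, StringEquals, ArnLike, IpAddress and their Not* forms.
Identity policies, SCPs, ACLs and other condition operators are out of scope."""
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(value, patterns):
    # Actions are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _principal_matches(principal, request):
    if principal == "*":
        return True
    # Only the "Service" key names a service principal.  "AWS": "s3.amazonaws.com"
    # is an (invalid) account/IAM principal and never matches the S3 service.
    return isinstance(principal, dict) and request["service"] in _as_list(principal.get("Service", []))

def _conditions_hold(conditions, context):
    """All operator blocks must hold (AND); the values listed for one key are ORed.
    A context key that is absent fails positive operators but satisfies Not* ones,
    which is why NotIpAddress denies a service call that carries no client IP."""
    for operator, keyvals in conditions.items():
        negated = "Not" in operator            # StringNotEquals, ArnNotLike, NotIpAddress
        for key, values in keyvals.items():
            actual = context.get(key.lower())  # condition keys are case-insensitive
            if actual is None:
                if negated:
                    continue
                return False
            if operator in ("StringEquals", "StringNotEquals"):
                hit = actual in _as_list(values)
            elif operator in ("ArnLike", "ArnNotLike"):
                hit = _glob(actual, values)
            elif operator in ("IpAddress", "NotIpAddress"):
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                          for cidr in _as_list(values))
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if hit == negated:
                return False
    return True

def _applies(stmt, request):
    return (_glob(request["action"], stmt["Action"])
            and _glob(request["resource"], stmt["Resource"])
            and _principal_matches(stmt["Principal"], request)
            and _conditions_hold(stmt.get("Condition", {}), request["context"]))

def evaluate(policy, request):
    """Resource-policy outcome: an explicit Deny beats any Allow; no match is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, request)}
    return "ExplicitDeny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

# Constructed request contexts (account, bucket and key names are assumed).
# No aws:SourceIp is set: the delivery is a service-to-service call, not a client request.
INVENTORY_PUT = {"service": "s3.amazonaws.com", "action": "s3:PutObject",
                 "resource": "arn:aws:s3:::destinationbucket/inventory/2021-02-19/manifest.json",
                 "context": {"aws:sourcearn": "arn:aws:s3:::sourcebucket",
                             "aws:sourceaccount": "123456789012",
                             "s3:x-amz-acl": "bucket-owner-full-control"}}
KMS_DATAKEY = dict(INVENTORY_PUT, action="kms:GenerateDataKey",
                   resource="arn:aws:kms:us-east-1:123456789012:key/example-key-id")
OUTSIDE_USER = {"service": None, "action": "s3:GetObject",
                "resource": "arn:aws:s3:::destinationbucket/report.csv",
                "context": {"aws:sourceip": "203.0.113.5"}}

# The statements from this page, as Python dicts.
INVENTORY_ALLOW = {"Sid": "InventoryAndAnalyticsExamplePolicy", "Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"}, "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::destinationbucket/*",
                   "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:s3:::sourcebucket"},
                                 "StringEquals": {"aws:SourceAccount": "123456789012",
                                                  "s3:x-amz-acl": "bucket-owner-full-control"}}}
IP_DENY = {"Sid": "IPAllow", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
           "Resource": ["arn:aws:s3:::destinationbucket", "arn:aws:s3:::destinationbucket/*"],
           "Condition": {"NotIpAddress": {"aws:SourceIp": "54.240.143.0/24"}}}
IP_DENY_FIXED = {**IP_DENY, "Condition": {**IP_DENY["Condition"],
                 "ArnNotLike": {"aws:SourceArn": "arn:aws:s3:::sourcebucket"}}}
WRONG_PRINCIPAL = {**INVENTORY_ALLOW, "Principal": {"AWS": "s3.amazonaws.com"}}
KMS_ALLOW = {"Sid": "Allow Amazon S3 use of the KMS key", "Effect": "Allow",
             "Principal": {"Service": "s3.amazonaws.com"}, "Action": ["kms:GenerateDataKey"],
             "Resource": "*", "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"},
                                            "ArnLike": {"aws:SourceARN": "arn:aws:s3:::sourcebucket"}}}

if __name__ == "__main__":
    print("Allow only:                ", evaluate(policy(INVENTORY_ALLOW), INVENTORY_PUT))
    print("Broad IP Deny added:       ", evaluate(policy(IP_DENY, INVENTORY_ALLOW), INVENTORY_PUT))
    print("Deny exempts source ARN:   ", evaluate(policy(IP_DENY_FIXED, INVENTORY_ALLOW), INVENTORY_PUT))
    print("Outsider, fixed policy:    ", evaluate(policy(IP_DENY_FIXED, INVENTORY_ALLOW), OUTSIDE_USER))
    print("AWS key instead of Service:", evaluate(policy(WRONG_PRINCIPAL), INVENTORY_PUT))
    print("KMS key policy:            ", evaluate(policy(KMS_ALLOW), KMS_DATAKEY))
```

The evaluator treats the absent aws:SourceIp the way IAM does for negated operators, which is the whole reason the IP-only Deny catches the service call. To check your own policy, paste its statements in place of the constructed ones and keep the request context as shown; if the result is anything but Allow for both requests, delivery fails.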

Note: Check the Last export column under Inventory configurations in the Amazon S3 console. An empty Last export column can show that Amazon S3 didn't deliver the Inventory report. If Amazon S3 delivered the Inventory report, then you can find the Inventory report in the specified path in the destination bucket.

Review your server access logs and CloudTrail history

Check your server access logs to determine whether changes were made to your bucket policies that stopped the delivery. For examples of log formats, see Amazon S3 server access log format.

In a log entry, the operation field identifies the request. The following operation shows that the bucket policy was replaced:

REST.PUT.BUCKETPOLICY

You can also search for the PutBucketPolicy API action in your AWS CloudTrail Event history. If the PutBucketPolicy action was performed more than 90 days ago, then you must query the CloudTrail logs in Amazon S3. For information, see Amazon S3 information in CloudTrail on the AWS Docs GitHub website.
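
As an added example (not code from this page or from AWS), the following Python script parses S3 server access log records in the documented field order and lists the successful bucket-policy writes so that they can be compared with the date in the delivery error. The three log records are constructed for the example; the account, bucket, user names and request IDs are assumptions. REST.DELETE.BUCKETPOLICY is included on the assumption that deleting the policy follows the same REST.method.resource naming as the PUT operation shown above.

```python
"""Find bucket-policy changes in Amazon S3 server access logs (added example,
not AWS code).  Field positions follow the documented server access log
format; the log records below are constructed for this example."""
import re
from datetime import datetime

# One token per field: the bracketed timestamp and quoted strings contain spaces.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
_LEADING_FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
                   "request_id", "operation", "key", "request_uri", "http_status",
                   "error_code"]
POLICY_OPERATIONS = {"REST.PUT.BUCKETPOLICY", "REST.DELETE.BUCKETPOLICY"}  # DELETE name assumed

def parse_record(line):
    """Name the leading fields of one record; trailing fields are left unparsed."""
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(_LEADING_FIELDS):
        raise ValueError(f"truncated record: {line[:60]!r}")
    rec = dict(zip(_LEADING_FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    return rec

def policy_changes(lines):
    """Successful (HTTP 200) PUT/DELETE of the bucket policy, oldest first.
    Denied attempts are dropped here but are themselves worth alerting on."""
    records = (parse_record(l) for l in lines if l.strip())
    hits = [r for r in records
            if r["operation"] in POLICY_OPERATIONS and r["http_status"] == "200"]
    return sorted(hits, key=lambda r: r["time"])

# Constructed records: a read, a successful policy write the day before the failed
# export, and a denied write attempt by a different user.
SAMPLE_LOG = """\
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be destinationbucket [18/Feb/2021:09:12:01 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.BUCKETPOLICY - "GET /destinationbucket?policy HTTP/1.1" 200 - 1133 - 9 - "-" "aws-cli/2.1.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader destinationbucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be destinationbucket [18/Feb/2021:09:15:44 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 7F9A12C4EXAMPLE REST.PUT.BUCKETPOLICY - "PUT /destinationbucket?policy HTTP/1.1" 200 - - 1290 31 - "-" "aws-cli/2.1.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader destinationbucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be destinationbucket [19/Feb/2021:02:00:17 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/bob 1A2B3C4DEXAMPLE REST.PUT.BUCKETPOLICY - "PUT /destinationbucket?policy HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "aws-cli/2.1.0" - hostIdEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader destinationbucket.s3.us-east-1.amazonaws.com TLSv1.2 - -
"""

if __name__ == "__main__":
    for r in policy_changes(SAMPLE_LOG.splitlines()):
        print(r["time"].isoformat(), r["operation"], r["requester"], r["remote_ip"], r["request_id"])
```

Run it against the real log objects for the destination bucket (read them from the logging target bucket first); the request ID in each hit is what you quote when you correlate the change with CloudTrail's PutBucketPolicy event.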

Check the prefix filter for the Inventory scope

If you configured a prefix filter and your Inventory report isn't delivered after 48 hours, then check your prefix configuration. Make sure that the prefix filter matches an existing prefix within the bucket that's inventoried. Remove blank spaces, typos, and leading forward slashes.

Related information

Enabling CloudTrail event logging for S3 buckets and objects

Managing permissions for S3 Inventory, S3 analytics, and S3 Inventory reports

AWS OFFICIAL. Updated a month ago.