How do I troubleshoot 403 Access Denied errors from an Amazon S3 bucket with public read access?

Resolution

To diagnose issues with accessing objects from a public S3 bucket, run the AWSSupport-TroubleshootS3PublicRead automation document (on AWS Systems Manager). This article analyzes some permissions settings that affect the bucket and objects, such as the bucket policy and object access control lists (ACLs).

Note: The AWSSupport-TroubleshootS3PublicRead document analyzes 403 errors from publicly readable objects. The document doesn't evaluate permissions for private objects.

Follow these steps to run the AWSSupport-TroubleshootS3PublicRead automation document using the Systems Manager console:

1.    Open the Systems Manager console.

2.    In the navigation pane, choose Automation.

3.    Choose Execute automation.

4.    Under Choose document, choose the Owned by Amazon tab.

5.    In the Automation document search bar, enter AWSSupport-TroubleshootS3PublicRead, and then press Enter.

6.    Select AWSSupport-TroubleshootS3PublicRead.

7.    Select Execute automation.

8.    Choose Simple execution.

9.    (Optional) For AutomationAssumeRole, you can select an AWS Identity and Access Management (IAM) role that Systems Manager can assume to send requests to your bucket. If you leave this field blank, then Systems Manager uses the IAM identity that you're using to set up the document.

Important: The trust policy of the IAM role that you select must allow Systems Manager Automation to assume the role. Additionally, the IAM role must have permissions for running the AWSSupport-TroubleshootS3PublicRead automation document.

10.    For S3BucketName, enter the name of the S3 bucket that you want to troubleshoot.

11.    (Optional) For S3PrefixName, you can specify a prefix to analyze. If you leave this field blank, then the document lists the bucket and evaluates the first few objects lexicographically.

12.    (Optional) For StartAfter, you can specify the key name that you want the document to start listing from.

13.    For MaxObjects, enter the maximum number of objects that you want the document to evaluate. The default number is 5.

14.    For IgnoreBlockPublicAccess, it's a best practice to leave the value as false.

Warning: Changing the value to true ignores Amazon S3 Block Public Access settings that might be blocking access.

15.    For HttpGet, leave the value as true if you want the document to perform a partial HTTP GET request (the first byte) for each object. Change the value to false if you want the document to perform a full GET request.

16.    For Verbose, enter true if you want to see detailed information during the analysis. Enter false if you only want to see warning and error messages.

17.    (Optional) For CloudWatchLogGroupName, you can enter an Amazon CloudWatch log group name that you want to send the analysis results to. If you specify a name and the log group doesn't exist, then the document will try to create a log group with that name.

18.    (Optional) For CloudWatchLogStreamName, you can enter a CloudWatch log stream name that you want to send the analysis results to. If you specify a name and the log group doesn't exist, then the document tries to create a log group with that name. If you leave this field blank, then the document uses the document's execution ID as the log stream name.

19.    For ResourcePartition, select the partition that the S3 bucket is in. The options are aws, aws-us-gov, or aws-cn.

20.    (Optional) For Tags, enter up to five key-value pair tags.

21.    Choose Execute.

22.    Use the Execution status to track the progress of the document.

23.    After the status indicates a Success, review the results listed in Outputs. The results might include error codes for each object evaluated. The error codes can help diagnose the cause of the Access Denied errors for anonymous requests to each object.

Tip: To review the result of an individual step in the evaluation, choose the relevant Step ID under Executed steps. The Executed Steps are listed below the Execution status.

---