AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

S3 presigned url access Denied

0

Hi Team,

I have an app IAM user that has S3FullAccess permission

I used the access key and secret access key of my IAM app user to create an s3 resigned URL for getObject, when I copy the generated pre-signed URL on a browser I get an error message :

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>HFDGssffscSDQ4DEF</RequestId>
<HostId>OXsT4/6tYWsdssyo0dxtFa7sdsdsThdFqsdsd4L+9CmiKP2tFyGsdsL8Pr0E0rkDgzHsddsMjdsdsdwc=</HostId>
</Error>

I'm not sure why I have access denied even though my user has the right permissions?

Default encryption (Enabled) = AWS Key Management Service key (SSE-KMS)

any ideas, Thanks

주제
관리 및 거버넌스보안, 신원 및 규정 준수스토리지
태그
AWS 계정 관리IAM 정책사전 서명된 URLS3 객체 잠금
언어
English
Jess
질문됨 2년 전12560회 조회
2개 답변
1
수락된 답변

I resolved this by adding those permissions about km key used to encrypt the files to my app-user :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:ca-region:12457989948784:key/abcde1111-7b212154-xdxsddxzsdf545sz",
            "Effect": "Allow"
        }
    ]
}
Jess
답변함 2년 전
profile picture
전문가
Antonio_Lagrotteria
검토됨 2달 전
  • sugin
    2년 전

    I'm glad the problem is solved. Thanks for sharing.

1

Do you have an S3 bucket policy that denies access to the target files?
You need to allow s3:GetObject in your IAM policy or S3 bucket policy.

How do I troubleshoot 403 Access Denied errors from Amazon S3? https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/?nc1=h_ls

Limiting presigned URL capabilities https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#PresignedUrlUploadObject-LimitCapabilities

sugin
답변함 2년 전
  • Jess
    2년 전

    the issue comes from the KMS key used to encrypt s3 objects: the key policy accepts only the root user as a principal, my app IAM user has all access rights to the KMS key. Should I also add him as principal on the key policy?

    because I'm able to upload and able to decrypt messages from SQS with no problem without modifying the key policy, not sure why doesn't work for pre-signedURL (access denied)?

    Thank you.

  • sugin
    2년 전

    Thank you for your comment. As a test, I encrypted S3 with the following KMS policy in my environment.

    {
    "Id": "key-consolepolicy",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::xxxxxxxxxxx:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        }
    ]
}

    I then issued a URL from CloudShell with the following command, and was able to access the file. (not root user)

    aws s3 presign s3://xxxxxxxxxxxxxx/testimage.png

    Protecting data using server-side encryption https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

    if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects.

    Therefore, it does not seem to be a KMS policy issue. If possible, could you tell me what your S3 bucket policy is?

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠