S3 presigned url access Denied

0

Hi Team,

I have an app IAM user that has S3FullAccess permission

I used the access key and secret access key of my IAM app user to create an s3 resigned URL for getObject, when I copy the generated pre-signed URL on a browser I get an error message :

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>HFDGssffscSDQ4DEF</RequestId>
<HostId>OXsT4/6tYWsdssyo0dxtFa7sdsdsThdFqsdsd4L+9CmiKP2tFyGsdsL8Pr0E0rkDgzHsddsMjdsdsdwc=</HostId>
</Error>

I'm not sure why I have access denied even though my user has the right permissions?

Default encryption (Enabled) = AWS Key Management Service key (SSE-KMS)

any ideas, Thanks

2 Answers
2
Accepted Answer

I resolved this by adding those permissions about km key used to encrypt the files to my app-user :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:ca-region:12457989948784:key/abcde1111-7b212154-xdxsddxzsdf545sz",
            "Effect": "Allow"
        }
    ]
}
Jess
answered 3 years ago
profile picture
EXPERT
reviewed 3 months ago
profile picture
EXPERT
reviewed 4 months ago
profile picture
EXPERT
reviewed 7 months ago
  • I'm glad the problem is solved. Thanks for sharing.

1

Do you have an S3 bucket policy that denies access to the target files?
You need to allow s3:GetObject in your IAM policy or S3 bucket policy.

How do I troubleshoot 403 Access Denied errors from Amazon S3? https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/?nc1=h_ls

Limiting presigned URL capabilities https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#PresignedUrlUploadObject-LimitCapabilities

sugin
answered 3 years ago
  • the issue comes from the KMS key used to encrypt s3 objects: the key policy accepts only the root user as a principal, my app IAM user has all access rights to the KMS key. Should I also add him as principal on the key policy?

    because I'm able to upload and able to decrypt messages from SQS with no problem without modifying the key policy, not sure why doesn't work for pre-signedURL (access denied)?

    Thank you.

  • Thank you for your comment. As a test, I encrypted S3 with the following KMS policy in my environment.

    {
        "Id": "key-consolepolicy",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::xxxxxxxxxxx:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            }
        ]
    }
    

    I then issued a URL from CloudShell with the following command, and was able to access the file. (not root user)

    aws s3 presign s3://xxxxxxxxxxxxxx/testimage.png
    

    Protecting data using server-side encryption https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html

    if you share your objects using a presigned URL, that URL works the same way for both encrypted and unencrypted objects.

    Therefore, it does not seem to be a KMS policy issue. If possible, could you tell me what your S3 bucket policy is?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions