
Why do I get the "S3 error: Access Denied" error in CloudFormation?


I want to resolve the Amazon Simple Storage Service (Amazon S3) "Access Denied" error that I get when I create or update stacks in AWS CloudFormation.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Troubleshoot the IAM role or user policy

Make sure that the AWS Identity and Access Management (IAM) user or role that you used with CreateChangeSet or CreateStack has the necessary permissions. You might need to attach a policy that grants the GetObject permission to the IAM identity. The following example policy includes the GetObject permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
    }
  ]
}

Note: Replace amzn-s3-demo-bucket with your bucket.

Verify that the template file exists and doesn't contain typos

To check whether the template file exists and doesn't contain typos, run the list-objects AWS CLI command:

aws s3api list-objects --bucket amzn-s3-demo-bucket --prefix file-path/template-file.json

Note: Replace amzn-s3-demo-bucket with your bucket and file-path/template-file.json with your file path and template file. Make sure that the template URL doesn't contain additional spaces. Typos might cause the "S3 Access Denied" error.

Verify that the template file isn't empty

If the template file exists but is empty, then you might get the "S3 Access Denied" error. To check if the template file is empty, run the get-object AWS CLI command:

aws s3api get-object --bucket amzn-s3-demo-bucket --key key-name template-file.txt

Note: Replace amzn-s3-demo-bucket with your bucket, key-name with the key of your template object, and template-file.txt with the local file name that the downloaded template is saved as.

Then, open the downloaded template file and confirm that it isn't empty.

Check the S3 bucket policy for explicit Deny statements

To check whether the S3 bucket has an explicit Deny statement for the IAM role, complete the following steps:

  1. Open the Amazon S3 console.
  2. In the navigation pane, choose Buckets.
  3. On the Buckets dropdown list, select the bucket that contains the template file.
  4. Choose the Permissions tab.
  5. Under Bucket policy, choose Edit.
  6. Search for statements that have "Effect": "Deny" in them.
  7. Update "Effect": "Deny" statements that deny the IAM role access to s3:GetObject or s3:GetObjectVersion.
  8. Remove the IAM role that you use with CloudFormation from those Deny statements.
  9. Choose Save changes.
  10. Create or update the stack again.

For more information, see Examples of Amazon S3 bucket policies.
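The Deny search in steps 6 to 8 above, as an added example that is not part of the original article: a small Python checker that flags Deny statements in a bucket policy document that can apply to the CloudFormation role for s3:GetObject or s3:GetObjectVersion. It goes beyond the console steps by also handling NotPrincipal, NotAction and wildcard actions, and it marks statements that carry a Condition for manual review. The role ARN, bucket name and policy document are constructed for this example.

```python
import fnmatch

# Constructed sample bucket policy (not from the page): an Allow for the deployment
# role, a conditional Deny for everyone, and a leftover Deny that blocks the same role.
ROLE = "arn:aws:iam::111122223333:role/CfnDeployRole"
OBJECTS = "arn:aws:s3:::amzn-s3-demo-bucket/*"
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCfnRead", "Effect": "Allow", "Principal": {"AWS": ROLE},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"], "Resource": OBJECTS},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": OBJECTS,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyLegacyRole", "Effect": "Deny", "Principal": {"AWS": [ROLE]},
         "Action": "s3:GetObject*", "Resource": OBJECTS},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def _principal_matches(principal, arn):
    """True if `principal` names `arn`, its whole account, or everyone ("*")."""
    if not isinstance(principal, dict):
        return principal == "*"
    account = arn.split(":")[4]
    return any(p in ("*", arn, account, f"arn:aws:iam::{account}:root")
               for p in _as_list(principal.get("AWS")))

def _matches_any(action, patterns):
    """IAM action names match case-insensitively, with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def find_denies(policy, principal_arn, actions=("s3:GetObject", "s3:GetObjectVersion")):
    """Deny statements that can block `principal_arn` from `actions` (resource scope not checked)."""
    hits = []
    for stmt in (s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Deny"):
        if "NotPrincipal" in stmt:  # denies everyone except the listed principals
            applies = not _principal_matches(stmt["NotPrincipal"], principal_arn)
        else:
            applies = _principal_matches(stmt.get("Principal"), principal_arn)
        if "NotAction" in stmt:  # denies every action except the listed ones
            blocked = [a for a in actions if not _matches_any(a, _as_list(stmt["NotAction"]))]
        else:
            blocked = [a for a in actions if _matches_any(a, _as_list(stmt.get("Action")))]
        if applies and blocked:
            hits.append({"Sid": stmt.get("Sid"), "Actions": blocked,
                         "Conditional": "Condition" in stmt})
    return hits
```

A hit marked Conditional (such as a TLS-only Deny) only applies when its condition is met, so check the condition before editing it; an unconditional hit that names the CloudFormation role is the statement step 8 tells you to fix.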

Validate encryption settings on the S3 bucket and activate KMS access for the IAM role

You might get the "S3 Access Denied" error when the bucket uses a customer managed AWS Key Management Service (KMS) key to activate encryption. If you encrypted your bucket, then update the key policy to allow the IAM identity to access the KMS key.

Complete the following steps:

  1. Open the AWS KMS console.
  2. In the navigation pane, choose Customer managed keys.
  3. In the list of KMS keys, select the alias or key ID of the key that encrypts the S3 objects, and then choose the Key Policy tab.
  4. Use the following statement to update the policy:
{
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/IDENTITY"
  },
  "Resource": "arn:aws:kms:aa-example-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}

Note: Replace arn:aws:iam::111122223333:user/IDENTITY with your IAM user Amazon Resource Name (ARN) and arn:aws:kms:aa-example-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd with your KMS ARN. If the IAM identity is in another AWS account, then see My Amazon S3 bucket has default encryption using a custom AWS KMS key. How can I allow users to download from and upload to the bucket?

Check the object ACL permissions for the template file

When a target account uploads a template file that the source account owns, the user in the target account can't access the template in the source account. To resolve this issue, copy the template file to the S3 bucket with the bucket-owner-full-control ACL so that the bucket owner gets full access to the template.

To copy the template with that ACL, run the following put-object AWS CLI command:

aws s3api put-object --bucket amzn-s3-demo-bucket --key key-name --body path-to-file --acl bucket-owner-full-control

Note: Replace amzn-s3-demo-bucket with your bucket, key-name with your key name, and path-to-file with the path to your file.

For more information about access control lists (ACLs), see Controlling ownership of objects and deactivating ACLs for your bucket.

AWS OFFICIAL. Updated 7 months ago
1 Comment

We will get this error if we have an empty template [blank template] in the S3 bucket. Reproduction steps:

  1. Create a blank template
  2. Upload the file into the S3 bucket
  3. Get the S3 object URL to create a stack
  4. Try to create a stack through the console or CLI
  5. You will get: An error occurred (ValidationError) when calling the CreateStack operation: S3 error: Access Denied
replied a year ago