I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console. However, I'm getting a "403 Forbidden" error.
Short description
The "403 Forbidden" error can occur due to the following reasons:
Resolution
Check your permissions for s3:PutObject or s3:PutObjectAcl
Follow these steps:
- Open the AWS Identity and Access Management (IAM) console.
- Navigate to the identity that's used to access the bucket, such as User or Role. Choose the name of the identity.
- Choose the Permissions tab, and expand each policy to view its JSON policy document.
- In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:PutObject or s3:PutObjectAcl actions on the bucket.
Ask for permission to use an AWS KMS key
To upload objects that are encrypted with AWS KMS, you must have permissions to perform AWS KMS actions. You must be able to perform kms:Decrypt and kms:GenerateDataKey actions at minimum.
Important: If you're uploading an object to a bucket in a different account, you can't use the AWS managed key aws/S3 as the default encryption key. This is because the AWS managed key policy can't be modified.
Check the bucket policy for explicit deny statements
Follow these steps:
- Open the Amazon S3 console.
- From the list of buckets, open the bucket you want to upload files to.
- Choose the Permissions tab.
- Choose Bucket policy.
- Search for statements with "Effect": "Deny".
- Review these statements and make sure that they don't prevent uploads to the bucket.
Important: Before saving a bucket policy with "Effect": "Deny", make sure to check for any statements that deny access to the S3 bucket. If you get locked out, see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?
The following example statement explicitly denies access to s3:PutObject on example-bucket unless the upload request encrypts the object with an AWS KMS key whose ARN matches arn:aws:kms:us-east-1:111122223333:key/*:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}
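The manual search for "Effect": "Deny" statements above can be scripted against a saved copy of the policy. The following Python sketch is an added example, not AWS code: it lists the statements with a given Effect whose Action/NotAction and Resource/NotResource elements cover an upload request, and the same function with "Allow" applies to the IAM identity policy check earlier. The statements OtherBucket and DeleteOnly, the object key report.csv, and all function names are assumptions made for illustration; Condition blocks are reported for manual review, not evaluated.

```python
import json
import re

# Constructed input: ExampleStmt is the statement from this page; OtherBucket and
# DeleteOnly are made-up statements that must not be reported for this upload.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ExampleStmt", "Effect": "Deny", "Principal": "*",
   "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringNotLikeIfExists": {
     "s3:x-amz-server-side-encryption-aws-kms-key-id":
       "arn:aws:kms:us-east-1:111122223333:key/*"}}},
  {"Sid": "OtherBucket", "Effect": "Deny", "Principal": "*",
   "Action": "s3:Put*", "Resource": "arn:aws:s3:::another-bucket/*"},
  {"Sid": "DeleteOnly", "Effect": "Deny", "Principal": "*",
   "NotAction": ["s3:Get*", "s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}
]}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _covers(stmt, key, value, ignore_case):
    """True if Action/Resource (or NotAction/NotResource) covers value."""
    if key in stmt:
        return any(_glob(p, value, ignore_case) for p in _as_list(stmt[key]))
    excluded = stmt.get("Not" + key)
    return excluded is not None and not any(
        _glob(p, value, ignore_case) for p in _as_list(excluded))

def statements_for(policy, effect, action, resource):
    """(Sid, Condition) of statements with this Effect that cover the request."""
    return [
        (stmt.get("Sid", f"#{i}"), stmt.get("Condition"))  # Condition not evaluated
        for i, stmt in enumerate(_as_list(policy.get("Statement", [])))
        if stmt.get("Effect") == effect
        and _covers(stmt, "Action", action, True)       # action names ignore case
        and _covers(stmt, "Resource", resource, False)  # ARNs are case-sensitive
    ]

if __name__ == "__main__":
    print(statements_for(POLICY, "Deny", "s3:PutObject",
                         "arn:aws:s3:::example-bucket/report.csv"))
```

Any statement the function returns still needs its Condition read by hand: here ExampleStmt blocks the upload only when the request does not name a matching KMS key.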
Remove the public ACL from your request or disable S3 Block Public Access
If you pass a public ACL, such as public-read or authenticated-read, in your PUT request, the S3 object becomes public. If the S3 Block Public Access feature is turned on for this account or bucket, then your upload request is denied.
Note: It's not a best practice to make an object public unless your use case requires it.
To successfully upload the object as a publicly available object, modify the S3 Block Public Access feature as required. If your use case doesn't require making the object publicly available, then remove the mentioned public ACL from the PUT request.
For configuring the S3 Block Public Access settings at the account level, see Configuring block public access settings for your account. For configuring settings at the bucket level, see Configuring block public access settings for your S3 buckets. Also, see The meaning of "public".
Review service control policies for AWS Organizations
If you use AWS Organizations, check if the service control policies explicitly deny S3 actions. If so, modify the policy as desired.
Related information
How do I troubleshoot 403 Access Denied errors from Amazon S3?
How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?