How do I troubleshoot Access Denied errors when IAM users from another AWS account try to access my Amazon S3 bucket?
My Amazon Simple Storage Service (Amazon S3) bucket policy grants full access to another AWS account. However, when AWS Identity and Access Management (IAM) users from the other account try to access my bucket, they get an "Access Denied" error.
Short description
If your bucket policy already grants access to another account, then cross-account users can get Access Denied errors for the following reasons:
- The user's IAM policy doesn't grant access to the bucket.
- You encrypted the object with AWS Key Management Service (AWS KMS), and the user doesn't have access to the AWS KMS key.
- A Deny statement in the bucket policy or IAM policy blocks the user's access.
- The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy blocks access to the bucket.
- The AWS Organizations service control policy (SCP) blocks access to the bucket.
- The object doesn't belong to the account that owns the bucket.
- You turned on Requester Pays for the Amazon S3 bucket.
- You passed a session policy that blocked access to the bucket.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
The user's IAM policy doesn't grant access to the bucket
For cross-account access, make sure that you grant bucket access in the IAM policy in the users' account and the bucket policy in your account.
To add bucket permissions to the IAM policy in the users' account, complete the following steps:
- Open the IAM console.
- In the navigation pane, select the IAM users or roles that can't access the bucket.
- In Permissions policies, expand each policy to view its JSON policy document.
- In the JSON policy documents that contain the bucket's name, confirm that the policies allow the correct S3 actions on the bucket.
- If the IAM user or role doesn't grant access to the bucket, then add a policy that grants the correct permissions.
The following example IAM policy grants a user permission to download objects (the s3:GetObject action) from DOC-EXAMPLE-BUCKET:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": "s3:GetObject",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ]
    }
  ]
}
Note: If you use instance profiles or assume a role, then make sure that your policy has the correct permissions.
You encrypted the object with AWS KMS
If both the IAM policy and bucket policy grant cross-account access, then check the bucket for default encryption with AWS KMS. Or, check the object's properties for AWS KMS encryption. If you encrypted the object with a KMS key, then the user must also have permissions to use the key.
To grant an IAM user the permissions to download and upload to a bucket and use the AWS KMS key, complete the following steps:
- Edit the KMS key policy to add the following statement:
{
  "Sid": "ExampleStmt",
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/Jane"
  },
  "Resource": "*"
}
Note: Replace the example ARN with your principal's ARN.
- If the AWS KMS key belongs to the IAM user's account, then you don't need to update the key policy. If the AWS KMS key belongs to your account, then you must update the IAM user's permissions to add the following IAM policy statement:
{
  "Sid": "KMSAccess",
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
}
Note: Replace the example KMS key's ARN with your KMS key's ARN.
For more information, see Why do cross-account users receive Access Denied errors when they try to access my S3 objects that I encrypted with an AWS KMS customer managed key?
A Deny statement in the policy blocks the users' access
Check the bucket policy and the users' IAM policies for statements that explicitly deny the user's access to the bucket.
To check the bucket policy, complete the following steps:
- Open the Amazon S3 console.
- In the list of buckets, select the bucket with the policy that you want to check.
- Choose the Permissions tab.
- In Bucket policy, check for statements with "Effect": "Deny".
- Modify the bucket policy to remove any "Effect": "Deny" statements that deny the user's access to the bucket.
To check the users' IAM policies, complete the following steps:
- Open the IAM console.
- In the navigation pane, select the IAM users or roles that can't access the bucket.
- In Permissions policies, expand each policy to view the JSON policy documents.
- In the JSON policy documents that are related to the S3 bucket, check for statements that contain "Effect": "Deny".
- Modify the user's IAM permissions policies to remove "Effect": "Deny" statements that deny the user's access to the bucket.
The VPC endpoint policy blocks access to the bucket
If users access the bucket with an Amazon Elastic Compute Cloud (Amazon EC2) instance through a VPC endpoint, then check the VPC endpoint policy. Confirm that the VPC endpoint policy includes the correct permissions to access the S3 bucket.
The following example VPC endpoint policy allows access to DOC-EXAMPLE-BUCKET:
{
  "Id": "Policy1234567890123",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1234567890123",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Principal": "*"
    }
  ]
}
Warning: The element "Principal": "*" grants everyone that uses the VPC endpoint access to the bucket. Make sure to restrict the scope of the Principal value for your use case.
The Organizations SCP blocks access to the bucket
If the user's account uses Organizations, then check the SCPs for Deny statements that block access to the bucket.
The following example policy explicitly denies access to Amazon S3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
The object doesn't belong to the account that owns the bucket
By default, the account that uploads the object owns the object, even when another account owns the bucket. The bucket's permissions don't automatically apply to an object that a different account owns.
To resolve Access Denied errors from S3 Object Ownership, use the following best practices:
- Apply the bucket owner enforced setting for S3 Object Ownership to turn off access control lists (ACLs) for your buckets.
- If you don't want to turn off ACLs to enforce object ownership for new objects, then apply the bucket owner preferred setting. Make sure that you update your bucket policy to require the bucket-owner-full-control canned ACL for all PUT requests to your bucket. The object owner can run the following put-object-acl command to grant access to the bucket owner:
aws s3api put-object-acl --bucket examplebucket --key keyname --acl bucket-owner-full-control
Note: For the bucket owner to access the object, the object owner must explicitly grant access to the bucket owner. Use the object owner account to run the preceding command.
You turned on Requester Pays
If you turned on Requester Pays for your bucket, then users from other accounts must specify the x-amz-request-payer parameter.
The users must take the following actions:
- For DELETE, GET, HEAD, POST, and PUT requests, include x-amz-request-payer : requester in the header.
- For signed URLs, include x-amz-request-payer=requester in the request.
- For AWS CLI commands, include the --request-payer parameter:
aws s3 cp exampleobject.jpg s3://DOC-EXAMPLE-BUCKET/exampleobject.jpg --request-payer requester
A session policy blocked access to the bucket
Make sure that the session policy that you passed doesn't block access to the S3 bucket.
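The decision logic that the preceding sections walk through (an Allow in both the user's IAM policy and your bucket policy for cross-account access, an explicit Deny in either one, the AWS KMS key policy, the VPC endpoint policy, the Organizations SCP, and the session policy) can be replayed offline before you start editing policies in the console. The following Python script is an added example, not AWS code and not the real IAM policy-evaluation engine: it is a simplified model that ignores NotAction, NotResource, Condition elements and per-OU SCP inheritance. The bucket owner account ID 123456789098, the object key report.csv, the bucket policy that grants the other account full access, and the session policy that omits S3 are constructed inputs built around the article's own example policies.

```python
"""Offline replay of the cross-account decision this article describes.

Added example, not AWS code, and a deliberately simplified model: an explicit
Deny anywhere wins; an SCP, VPC endpoint policy or session policy that is
present must also Allow; a principal from another account needs an Allow in
BOTH its identity policy and the resource (bucket or KMS key) policy.
NotAction, NotResource, Condition and per-OU SCP inheritance are ignored.
"""
import fnmatch

def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _principal_matches(stmt, principal_arn):
    """Resource policies name a Principal; identity policies and SCPs do not."""
    if "Principal" not in stmt or stmt["Principal"] == "*":
        return True
    spec = stmt["Principal"]
    entries = _as_list(spec.get("AWS")) if isinstance(spec, dict) else _as_list(spec)
    account = principal_arn.split(":")[4]   # an account root ARN or bare ID delegates to that account
    return any(e in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for e in entries)

def _decision(policy, action, resource, principal_arn):
    """Return 'Deny', 'Allow' or None for one policy document."""
    result = None
    for stmt in policy.get("Statement", []):
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
                and _principal_matches(stmt, principal_arn)):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            result = "Allow"
    return result

def evaluate(principal_arn, action, resource, owner_account, identity_policies,
             resource_policy, scps=(), vpc_endpoint_policy=None, session_policy=None):
    """Return (allowed, reason) for one request under the simplified model."""
    gates = {"SCP": list(scps),
             "VPC endpoint policy": [vpc_endpoint_policy] if vpc_endpoint_policy else [],
             "session policy": [session_policy] if session_policy else []}
    docs = [("identity policy", p) for p in identity_policies] + [("resource policy", resource_policy)]
    docs += [(name, d) for name, lst in gates.items() for d in lst]
    for name, doc in docs:                       # 1. an explicit Deny anywhere wins
        if _decision(doc, action, resource, principal_arn) == "Deny":
            return False, f"explicit Deny in {name}"
    for name, lst in gates.items():              # 2. every gate that is present must Allow
        if lst and not any(_decision(d, action, resource, principal_arn) == "Allow" for d in lst):
            return False, f"{name} does not allow {action}"
    identity_ok = any(_decision(p, action, resource, principal_arn) == "Allow" for p in identity_policies)
    resource_ok = _decision(resource_policy, action, resource, principal_arn) == "Allow"
    if principal_arn.split(":")[4] != owner_account:   # 3. cross-account needs both sides
        if identity_ok and resource_ok:
            return True, "allowed by identity policy and resource policy"
        if not identity_ok:
            return False, f"identity policy in the user's account does not allow {action}"
        return False, "resource policy does not allow this principal"
    return (True, "allowed (same account)") if identity_ok or resource_ok else (False, "no Allow found")

# Constructed inputs built from the article's example policies (not live data).
USER = "arn:aws:iam::111122223333:user/Jane"
BUCKET_OWNER = "123456789098"          # owner of DOC-EXAMPLE-BUCKET and of the KMS key
OBJECT = "arn:aws:s3:::DOC-EXAMPLE-BUCKET/report.csv"
KEY = "arn:aws:kms:example-region-1:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
BUCKET_ARNS = ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Action": "s3:GetObject", "Effect": "Allow", "Resource": [BUCKET_ARNS[1]]},
    {"Sid": "KMSAccess", "Action": KMS_ACTIONS, "Effect": "Allow", "Resource": KEY}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [   # "grants full access to another account"
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": BUCKET_ARNS}]}
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ExampleStmt", "Action": KMS_ACTIONS, "Effect": "Allow",
     "Principal": {"AWS": USER}, "Resource": "*"}]}
VPC_ENDPOINT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": ["s3:GetObject", "s3:PutObject"], "Effect": "Allow",
     "Resource": BUCKET_ARNS, "Principal": "*"}]}
DENY_ALL_S3_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
SESSION_POLICY_NO_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

def scenarios():
    """Replay the article's causes of Access Denied; returns {name: (allowed, reason)}."""
    s3 = dict(principal_arn=USER, action="s3:GetObject", resource=OBJECT, owner_account=BUCKET_OWNER,
              identity_policies=[IDENTITY_POLICY], resource_policy=BUCKET_POLICY)
    kms = {**s3, "action": "kms:Decrypt", "resource": KEY, "resource_policy": KEY_POLICY}
    return {
        "both sides allow GetObject": evaluate(**s3),
        "PutObject missing from identity policy": evaluate(**{**s3, "action": "s3:PutObject"}),
        "SCP denies s3:*": evaluate(**s3, scps=[DENY_ALL_S3_SCP]),
        "VPC endpoint policy allows": evaluate(**s3, vpc_endpoint_policy=VPC_ENDPOINT_POLICY),
        "session policy omits S3": evaluate(**s3, session_policy=SESSION_POLICY_NO_S3),
        "kms:Decrypt with key policy grant": evaluate(**kms),
        "kms:Decrypt without key policy grant": evaluate(
            **{**kms, "resource_policy": {"Version": "2012-10-17", "Statement": []}}),
    }
```

Import the module and call scenarios() to see a (allowed, reason) pair for each case; the reason string tells you which section of this article to go back to (an explicit Deny points at the Deny-statement section, a gate name points at the SCP, VPC endpoint or session policy section, and a missing identity or resource Allow points at the IAM policy, bucket policy or KMS key policy steps). To replay your own case, paste the real documents retrieved with aws iam get-policy-version, aws s3api get-bucket-policy and aws kms get-key-policy in place of the constructed ones; the evaluate() function takes the same arguments for S3 and KMS because the cross-account rule is the same for both resource types.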
Related information
How do I troubleshoot 403 Access Denied errors from Amazon S3?
A user with permission to add objects to my Amazon S3 bucket is getting Access Denied errors. Why?