Why did I get an "Access Denied" error when I used the Amazon S3 static website hosting endpoint?
I used an Amazon Simple Storage Service (Amazon S3) bucket to host a static website with the S3 static website hosting endpoint. I want to troubleshoot the "Access Denied" error that I received from the S3 static website hosting endpoint.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Objects in the bucket must be publicly accessible
An S3 static website endpoint supports only publicly accessible content. To verify whether an object in your S3 bucket is publicly accessible, open the object's URL in a web browser. Or, you can run a curl command on the URL.
The following is an example URL of an S3 object:
http://doc-example-bucket.s3-website-us-east-1.amazonaws.com/index.html
If the web browser or curl command returns the Access Denied error, then the object isn't publicly accessible. To resolve this issue, create a bucket policy that allows public read access for all objects in the bucket.
The S3 bucket policy must allow access to the s3:GetObject action
Check whether your bucket policy contains Deny statements that block public read access to the s3:GetObject action. Even when you have an explicit Allow statement for s3:GetObject in your bucket policy, an explicit deny statement always overrides an explicit allow statement.
To check your bucket policy, complete the following steps:
- Open the Amazon S3 console, and then select your bucket.
- Choose the Permissions tab.
- Review the bucket policy for statements with "Action": "s3:GetObject" or "Action": "s3:*".
- If a statement blocks public read access to s3:GetObject, then modify the bucket policy.
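The following is an added example, not code from the AWS article, that applies the policy-review steps above to a bucket policy document. It models the one rule the article states, that an explicit Deny overrides an explicit Allow, for an anonymous GET of a single key; statements that carry a Condition or use NotAction, NotResource or NotPrincipal are not evaluated and are reported for manual review instead. The sample policy and bucket name are constructed. It also builds the public-read policy that the previous section tells you to create.

```python
"""Check a bucket policy for anonymous s3:GetObject access to one key.

Added example, not code from the AWS article. Conditions and Not* forms
are not evaluated; such statements are surfaced for manual review.
"""
import fnmatch
import json


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for the two anonymous-principal forms: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _any_match(patterns, value, ignore_case):
    """IAM wildcards (* and ?) map directly onto fnmatch."""
    if ignore_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_public_get(policy, bucket, key):
    """Return (verdict, matching Sids) for an anonymous GET of s3://bucket/key.

    verdict is "deny", "review", "allow" or "no-match". Precedence follows
    IAM: an unconditional Deny wins; anything needing review is reported
    before an Allow is trusted.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    arn = f"arn:aws:s3:::{bucket}/{key}"
    denies, review, allows = [], [], []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if any(k in stmt for k in ("NotAction", "NotResource", "NotPrincipal")):
            review.append(sid)  # negated matching: inspect by hand
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        # Action names are case-insensitive; resource ARNs (object keys) are not.
        if not _any_match(_as_list(stmt.get("Action")), "s3:GetObject", True):
            continue
        if not _any_match(_as_list(stmt.get("Resource")), arn, False):
            continue
        if stmt.get("Effect") == "Deny":
            (review if stmt.get("Condition") else denies).append(sid)
        elif stmt.get("Effect") == "Allow":
            allows.append(sid)
    if denies:
        return "deny", denies
    if review:
        return "review", review
    if allows:
        return "allow", allows
    return "no-match", []


def public_read_policy(bucket):
    """The public-read bucket policy the article tells you to create."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


# Constructed sample: a public-read Allow, an unconditional Deny on a private
# prefix, and a Deny on non-TLS requests. The website endpoint serves plain
# HTTP, so that last statement blocks it; here it is flagged for review.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::doc-example-bucket/*"},
        {"Sid": "DenyPrivatePrefix", "Effect": "Deny", "Principal": {"AWS": "*"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::doc-example-bucket/private/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::doc-example-bucket",
                      "arn:aws:s3:::doc-example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    for k in ("index.html", "private/report.pdf"):
        print(k, evaluate_public_get(SAMPLE_POLICY, "doc-example-bucket", k))
    print(json.dumps(public_read_policy("doc-example-bucket"), indent=2))
```

Feed it the output of `aws s3api get-bucket-policy --query Policy --output text` for your own bucket. A "review" verdict is the interesting one: a Deny with a Condition, such as the constructed aws:SecureTransport example, can block the HTTP-only website endpoint even though a plain Allow for s3:GetObject is present.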
The account that owns the bucket must also own the objects
To allow public read access to objects, the AWS account that owns the bucket must also own the objects. A bucket or object is owned by the AWS account of the AWS Identity and Access Management (IAM) identity that created it.
Note: S3 Object Ownership doesn't apply to public read access that the object's access control list (ACL) grants.
You can use the Amazon S3 console to check the bucket and object owners. You can find the owners in the Permissions tab of the bucket or object.
To use the AWS CLI to check whether the same account owns your Amazon S3 bucket and objects, complete the following steps:
- To retrieve the S3 canonical ID of the bucket owner, run the list-buckets command:
aws s3api list-buckets --query Owner.ID
- To retrieve the S3 canonical ID of the object owner, run the list-objects command:
aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET --prefix index.html
Note: The preceding command returns a single object. To check several objects, run the list-objects command without the --prefix option.
- If the canonical IDs of the bucket owner and object owner don't match, then change the object's owner to the bucket owner. From the object owner's account, run the get-object-acl command to retrieve the ACL permissions that are assigned to the object:
aws s3api get-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name
- If the object doesn't have bucket-owner-full-control ACL permissions, then run the put-object-acl command from the object owner's account:
aws s3api put-object-acl --bucket DOC-EXAMPLE-BUCKET --key object-name --acl bucket-owner-full-control
- If the object has bucket-owner-full-control ACL permissions, then run the following command from the bucket owner's account:
aws s3 cp s3://DOC-EXAMPLE-BUCKET/index.html s3://DOC-EXAMPLE-BUCKET/index.html --storage-class STANDARD
Note: The preceding command copies the object over itself and changes the owner of the object to the bucket owner.
You can also use S3 Object Ownership to grant the bucket owner automatic ownership of any objects that anonymous users or other accounts upload.
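The following is an added example, not code from the AWS article, that applies the ownership steps above to the JSON that the article's CLI commands return (list-buckets, list-objects and get-object-acl) and decides, per object, which step comes next and from which account. The canonical IDs, keys and ACL grants in the sample data are constructed placeholders.

```python
"""Triage object ownership for a static-website bucket.

Added example, not code from the AWS article. Input is the JSON output of
the article's list-buckets, list-objects and get-object-acl commands.
"""
import json

BUCKET_OWNER_ID = "1111aaaa" * 8   # placeholder 64-char canonical ID
OTHER_ACCOUNT_ID = "2222bbbb" * 8  # placeholder 64-char canonical ID

# Constructed output of: aws s3api list-objects --bucket DOC-EXAMPLE-BUCKET
LIST_OBJECTS = {"Contents": [
    {"Key": "index.html", "Owner": {"ID": BUCKET_OWNER_ID}},
    {"Key": "error.html", "Owner": {"ID": OTHER_ACCOUNT_ID}},
    {"Key": "img/logo.png", "Owner": {"ID": OTHER_ACCOUNT_ID}},
]}

# Constructed output of: aws s3api get-object-acl --bucket ... --key <key>
OBJECT_ACLS = {
    "error.html": {"Owner": {"ID": OTHER_ACCOUNT_ID}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID},
         "Permission": "FULL_CONTROL"}]},
    "img/logo.png": {"Owner": {"ID": OTHER_ACCOUNT_ID}, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID},
         "Permission": "FULL_CONTROL"}]},
}


def bucket_owner_has_full_control(acl, bucket_owner_id):
    """True if the ACL grants FULL_CONTROL to the bucket owner's canonical user."""
    return any(
        g.get("Permission") == "FULL_CONTROL"
        and g.get("Grantee", {}).get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == bucket_owner_id
        for g in acl.get("Grants", []))


def triage(bucket_owner_id, list_objects, acls):
    """Map each key to the article's next step for it."""
    plan = {}
    for obj in list_objects.get("Contents", []):
        key = obj["Key"]
        if obj.get("Owner", {}).get("ID") == bucket_owner_id:
            plan[key] = "ok"
        elif bucket_owner_has_full_control(acls.get(key, {}), bucket_owner_id):
            plan[key] = "copy-over-itself"  # run from the bucket owner's account
        else:
            plan[key] = "grant-bucket-owner-full-control"  # object owner's account
    return plan


def remediation_commands(bucket, plan):
    """The AWS CLI commands from the article, one per object that needs work."""
    cmds = []
    for key, step in sorted(plan.items()):
        if step == "grant-bucket-owner-full-control":
            cmds.append(f"aws s3api put-object-acl --bucket {bucket} --key {key} "
                        f"--acl bucket-owner-full-control")
        elif step == "copy-over-itself":
            cmds.append(f"aws s3 cp s3://{bucket}/{key} s3://{bucket}/{key} "
                        f"--storage-class STANDARD")
    return cmds


if __name__ == "__main__":
    plan = triage(BUCKET_OWNER_ID, LIST_OBJECTS, OBJECT_ACLS)
    print(json.dumps(plan, indent=2))
    print("\n".join(remediation_commands("DOC-EXAMPLE-BUCKET", plan)))
```

Run with the real outputs by loading them with json.load; the bucket owner ID is the bare string that `aws s3api list-buckets --query Owner.ID` prints. Objects with a foreign owner but no FULL_CONTROL grant for the bucket owner need the put-object-acl step first, and that step only works from the object owner's account.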
You can't use AWS KMS encryption for the objects
AWS Key Management Service (AWS KMS) doesn't support anonymous requests. As a result, objects that you encrypt with AWS KMS can't be served through the anonymous or public access that an Amazon S3 bucket allows. To serve the objects through the Amazon S3 static website endpoint, you must remove AWS KMS encryption from the objects.
Note: Instead of AWS KMS encryption, use server-side encryption with Amazon S3 managed keys to encrypt your objects.
To check whether you used KMS encryption on your objects, you can use the Amazon S3 console. On the Object overview page, check whether AWS-KMS is selected in the Encryption dialog box. You can also run the head-object AWS CLI command. If the command returns server-side encryption as aws:kms, then the object is AWS KMS encrypted.
To use the Amazon S3 console to change the object's encryption settings, see Specifying server-side encryption with Amazon S3 managed keys (SSE-S3).
To use the AWS CLI to change the object's encryption settings, verify that the object's bucket doesn't have default encryption. If the bucket doesn't have default encryption, then run the following command to copy the object over itself to remove the object's encryption:
aws s3 cp s3://DOC-EXAMPLE-BUCKET/index.html s3://DOC-EXAMPLE-BUCKET/index.html --storage-class STANDARD --sse AES256
Warning: Amazon S3 removes the settings for storage-class and website-redirect-location when you copy the object over itself. To maintain these settings in the new object, make sure to explicitly specify storage-class or website-redirect-location values in the copy request.
If you activated versioning on your bucket, then the default encryption creates a new version of the object when you change the encryption.
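The following is an added example, not code from the AWS article, that turns the check-and-recopy procedure above into a plan for one object. It reads the JSON returned by `aws s3api head-object` and `aws s3api get-bucket-encryption`, skips objects that aren't SSE-KMS encrypted, refuses to proceed while the bucket's default encryption is aws:kms (a copy would simply be re-encrypted with KMS), and otherwise builds the `aws s3 cp` command from the article with the storage class and website redirect carried over, as the warning requires. The sample head-object and bucket-encryption outputs are constructed, and the `--website-redirect` option of `aws s3 cp` is assumed to be the flag for the redirect setting.

```python
"""Plan removal of SSE-KMS from a website object while keeping its settings.

Added example, not code from the AWS article. Inputs are the JSON outputs
of head-object and get-bucket-encryption; the sample data is constructed.
"""
import shlex

# Constructed: aws s3api head-object --bucket DOC-EXAMPLE-BUCKET --key index.html
HEAD_KMS = {
    "ContentType": "text/html",
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
    "StorageClass": "STANDARD_IA",
    "WebsiteRedirectLocation": "/new-index.html",
}
# Constructed: an object already on SSE-S3, nothing to do.
HEAD_S3 = {"ContentType": "text/html", "ServerSideEncryption": "AES256"}

# Constructed: aws s3api get-bucket-encryption --bucket DOC-EXAMPLE-BUCKET
BUCKET_ENC_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "EXAMPLE-KEY-ID"}}]}}


def default_sse_algorithm(bucket_encryption):
    """SSEAlgorithm of the bucket's default-encryption rule, or None if unset."""
    rules = (bucket_encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def plan_recopy(bucket, key, head_object, bucket_encryption=None):
    """Decide what to do with one object.

    Returns {"action": "skip"} when the object is not KMS-encrypted,
    {"action": "blocked"} when the bucket's default encryption is aws:kms,
    or {"action": "recopy", "argv": [...]} with the aws s3 cp command.
    """
    if head_object.get("ServerSideEncryption") != "aws:kms":
        return {"action": "skip", "reason": "object is not SSE-KMS encrypted"}
    if default_sse_algorithm(bucket_encryption) == "aws:kms":
        return {"action": "blocked",
                "reason": "bucket default encryption is aws:kms; change it first"}
    uri = f"s3://{bucket}/{key}"
    # head-object omits StorageClass for STANDARD objects, so default to it
    # explicitly: the copy must restate the storage class or it is lost.
    argv = ["aws", "s3", "cp", uri, uri,
            "--storage-class", head_object.get("StorageClass", "STANDARD"),
            "--sse", "AES256"]
    redirect = head_object.get("WebsiteRedirectLocation")
    if redirect:
        # Assumed flag name for carrying the website redirect over.
        argv += ["--website-redirect", redirect]
    return {"action": "recopy", "argv": argv}


def as_shell(argv):
    """Quote the argv for pasting into a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    for head, enc in ((HEAD_S3, None), (HEAD_KMS, BUCKET_ENC_KMS), (HEAD_KMS, None)):
        plan = plan_recopy("DOC-EXAMPLE-BUCKET", "index.html", head, enc)
        print(plan["action"], as_shell(plan["argv"]) if "argv" in plan else plan["reason"])
```

Because the copy creates a new object (and a new version on a versioned bucket), run head-object again afterwards and confirm ServerSideEncryption reads AES256 and the StorageClass and WebsiteRedirectLocation values are unchanged.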
Requested objects must exist in the S3 bucket
If the requester doesn't have s3:ListBucket permission, then Amazon S3 returns an Access Denied error instead of 404 Not Found for objects that don't exist.
To check whether the object exists in the bucket, run the head-object AWS CLI command.
Note: S3 object names are case sensitive. If the request doesn't have a valid object name, then Amazon S3 reports that the object is missing.
If the object exists in the bucket, then the Access Denied error doesn't mask a 404 Not Found error. To resolve the Access Denied error, verify other configuration requirements.
If the object doesn't exist in the bucket, then the Access Denied error masks a 404 Not Found error. Resolve the issue that's related to the missing object.
Note: It's a security best practice not to activate public s3:ListBucket access. Public s3:ListBucket access allows users to see and list all objects in a bucket. This access exposes object metadata details, such as key and size, to users even when the users don't have permission to download the object.
Turn off Amazon S3 Block Public Access on the bucket
Amazon S3 Block Public Access can override permissions that allow public read access. Confirm that you didn't configure Amazon S3 Block Public Access settings on either your S3 bucket or your account.
Related information
Hosting Internal HTTPS Static Websites with Application Load Balancer, S3, and AWS PrivateLink