By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

"Access Denied" exception while making GET and DELETE requests to Amazon S3 buckets

0

I am currently facing an issue while making GET and DELETE requests to Amazon S3 buckets. I am receiving an API response with a status code of 500 and the following error message: Amazon.S3.AmazonS3Exception: Access Denied

My objective is to retrieve a complete list of buckets using a GET request and delete a specific bucket using a DELETE request.

BUT When I perform these operations, I consistently encounter an "Access Denied" exception with the mentioned error message.

I have verified that I have the necessary permissions in my AWS Identity and Access Management (IAM) policies. Specifically, I have confirmed that the relevant IAM user or role has the required permissions to perform these actions. I have reviewed my IAM policies and ensured that the s3:ListAllMyBuckets and s3:DeleteBucket actions are granted explicitly. However, despite these permissions being in place, I am still experiencing the "Access Denied" error.

  • secondabhi_aws EXPERT
    10 months ago

    Were you able to find the issue based on the suggestions provided here? Please let us know if you are still facing the issue, if my answer helped you to isolate the issue, please accept the answer. Thank you!

Topics
StorageSecurity, Identity, & Compliance.NET on AWS
Tags
Amazon Simple Storage ServiceIAM Policies.NET on AWS
Language
English
rePost-User-4255628
asked 10 months ago316 views
3 Answers
0

How do you perform Get and Delete requests?
If you are using Lambda or EC2, make sure that the required IAM policies are set for the IAM roles.
It is also possible that the S3 bucket policy is causing the problem, so please make sure the settings are correct.
If the bucket policy has a deny section, the API execution will fail even if the IAM policy allows it.

Incidentally, the "s3:GetObject" action is required to perform S3 get objects.

By the way, would it be possible for you to share what policy you are using?

profile picture
EXPERT
Riku_Kobayashi
answered 10 months ago
  • rePost-User-4255628
    10 months ago

    I am using the AWS SDK to perform Get and Delete requests on S3 buckets. Sure, I can show you my policy

  • Riku_Kobayashi EXPERT
    10 months ago

    Where is the SDK running? Is it Lambda or EC2? In such cases, set the necessary policies for IAM roles, not IAM users.

  • secondabhi_aws EXPERT
    10 months ago

    Please attach the policy doc after redacting account, resource info, also confirm if there is any SCP/permission boundary attached to the role.

0

here's my policy: my policy By the way, I checked the bucket policy section, there was an "Access" value

rePost-User-4255628
answered 10 months ago
  • secondabhi_aws EXPERT
    9 months ago

    Hi, Were you able to figure out if there is anything blocking at permission boundary or SCP. Please post here if you are still facing the issue, happy to help.

  • secondabhi_aws EXPERT
    9 months ago

    Did you check permission boundary and service control policy attached? Let me know if you are still stuck, glad to help.

0

Hi,

Please check following to make sure you are not missing these things:

  1. If you are seeing access issues while getting the objects from S3 bucket then check following:

    Is S3 bucket is encrypted with SSE-KMS CMK, if:

             Yes, then does IAM role have access to this KMS Key, if:

                       Yes, does KMS key have any explicit denied policy, if:

                                  No, you are good for KMS key part.

                                  Yes, then add IAM role to allowed role list in KMS key policy.

                       No, add KMS key permissions in IAM role.

         No, check S3 bucket has explicit deny policy, if,

                     Yes, then add IAM role to allowed role list in bucket policy.

                     No, check if there is any SCP, which is blocking you to access/delete the bucket, if:

                                Yes, SCP may need to be revised.

                                No, you are good for bucket policy part as well.

  2. If you are only seeing access issues while listing all S3 buckets or deleting a bucket, then:

    Check if there is any service control policy(SCP) attached to your AWS account and permission boundary attached to your role, which is not letting you list buckets or delete the bucket

profile pictureAWS
EXPERT
secondabhi_aws
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content