Recently, one of our customers was trying to upload files to Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console.

However, he came across an HTTP 403 Forbidden error instead.

If you are getting the 403 Forbidden error when connecting to Amazon S3 storage check if your access key ID has permission to list the available buckets.

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related AWS queries.

In this context, we shall look into methods to troubleshoot this AWS error.

How to fix AWS S3 403 Forbidden error ?

To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, we need to check:

1. Missing permissions to s3:PutObject or s3:PutObjectAcl

• We ensure that the AWS Identity and Access Management (IAM) user or role has permissions for the s3:PutObject action on the bucket.
• On the other hand, not having this permission can result in HTTP 403 Forbidden error.
• In addition, during the upload, if we try to modify the object’s ACL, the IAM user or role must have permissions for the s3:PutObjectAcl action.

2. Missing permissions to use an AWS KMS key

• We need permission to access an S3 bucket that uses default encryption with a custom AWS KMS key.
• To get the permission, a key administrator must grant it on the key policy.
• The IAM user or role must have permissions for kms:Encrypt and kms:GenerateDataKey to upload an object to an encrypted bucket.

3. Explicit deny statement in the bucket policy

We need to check the bucket policy for any statements that explicitly deny permission for s3:PutObject unless it meets certain conditions.

The upload should meet the bucket policy requirements for access to the s3:PutObject action.

For example, suppose the bucket policy explicitly denies s3:PutObject. Unless the request includes server-side encryption using AWS KMS or Amazon S3 encryption keys, we need to verify we use the correct encryption header to upload objects.

Here a bucket policy explicitly denies any access to s3:PutObject on the bucket awsdoc-example-bucket unless the upload request includes encryption with the AWS KMS key arn:aws:kms:us-east-1:111122223333:key:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}

4. Bucket ACL doesn't allow the root user to write objects

Suppose we use the root user account to upload objects to the S3 bucket. Then we need to verify that the bucket's ACL grants the root user access to Write objects.

5. AWS Organizations service control policy doesn’t allow access to Amazon S3

If we use AWS Organizations, we check the service control policies to ensure access to Amazon S3.

For example, the following policy can result in errors if we try to access Amazon S3. Because it explicitly denies access:

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "S3:*",
"Resource": "*"
}]
}

[Trying to fix AWS error? We are here for you. ]