Recently, one of our customers was trying to upload files to Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console.
However, he came across an HTTP 403 Forbidden error instead.
If you are getting the 403 Forbidden error when connecting to Amazon S3 storage check if your access key ID has permission to list the available buckets.
Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related AWS queries.
In this context, we shall look into methods to troubleshoot this AWS error.
To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, we need to check:
1. Missing permissions to s3:PutObject or s3:PutObjectAcl
2. Missing permissions to use an AWS KMS key
3. Explicit deny statement in the bucket policy
We need to check the bucket policy for any statements that explicitly deny permission for s3:PutObject unless it meets certain conditions.
The upload should meet the bucket policy requirements for access to the s3:PutObject action.
For example, suppose the bucket policy explicitly denies s3:PutObject. Unless the request includes server-side encryption using AWS KMS or Amazon S3 encryption keys, we need to verify we use the correct encryption header to upload objects.
Here a bucket policy explicitly denies any access to s3:PutObject on the bucket awsdoc-example-bucket unless the upload request includes encryption with the AWS KMS key arn:aws:kms:us-east-1:111122223333:key:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExampleStmt",
"Action": [
"s3:PutObject"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::awsdoc-example-bucket/*",
"Condition": {
"StringNotLikeIfExists": {
"s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
}
},
"Principal": "*"
}
]
}
4. Bucket ACL doesn't allow the root user to write objects
Suppose we use the root user account to upload objects to the S3 bucket. Then we need to verify that the bucket's ACL grants the root user access to Write objects.
5. AWS Organizations service control policy doesn’t allow access to Amazon S3
If we use AWS Organizations, we check the service control policies to ensure access to Amazon S3.
For example, the following policy can result in errors if we try to access Amazon S3. Because it explicitly denies access:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"Action": "S3:*",
"Resource": "*"
}]
}
This article covers methods to fix HTTP 403 Forbidden error for our customers.
To troubleshoot the HTTP 403 Forbidden error from the Amazon S3 console, check the following: