S3 File Permissions

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-file-folder/

Why can’t I access a specific folder or file in my Amazon S3 bucket?

Last updated: 2019-05-28

I can’t access a certain prefix or object that’s in my Amazon Simple Storage Service (Amazon S3) bucket. I can access the rest of the data in the bucket. How can I fix this?

Short Description

Check the following permissions for any settings that are denying your access to the prefix or object:

  • Ownership of the prefix or object
  • Restrictions in the bucket policy
  • Restrictions in your AWS Identity and Access Management (IAM) user policy
  • Permissions to objects encrypted by AWS Key Management Service (AWS KMS)

Resolution

Ownership of the prefix or object

By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. If other accounts can upload to your bucket, follow these steps to get permissions to the object or prefix that you can’t access:

1.    Run this AWS Command Line Interface (AWS CLI) command to get the Amazon S3 canonical ID for your account:

aws s3api list-buckets --query Owner.ID

2.    Run this command to get the Amazon S3 canonical ID of the account that owns the object you can’t access:

aws s3api list-objects --bucket awsexamplebucket --prefix index.html

3.    If the canonical IDs don’t match, then you (the bucket owner) don’t own the object. For an individual object, the object owner can grant you full control by running this put-object-acl command:

aws s3api put-object-acl --bucket bucket-name --key object-name --acl bucket-owner-full-control

For objects within a prefix, the object owner must re-copy the prefix and grant you full control of the objects as part of the operation. For example, the object owner can run this cp command with the --acl bucket-owner-full-control parameter:

aws s3 cp s3://awsexamplebucket/abc/ s3://awsexamplebucket/abc/ --acl bucket-owner-full-control --recursive --storage-class STANDARD

Tip: You can use a bucket policy to require that other accounts grant you ownership of objects they upload to your bucket.

Restrictions in the bucket policy

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the policy that you want to review.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with “Effect”: “Deny”. Then, review those statements for references to the prefix or object that you can’t access.

For example, this bucket policy denies everyone access to the abc/* prefix in awsexamplebucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StatementPrefixDeny",
            "Effect": "Deny",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::awsexamplebucket/abc/*"
        }
    ]
}

6.    Modify the bucket policy to edit or remove any “Effect”: “Deny” statements that are incorrectly denying you access to the prefix or object.

Restrictions in your IAM user policy

1.    Open the IAM console.

2.    From the console, open the IAM user or role that you’re using to access the prefix or object.

3.    In the Permissions tab of your IAM user or role, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, search those policies for any “Effect”: “Deny” statements that are blocking your access to the prefix or object.

For example, the following IAM policy has an “Effect”: “Deny” statement that blocks the IAM identity’s access to the prefix abc/* within awsexamplebucket. Then, the policy also has an “Effect”: “Allow” statement that grants access to awsexamplebucket. Despite the allow statement for the entire bucket, the explicit deny statement prevents the IAM identity from accessing the prefix abc/*.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StatementPrefixDeny",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket/abc/*"
            ]
        },
        {
            "Sid": "StatementFullPermissionS3",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::awsexamplebucket",
                "arn:aws:s3:::awsexamplebucket/*"
            ]
        }
    ]
}

5.    Modify the policy to edit or remove any “Effect”: “Deny” statements that are incorrectly denying you access to the prefix or object.

Permissions to objects encrypted by AWS KMS

If an object is encrypted with an AWS KMS key, then you need permissions to both the object and the key. Follow these steps to check if you can’t access the object because you need permissions to an AWS KMS key:

1.    Use the Amazon S3 console to view the properties of one of the objects that you can’t access. Review the object’s Encryption properties.

2.    If the object is encrypted with a custom AWS KMS customer master key (CMK), then

"Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
],

3.    If your IAM identity is missing permissions to any of these actions, modify the key policy to grant the missing permissions.

Important: If your IAM identity and the KMS key belong to different accounts, then both your IAM policy and the key policy must grant you permissions to the required KMS actions.
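The deny-statement search in the bucket policy and IAM policy steps above, and the KMS key policy check, can be scripted against the policy JSON instead of reading it by eye. This is an added example, not AWS tooling or code from this article: it embeds the article's IAM policy as constructed input, uses the KMS action list from step 2 above, and the function names and the simplified evaluation (no Principal, Condition, NotAction or NotResource handling) are this example's own assumptions.

```python
import json
import re

# Constructed sample: the IAM policy shown above (explicit Deny on abc/* next to a
# bucket-wide Allow), embedded so the script runs offline.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "StatementPrefixDeny", "Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::awsexamplebucket/abc/*"]},
    {"Sid": "StatementFullPermissionS3", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::awsexamplebucket", "arn:aws:s3:::awsexamplebucket/*"]}
  ]
}""")

# The KMS actions the article says the key policy must grant to your identity.
REQUIRED_KMS_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"]

def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value] if value is not None else []

def _wild(pattern, text):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text) is not None

def evaluate(policy, action, resource):
    """Return (decision, sids). An explicit Deny beats any Allow; with no matching
    statement the request is implicitly denied. Assumption: Principal, Condition,
    NotAction and NotResource are not modelled, so pre-filter a bucket or key policy
    to the statements whose Principal covers your identity before calling this."""
    denies, allows = [], []
    for st in policy["Statement"]:
        action_hit = any(_wild(a.lower(), action.lower()) for a in _as_list(st.get("Action")))
        resource_hit = any(_wild(r, resource) for r in _as_list(st.get("Resource")))
        if action_hit and resource_hit:
            (denies if st["Effect"] == "Deny" else allows).append(st.get("Sid", "<no Sid>"))
    if denies:
        return "explicit deny", denies
    return ("allow", allows) if allows else ("implicit deny", [])

def missing_kms_actions(key_policy, key_arn):
    """Required KMS actions the key policy does not allow on key_arn (wildcard entries
    such as kms:ReEncrypt* are checked as written, so the policy must cover the range)."""
    return [a for a in REQUIRED_KMS_ACTIONS if evaluate(key_policy, a, key_arn)[0] != "allow"]
```

Running `evaluate(IAM_POLICY, "s3:GetObject", "arn:aws:s3:::awsexamplebucket/abc/index.html")` reports the explicit deny from StatementPrefixDeny even though StatementFullPermissionS3 allows the whole bucket, which is exactly the situation step 4 asks you to look for.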
