Access Denied (Service: Amazon S3; Status Code: 403; error Code: AccessDenied proxy null)

I am trying to access my s3 bucket using a application deployed on my tomcat running on ec2.

I could see lots of posts related to this, but look like most of them complaint about not having proper access. I have proper access to all buckets, I am able to upload the file from another application using different application like jenkins s3 plugin without any issues. I am clueless why this should happen only for a java web application deployed on tomcat. I have confirmed below things.

1. The ec2 instance was created with an IAM role.
2. The IAM role has write access to bucket. The puppet scripts is able to write to bucket.
3. Tried with other application to check the IAM role and it is working fine with out any issues.

As per my understanding if I do not specify any credentials while creating the S3 bucket client(AmazonS3Client ),it will take the IAM role authentication as default.

This is a sample function which I wrote to test the permission.

public boolean checkWritePermission(String bucketName) { AmazonS3Client amazonS3Client=new AmazonS3Client(); LOG.info("Checking bucket write permission....."); boolean hasWritePermissions = false; final ObjectMetadata metadata = new ObjectMetadata(); metadata.setContentLength(0); // Create empty content final InputStream emptyContent = new ByteArrayInputStream(new byte[0]); // Create a PutObjectRequest with test object final PutObjectRequest putObjectRequest = new PutObjectRequest(bucketName, "TestDummy.txt", emptyContent, metadata); try { if (amazonS3Client.putObject(putObjectRequest) != null) { LOG.info("Permissions validated!"); // User has write permissions, TestPassed. hasWritePermissions = true; } } catch (AmazonClientException s3Ex) { LOG.warn("Write permissions not available!", s3Ex.getMessage()); LOG.error("Write permissions not available!", s3Ex); } return hasWritePermissions; }

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: xxxxxxxxxxxxxx).

Why am I getting a "403 Access Denied" error when I try to modify a bucket policy in Amazon S3?

Last updated: 2022-05-16

I keep getting a "403 Access Denied" error when I try to modify the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket.

Short description

The "403 Access Denied" error can occur due to the following reasons:

• Your AWS Identity and Access Management (IAM) user or role doesn't have permissions for both s3:GetBucketPolicy and s3:PutBucketPolicy.
• The bucket policy denies your IAM identity permission for s3:GetBucketPolicy and s3:PutBucketPolicy.
• Amazon S3 Block Public Access is enabled.
• AWS Organizations service control policies don't allow Amazon S3 access.

To resolve these issues:

• Check that the IAM user or role has s3:Get:BucketPolicy permission to view the bucket policy and s3:PutBucketPolicy permission to edit it. Add an IAM user policy to grant you access if one doesn't exist.
• If you're denied permissions, then use another IAM identity that has bucket access, and edit the bucket policy. Or, delete and recreate the bucket policy if no one has access to it.
• If you're trying to add a public read policy, then disable the bucket's S3 Block Public Access.
• If you use AWS Organizations, then verify that you don't have any service control policies that explicitly deny S3 actions. Also, confirm that you can add exceptions for your operation.

Resolution

Check your permissions for s3:GetBucketPolicy and s3:PutBucketPolicy

Follow these steps:

1.    Open the IAM console.

2.    Select the identity that's used to access the bucket policy, such as User or Role.

3.    Select the IAM identity name that you're using to access the bucket policy.

4.    In the Permissions tab of your IAM identity, expand each policy to view its JSON policy document.

5.    In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:GetBucketPolicy and s3:PutBucketPolicy actions on the bucket.

The following example IAM policy allows the IAM identity to perform the s3:GetBucketPolicy and s3:PutBucketPolicy actions on DOC-EXAMPLE-BUCKET:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ModifyBucketPolicy", "Action": [ "s3:GetBucketPolicy", "s3:PutBucketPolicy" ], "Effect": "Allow", "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET" }, { "Sid": "AccessS3Console", "Action": [ "s3:GetBucketLocation", "s3:ListAllMyBuckets" ], "Effect": "Allow", "Resource": "arn:aws:s3:::*" } ] }

Note: The AccessS3Console statement in the preceding IAM policy grants Amazon S3 console access. It isn't specific to modifying a bucket policy.

6.    In the JSON policy documents, search for statements with "Effect": "Deny". Then, confirm that these statements don't deny your IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Add a bucket policy if it doesn't exist

If you can't find policies that grant s3:GetBucketPolicy or s3:PutBucketPolicy permissions, then add a policy to grant them to your IAM identity. If you find policies that deny access to s3:GetBucketPolicy or s3:PutBucketPolicy, then remove these policies. For instructions on modifying your IAM permissions, see Changing permissions for an IAM user.

Use another IAM identity that has bucket access and modify the bucket policy

Follow these steps to modify the bucket policy:

1.    Open the Amazon S3 console.

2.    From the list of buckets, open the bucket with the bucket policy that you want to change.

3.    Choose the Permissions tab.

4.    Choose Bucket policy.

5.    Search for statements with "Effect": "Deny".

6.    Edit the bucket policy to update any "Effect": "Deny" statements that deny the IAM identity access to s3:GetBucketPolicy or s3:PutBucketPolicy.

Delete and recreate the bucket policy if it denies everyone access

If the bucket policy denies everyone access to s3:GetBucketPolicy, s3:PutBucketPolicy, or all Amazon S3 actions (s3:*), then delete the bucket policy. If you can't delete the bucket policy, then try deleting the policy as the AWS account root user. After the policy is deleted, you can create a new bucket policy.

Disable S3 Block Public Access

If your bucket policy grants public access, then check if S3 Block Public Access is enabled on the bucket and disable it. To prevent future denied access to S3 buckets that you make public, confirm that you don't have S3 Block Public Access enabled for the account.

Note: Before disabling S3 Block Public Access at the account level, confirm that it's enabled at the bucket level for private buckets to prevent unwanted public access.

For AWS Organizations, delete service control policies that don't allow Amazon S3 access

If you're using AWS Organizations, then check the service control policies for any statements that explicitly deny the s3:PutBucketPolicy action or any other S3 action. Delete the service control policies that explicitly deny S3 actions in accordance to your organization's security policies.

For example, the following policy denies access to all S3 actions:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "s3:*", "Resource": "*" } ] }

---

Did this article help?

---

Do you need billing or technical support?

AWS support for Internet Explorer ends on 07/31/2022. Supported browsers are Chrome, Firefox, Edge, and Safari. Learn more »

How do I fix 403 forbidden on AWS s3?

How do I fix an AWS s3 bucket policy and Public permissions access denied error?

Why is s3 object URL Access Denied?