How can I troubleshoot an S3AccessDenied error from my file gateway's CloudWatch health logs?


I want to access my Network File System (NFS) or Server Message Block (SMB) file share on AWS Storage Gateway. However, my file gateway's health logs from Amazon CloudWatch show an S3AccessDenied error.

Resolution

To resolve an S3AccessDenied error, review the permissions policies that are associated with your file share. Then, add any required permissions that are missing. Identify the permissions that you must review based on when you get the Access Denied error:

  • Creating the file share and the file share is stuck in the creating or unavailable state
  • Writing files to the file share
  • Reading files from the file share

Creating the file share and the file share is stuck in the creating or unavailable state

You can receive the Access Denied error when you create the file share and it gets stuck in the creating or unavailable state. The CloudWatch log looks similar to the following example:

{
  "severity": "ERROR",
  "bucket": "AWSDOC-EXAMPLE-BUCKET",
  "prefix": "",
  "roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRolec6914add-b232-40dc-abef-4a9eeaaed8",
  "source": "share-ABCD1234",
  "type": "S3AccessDenied",
  "operation": "s3:ListObjects",
  "gateway": "sgw-ABCD1234",
  "timestamp": "1597486809991"
}

Review the following permissions settings:

1.    Check the AWS Identity and Access Management (IAM) role that's associated with your file share. It must have the following permissions for the associated Amazon Simple Storage Service (Amazon S3) bucket:

  • s3:GetBucketLocation
  • s3:ListBucket

2.    Review the bucket policy of the associated bucket. Confirm that there are no explicit deny statements ("Effect": "Deny") that block the access needed for the following permissions:

  • s3:GetBucketLocation
  • s3:ListBucket

3.    If the Amazon Virtual Private Cloud (Amazon VPC) that the file gateway is in uses an Amazon S3 VPC endpoint, then review the endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

Writing files to the file share

If you get the Access Denied error when you write files to the file share, then the CloudWatch log looks similar to the following example:

{
  "severity": "ERROR",
  "bucket": "AWSDOC-EXAMPLE-BUCKET",
  "prefix": "/test1",
  "roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRole0617b6ee-4809-48bc-b646-8dda9e9c32",
  "source": "share-ABCD1234",
  "type": "S3AccessDenied",
  "operation": "S3Upload",
  "gateway": "sgw-ABCD1234",
  "timestamp": "1597493322178"
}

Review the following permissions settings:

1.    Check the IAM role that's associated with your file share. Confirm that it has the following permissions for the associated Amazon S3 bucket:

  • s3:PutObject
  • s3:PutObjectAcl

2.    Review the bucket policy of the associated bucket. Confirm that there are no explicit deny statements ("Effect": "Deny") that block the access that you need for the following permissions:

  • s3:PutObject
  • s3:PutObjectAcl

3.    If the Amazon VPC that the file gateway is in uses an Amazon S3 VPC endpoint, then review the VPC endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

4.    If the associated S3 bucket is encrypted with AWS Key Management Service (AWS KMS), then review the encryption key's policy. The key policy must grant the following permissions to the IAM role that's associated with your file share:

  • kms:Decrypt
  • kms:Encrypt
  • kms:ReEncryptFrom
  • kms:ReEncryptTo
  • kms:GenerateDataKey
  • kms:DescribeKey

Review the file share's IAM role and the AWS KMS key. If they belong to different AWS accounts, then these permissions must be set within both the key policy and the IAM role's policy.

Reading files from the file share

If you get the Access Denied error when you read files from the file share, the CloudWatch log looks similar to the following example:

{
  "severity": "ERROR",
  "bucket": "AWSDOC-EXAMPLE-BUCKET",
  "prefix": "/test1",
  "roleArn": "arn:aws:iam::123456789:role/service-role/StorageGatewayBucketAccessRole0617b6ee-4809-48bc-b646-8dda9e9c32",
  "source": "share-ABCD1234",
  "type": "S3AccessDenied",
  "operation": "s3:HeadObject",
  "gateway": "sgw-ABCD12347",
  "timestamp": "1597488260202"
}

Review the following permissions settings:

1.    Check the IAM role that's associated with your file share. Confirm that it has the following permissions for the associated Amazon S3 bucket:

  • s3:GetObject
  • s3:GetObjectAcl

2.    Review the bucket policy of the associated bucket. Confirm that there are no explicit deny statements ("Effect": "Deny") that block the access that you need for the following permissions:

  • s3:GetObject
  • s3:GetObjectAcl

3.    If the Amazon VPC that the file gateway is in uses an Amazon S3 VPC endpoint, then review the VPC endpoint policy. Confirm that the policy allows your file gateway to access the S3 bucket and objects.

4.    If the associated S3 bucket is encrypted with AWS KMS, then review the encryption key's policy. The key policy must grant the following permissions to the IAM role that's associated with your file share:

  • kms:Decrypt
  • kms:Encrypt
  • kms:ReEncryptFrom
  • kms:ReEncryptTo
  • kms:GenerateDataKey
  • kms:DescribeKey

Review the file share's IAM role and the AWS KMS key. If they belong to different AWS accounts, then these permissions must be set within both the key policy and the IAM role's policy.

Note: The following is an example IAM policy. It grants your file share the required permissions for listing a bucket, as well as uploading, downloading, and deleting objects from the bucket (AWSDOC-EXAMPLE-BUCKET):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["s3:GetAccelerateConfiguration", "s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"],
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
    "Effect": "Allow"
  }, {
    "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion", "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl"],
    "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*",
    "Effect": "Allow"
  }]
}
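The three checklists above all follow the same pattern: read the failing operation from the health-log entry, work out which S3 permissions that stage needs, then confirm the role policy allows them and the bucket policy does not explicitly deny them. The following Python script is an added example (not AWS code) that automates that triage offline. The role policy it evaluates is the article's example policy above; the bucket policy and the two log lines are constructed for the demonstration. Its policy evaluation is deliberately simplified: an explicit Deny wins, any matching Allow otherwise grants, Principal is not checked, and statements that use Condition, NotAction or NotResource are skipped and flagged for manual review rather than evaluated.

```python
"""Triage a Storage Gateway S3AccessDenied health-log entry against the file
share's IAM role policy and the bucket policy, using the checks this article
lists. Added example, not AWS code. Policy evaluation is a simplified model:
an explicit Deny wins, otherwise any matching Allow grants; Principal is not
checked, and statements using Condition, NotAction or NotResource are skipped
and flagged for manual review.
"""
import fnmatch
import json

# Failing operation from the log -> S3 permissions the article says to verify.
REQUIRED_ACTIONS = {
    "s3:listobjects": ("s3:GetBucketLocation", "s3:ListBucket"),  # creating the share
    "s3upload": ("s3:PutObject", "s3:PutObjectAcl"),              # writing files
    "s3:headobject": ("s3:GetObject", "s3:GetObjectAcl"),         # reading files
}
BUCKET_LEVEL_ACTIONS = {"s3:getbucketlocation", "s3:listbucket"}
# KMS permissions the key policy must grant to the role when the bucket is encrypted.
KMS_ACTIONS = ("kms:Decrypt", "kms:Encrypt", "kms:ReEncryptFrom",
               "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:DescribeKey")

# The article's example role policy, embedded as sample input.
EXAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET",
     "Action": ["s3:GetAccelerateConfiguration", "s3:GetBucketLocation",
                "s3:GetBucketVersioning", "s3:ListBucket", "s3:ListBucketVersions",
                "s3:ListBucketMultipartUploads"]},
    {"Effect": "Allow", "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*",
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:DeleteObjectVersion",
                "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectVersion",
                "s3:ListMultipartUploadParts", "s3:PutObject", "s3:PutObjectAcl"]}]}

# Constructed bucket policy with an explicit deny that would produce the write-time error.
CONSTRUCTED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ConstructedDeny", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObjectAcl", "Resource": "arn:aws:s3:::AWSDOC-EXAMPLE-BUCKET/*"}]}

# Constructed health-log lines in the shape of the article's examples (role name is a placeholder).
CREATE_LOG_LINE = json.dumps({
    "severity": "ERROR", "bucket": "AWSDOC-EXAMPLE-BUCKET", "prefix": "",
    "roleArn": "arn:aws:iam::123456789:role/service-role/EXAMPLE-ROLE",
    "source": "share-ABCD1234", "type": "S3AccessDenied", "operation": "s3:ListObjects",
    "gateway": "sgw-ABCD1234", "timestamp": "1597486809991"})
WRITE_LOG_LINE = json.dumps({
    "severity": "ERROR", "bucket": "AWSDOC-EXAMPLE-BUCKET", "prefix": "/test1",
    "roleArn": "arn:aws:iam::123456789:role/service-role/EXAMPLE-ROLE",
    "source": "share-ABCD1234", "type": "S3AccessDenied", "operation": "S3Upload",
    "gateway": "sgw-ABCD1234", "timestamp": "1597493322178"})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Case-insensitive glob match, covering the '*' and '?' wildcards IAM policies use."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy, action, resource):
    """Return ('allow' | 'explicit-deny' | 'implicit-deny', needs_manual_review)."""
    verdict, needs_review = "implicit-deny", False
    for stmt in _as_list(policy.get("Statement")):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            needs_review = True  # outside this simplified model; check by hand
            continue
        hit = (any(_matches(a, action) for a in _as_list(stmt.get("Action")))
               and any(_matches(r, resource) for r in _as_list(stmt.get("Resource"))))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "explicit-deny", needs_review  # an explicit deny always wins
        verdict = "allow"
    return verdict, needs_review


def resource_for(entry, action):
    """Bucket ARN for bucket-level actions, otherwise the object ARN under the share prefix."""
    bucket_arn = f"arn:aws:s3:::{entry['bucket']}"
    if action.lower() in BUCKET_LEVEL_ACTIONS:
        return bucket_arn
    prefix = entry.get("prefix", "").strip("/")
    return f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"


def triage(log_line, role_policy, bucket_policy, kms_encrypted=False):
    """Map one health-log line to per-permission findings; None if it is not an S3AccessDenied."""
    entry = json.loads(log_line)
    if entry.get("type") != "S3AccessDenied":
        return None
    findings = {}
    for action in REQUIRED_ACTIONS.get(entry["operation"].lower(), ()):
        resource = resource_for(entry, action)
        role_verdict, role_review = evaluate(role_policy, action, resource)
        bucket_verdict, bucket_review = evaluate(bucket_policy, action, resource)
        findings[action] = {
            "resource": resource,
            "role_policy": role_verdict,        # must be 'allow'
            "bucket_policy": bucket_verdict,    # must not be 'explicit-deny'
            "manual_review": role_review or bucket_review,
            "ok": role_verdict == "allow" and bucket_verdict != "explicit-deny",
        }
    # The KMS checklist applies to the write and read stages, not to share creation.
    kms_required = kms_encrypted and entry["operation"].lower() != "s3:listobjects"
    return {"gateway": entry["gateway"], "share": entry["source"],
            "operation": entry["operation"], "s3": findings,
            "kms_key_must_grant": list(KMS_ACTIONS) if kms_required else []}


if __name__ == "__main__":
    for line in (CREATE_LOG_LINE, WRITE_LOG_LINE):
        print(json.dumps(triage(line, EXAMPLE_ROLE_POLICY, CONSTRUCTED_BUCKET_POLICY,
                                kms_encrypted=True), indent=2))
```

Run against the constructed write-time entry, the script reports s3:PutObject as satisfied and s3:PutObjectAcl as blocked by the bucket policy's explicit deny, which is exactly the step 2 finding the write checklist asks you to look for. Feed it your real role policy and bucket policy (for example, the JSON returned by `aws iam get-role-policy` and `aws s3api get-bucket-policy`) and the log line copied from CloudWatch; any entry flagged `manual_review` has a conditional statement that you still need to read yourself.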

Related information

Understanding CloudWatch Alarms

AWS OFFICIAL
Updated 9 months ago