Why am I getting a "403 Forbidden" error when I try to upload files in Amazon S3?


I'm trying to upload files to my Amazon Simple Storage Service (Amazon S3) bucket using the Amazon S3 console. However, I'm getting a "403 Forbidden" error.

Short description

The "403 Forbidden" error can occur due to the following reasons:

  • Permissions are missing for s3:PutObject to add an object or s3:PutObjectAcl to modify the object's ACL.
  • You don't have permission to use an AWS Key Management Service (AWS KMS) key.
  • There is an explicit deny statement in the bucket policy.
  • Amazon S3 Block Public Access is turned on.
  • An AWS Organizations service control policy doesn't allow access to Amazon S3.

Resolution

Check your permissions for s3:PutObject or s3:PutObjectAcl

Follow these steps:

  1. Open the AWS Identity and Access Management (IAM) console.
  2. Navigate to the identity that's used to access the bucket, such as User or Role. Choose the name of the identity.
  3. Choose the Permissions tab, and expand each policy to view its JSON policy document.
  4. In the JSON policy documents, search for policies related to Amazon S3 access. Then, confirm that you have permissions for the s3:PutObject or s3:PutObjectAcl actions on the bucket.

Ask for permission to use an AWS KMS key

To upload objects that are encrypted with AWS KMS, you must have permissions to perform AWS KMS actions. You must be able to perform kms:Decrypt and kms:GenerateDataKey actions at minimum.

Important: If you're uploading an object to a bucket in a different account, you can't use the AWS managed key aws/s3 as the default encryption key. This is because the AWS managed key policy can't be modified.

Check the bucket policy for explicit deny statements

Follow these steps:

  1. Open the Amazon S3 console.
  2. From the list of buckets, open the bucket you want to upload files to.
  3. Choose the Permissions tab.
  4. Choose Bucket policy.
  5. Search for statements with "Effect": "Deny".
  6. Review these statements and make sure that they don't prevent uploads to the bucket.

Important: Before saving a bucket policy with "Effect": "Deny", make sure to check for any statements that deny access to the S3 bucket. If you get locked out, see I accidentally denied everyone access to my Amazon S3 bucket. How do I regain access?

The following example statement explicitly denies access to s3:PutObject on example-bucket unless the upload request encrypts the object with an AWS KMS key whose ARN matches arn:aws:kms:us-east-1:111122223333:key/*:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStmt",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotLikeIfExists": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/*"
        }
      },
      "Principal": "*"
    }
  ]
}
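To see which uploads a Deny statement like this one catches, the following added example (not AWS code and not part of the original article) evaluates the Deny statements of a bucket policy against a described request, offline. It is a simplified model: the function names are hypothetical, only the String* condition operators are handled, the Principal, NotAction and NotResource elements are ignored, and context keys are expected in lowercase.

```python
import json, re

def _like(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags | re.S) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(condition, context):
    # Operators and keys are ANDed; only the String* operators are handled.
    for op, keys in condition.items():
        base = op[:-len("IfExists")] if op.endswith("IfExists") else op
        if base not in ("StringEquals", "StringNotEquals", "StringLike", "StringNotLike"):
            raise ValueError(f"{op}: review this condition by hand")
        negated = "Not" in base
        for key, wanted in keys.items():
            actual = context.get(key.lower())
            if actual is None:
                # Absent key: negated and ...IfExists operators evaluate to true.
                if negated or base != op:
                    continue
                return False
            hit = any(_like(w, actual) if "Like" in base else w == actual
                      for w in _as_list(wanted))
            if hit == negated:
                return False
    return True

def denying_statements(policy, action, resource, context):
    # Sids of the Deny statements that apply to the described request.
    hits = []
    for i, st in enumerate(_as_list(policy["Statement"])):
        if (st.get("Effect") == "Deny"
                and any(_like(a, action, re.I) for a in _as_list(st.get("Action", [])))
                and any(_like(r, resource) for r in _as_list(st.get("Resource", [])))
                and _condition_holds(st.get("Condition", {}), context)):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits

# The example bucket policy from this page.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "ExampleStmt", "Action": ["s3:PutObject"], "Effect": "Deny",
  "Resource": "arn:aws:s3:::example-bucket/*", "Principal": "*",
  "Condition": {"StringNotLikeIfExists": {
    "s3:x-amz-server-side-encryption-aws-kms-key-id":
      "arn:aws:kms:us-east-1:111122223333:key/*"}}}]}""")
```

Calling denying_statements with an empty context models an upload that sends no x-amz-server-side-encryption-aws-kms-key-id header; the statement still applies, because a negated operator evaluates to true when the key is absent.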

Remove the public ACL from your request or disable S3 Block Public Access

If you're passing a public ACL, such as public-read or authenticated-read, in your PUT request, it makes the S3 object public. If the S3 Block Public Access feature is turned on for this account or bucket, then your upload request is denied.

Note: It's not a best practice to make an object public unless your use case requires it.

To successfully upload the object as a publicly available object, modify the S3 Block Public Access feature as required. If your use case doesn't require making the object publicly available, then remove the mentioned public ACL from the PUT request.

For configuring the S3 Block Public Access settings at the account level, see Configuring block public access settings for your account. For configuring settings at the bucket level, see Configuring block public access settings for your S3 buckets. Also, see The meaning of "public".

Review service control policies for AWS Organizations

If you use AWS Organizations, check if the service control policies explicitly deny S3 actions. If so, modify the policy as desired.

Related information

How do I troubleshoot 403 Access Denied errors from Amazon S3?

How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?

AWS OFFICIAL
Updated a year ago