Why am I getting an Access Denied error message when I upload files to my Amazon S3 bucket that has AWS KMS default encryption?


My Amazon Simple Storage Service (Amazon S3) bucket has AWS Key Management Service (AWS KMS) default encryption. I'm trying to upload files to the bucket, but Amazon S3 returns an Access Denied error message. How can I fix this?

Resolution

First, confirm:

Then, update the AWS KMS permissions of your IAM user or role based on the error message that you receive.

Important:

  • If the AWS KMS key and IAM role belong to different AWS accounts, then the IAM policy and KMS key policy must be updated. Make sure to add the KMS permissions to both the IAM policy and KMS key policy.
  • To use an IAM policy to control access to a KMS key, the key policy for the KMS key must give the account permission to use IAM policies.

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

Follow these steps to add permission for kms:GenerateDataKey:

1.    Open the IAM console.

2.    Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket.

3.    In the Permissions tab, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for the kms:GenerateDataKey action on the bucket's AWS KMS key.

5.    If this permission is missing, then add the permission to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).

6.    In the JSON policy documents, look for statements with "Effect": "Deny". Confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey action on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies.

"An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied"

This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey and kms:Decrypt actions.

Follow these steps to add permissions for kms:GenerateDataKey and kms:Decrypt:

1.    Open the IAM console.

2.    Choose the IAM user or role that you're using to upload files to the Amazon S3 bucket.

3.    In the Permissions tab, expand each policy to view its JSON policy document.

4.    In the JSON policy documents, look for policies related to AWS KMS access. Review statements with "Effect": "Allow" to check if the user or role has permissions for the kms:GenerateDataKey and kms:Decrypt actions on the bucket's AWS KMS key.

5.    If these permissions are missing, then add the permissions to the appropriate policy. For instructions, see Adding permissions to a user (console) or Modifying a role permissions policy (console).

6.    In the JSON policy documents, look for statements with "Effect": "Deny". Then, confirm that those statements don't deny the s3:PutObject action on the bucket. The statements must not deny the IAM user or role access to the kms:GenerateDataKey and kms:Decrypt actions on the key used to encrypt the bucket. Also, the required KMS and S3 permissions must not be restricted when using VPC endpoint policies, service control policies, permissions boundaries, or session policies.
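The review in step 4 and step 6 of both procedures can be scripted against an identity policy document. The following checker is an added example, not code from the article or from AWS; the key and bucket ARNs and the sample policy are constructed, and it models only the identity policy (not the key policy, SCPs, VPC endpoint policies, permissions boundaries or session policies, which AWS evaluates separately).

```python
import fnmatch
import json

# Constructed sample identity policy with assumed ARNs (not from the article):
# it allows the upload and kms:GenerateDataKey, but explicitly denies kms:Decrypt.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
BUCKET_ARN = "arn:aws:s3:::example-bucket"
POLICY_DOC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey"], "Resource": KEY_ARN},
        {"Effect": "Deny", "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

# KMS actions the article lists per failing S3 operation; both also need s3:PutObject.
REQUIRED_KMS = {
    "PutObject": ["kms:GenerateDataKey"],
    "CreateMultipartUpload": ["kms:GenerateDataKey", "kms:Decrypt"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # Action and Resource accept * and ? wildcards; action names are case-insensitive.
    if fold_case:
        patterns, value = [p.lower() for p in _as_list(patterns)], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _covers(stmt, action, resource):
    # NotAction/NotResource and Condition are not modelled; review those statements by hand.
    return ("Action" in stmt and _matches(stmt["Action"], action, fold_case=True)
            and "Resource" in stmt and _matches(stmt["Resource"], resource))

def missing_permissions(policy_json, operation, key_arn, object_arn):
    """Return the actions for `operation` that the identity policy does not allow,
    or explicitly denies. An explicit Deny wins over any Allow, as in IAM."""
    statements = json.loads(policy_json)["Statement"]
    needed = [("s3:PutObject", object_arn)] + [(a, key_arn) for a in REQUIRED_KMS[operation]]
    problems = []
    for action, resource in needed:
        effects = {s.get("Effect") for s in statements if _covers(s, action, resource)}
        if "Deny" in effects:
            problems.append(f"{action}: explicitly denied")
        elif "Allow" not in effects:
            problems.append(f"{action}: no Allow statement")
    return problems
```

With the sample policy, `missing_permissions(POLICY_DOC, "PutObject", KEY_ARN, BUCKET_ARN + "/uploads/report.csv")` returns an empty list, while the same call for `"CreateMultipartUpload"` reports that kms:Decrypt is explicitly denied, matching the two error cases above.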


Related information

Setting default server-side encryption behavior for Amazon S3 buckets

AWS OFFICIAL
Updated 2 years ago