Amazon S3 bucket returning 403 Forbidden

I know this is an old thread, but I just encountered the same problem. I had everything working for months and it just suddenly stopped working giving me a 403 Forbidden error. It turns out the system clock was the real culprit. I think s3 uses some sort of time-based token that has a very short lifespan. And in my case I just ran:

ntpdate pool.ntp.org

And the problem went away. I'm running CentOS 6 if it's of any relevance. This was the sample output:

19 Aug 20:57:15 ntpdate[63275]: step time server ip_address offset 438.080758 sec

Hope in helps!

It could also be that a proper policy needs to be set according to the AWS docs.

Give the bucket in question this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
    }
  ]
}

I had same problem just adding * at end of policy bucket resource solved it

{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
        "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Here's the Bucket Policy I used to make index.html file inside my S3 Bucket accessible from the internet:

I also needed to go to Permissions -> "Block Public Access" and remove the block public access rules for the bucket. Like so:

Also make sure the access permissions for the individual Objects inside each bucket is open to the public. Check that here:

Another "solution" here: I was using Buddy to automate uploading a github repo to an s3 bucket, which requires programmatic write access to the bucket. The access policy for the IAM user first looked like the following: (Only allowing those 6 actions to be performed in the target bucket).

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": ""arn:aws:s3:::<bucket_name>/*"
        }
    ]
}

My bucket access policy was the following: (allowing read/write access for the IAM user).

{
"Version": "2012-10-17",
"Id": "1234",
"Statement": [
    {
        "Sid": "5678",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::<IAM_user_arn>"
        },
        "Action": [
            "s3:DeleteObject",
            "s3:GetObject",
            "s3:GetObjectAcl",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::<bucket_name>/*"
    }

However, this kept giving me the 403 error.

My workaround solution was to give the IAM user access to all s3 resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "*"
        }
    ]
}

This got me around the 403 error, although clearly it doesn't sound like how it should be.

Since August the end of June 2023, TLS 1.2 or later is enforced on S3. https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

If your application connects to S3 over HTTPS, make sure it is configuered to use TLS 1.2.
Applications that use older TLS versions will get the 403 error (Could happen with .Net 4.5 and lower for example).

For .Net applications an easy solution would be to set the application to use .Net 4.6.2 at least in the app or web config.

One weird thing that fixed this for me after already setting up the correct permissions, was I removed the extension from the filename. So I had many items in the bucket all with the same permissions and some worked find and some returned 403. The only difference was the ones that didn't work had .png at the end of the filename. When I removed that they worked fine. No idea why.

For me, none of the other answers worked. File permissions, bucket policies, and clock were all fine. For me, the issue was intermittent, and while it may sound trite, the following have both worked for me previously:

1. Log out and log back in.
2. If you are trying to upload a single file, try to do a bulk upload. Conversely, if trying to upload a single file, try to do a bulk upload.

Just found the same issue on my side on my iPhone app. It was working completely fine with Android with same configuration and S3 setup but iPhone app was throwing an error. I reached Amazon support team with this issue, after checking logs on their end; they told me your iPhone has date and time. Then I went to settings of my iPhone and just adjusted correct date and time. Then I tried to upload new image and it worked as expected.

If you are having same issue and you have wrong date or time in your iphone or simulator; this may help you.

Thanks!

For me it was the Public access under Access Control tab.

just ensure the read and write permission under public access is Yes by default its - which means No.

Happy coding.

JFYI: am using flutter for my android development.

Make sure you use the correct AWS Profile!!!! (dev \ prod etc...)

I hit this error when trying to PUT a file to S3 from JavaScript using a URL presigned in Python. Turns out my Python needed the ContentType attribute.

Once I added that, the following worked:

import boto3
import requests

access_key_id = 'AKIA....'
secret_access_key = 'LfNHsQ....'
bucket = 'images-dev'
filename = 'pretty.png'

s3_client = boto3.client(
  's3',
  aws_access_key_id=access_key_id,
  aws_secret_access_key=secret_access_key
)

# sign url
response = s3_client.generate_presigned_url(
  ClientMethod = 'put_object',
  Params = {
    'Bucket': bucket,
    'Key': filename,
    'ContentType': 'image/png',
  }
)

print(" * GOT URL", response)

# NB: to run the PUT command in Python, one must remove the ContentType attr above!
# r = requests.put(response, data=open(filename, 'rb'))
# print(r.status_code)

Then one can PUT that image to S3 using that url from the client:

var xhr = new XMLHttpRequest();
xhr.open('PUT', url);
xhr.onreadystatechange = () => {
  if (xhr.readyState === 4) {
    if (xhr.status !== 200) {
      console.log('Could not upload file.');
    }
  }
};

xhr.send(file);

In my case, I was generating a signed url for upload and was receiving a 403 error.

The API to generate the signed url was on running on an ECS cluster which had task role assigned. The task role did not have access to PutObjectAcl for public read of the file and hence was receiving a 403 error.

Updating the task role for the cluster fixed the issues.

TLDR: For public read, check if credentials/Role/policy have PutObjectAcl permissions.

I'm not sure if this will help anyone, but we started getting "Access Forbidden" last week on code that had been working for months. I upgraded aws-sdk to v3 and had to create some new functions, and it started to work again.

If nothing here helps you just synchronize date and time on Windows. I also had the same error because the time is always wrong on my windows pc until I press the button Time > synchronize time.

Please also note: if your bucket has Server-side Encryption enabled with KMS, you will need to grant your role access to the relevant actions on that KMS key. This should work:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::${bucket_id}/*",
                "arn:aws:s3:::${bucket_id}"
            ]
        },
        {
            "Sid": "AllowKMS",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:${region}:${account_id}:key/${key_id}"
        }
    ]
}

This error can be tricky sometimes, as the error message, even when using --debug, does not always tell you the root cause. In my case, it was because I set the option 'requestor pays' on the S3 bucket. Took hours to figure that out. Here is a really good reference for S3 cross-account access denied errors https://repost.aws/knowledge-center/s3-cross-account-access-denied

The reasons it you can get an access denied are:

• The user's IAM policy doesn't grant access to the bucket.
• The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the AWS KMS key.
• A deny statement in the bucket policy or IAM policy is blocking the user's access.
• The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
• The AWS Organizations service control policy is blocking access to the bucket.
• The object doesn't belong to the AWS account that owns the bucket.
• You turned on Requester Pays for the bucket.
• You passed a session policy that's blocking access to the bucket.