5 votes

I have read/write/admin access to an S3 bucket I created. I can create objects in there and delete them as expected. Other folders exist on the bucket that were transferred there from another AWS account. I can't download any items from these folders. When I click on the files there is info stating "Server side encryption Access denied". When I attempt to remove this encryption it fails with the message:

Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: 93A26842904FFB2D; S3 Extended Request ID: OGQfxPPcd6OonP/CrCqfCIRQlMmsc8DwmeA4tygTGuEq18RbIx/psLiOfEdZHWbItpsI+M1yksQ=)

I'm confused as to what the issue is. I am the root user/owner of the bucket and would have thought I would be able to change the permissions/encryption of this material?

Thanks


2 Answers

4 votes

This is an interesting problem. I've seen this before when the KMS key that is required to decrypt the files isn't available/accessible. You can try moving the KMS key from the old account to the new account or making the key accessible from the old account.

https://aws.amazon.com/blogs/security/share-custom-encryption-keys-more-securely-between-accounts-by-using-aws-key-management-service/

5 votes

You must ensure that you remain the owner of the files in the S3 bucket and not the other AWS accounts that upload to it.

Example S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "allowNewDataToBeUploaded",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
            },
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*"
        },{
            "Sid": "ensureThatWeHaveOwnershipOfAllDataUploaded",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::$THE_EXTERNAL_ACCOUNT_NUMBER:root"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::$THE_BUCKET_NAME/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}

The external account must also use the x-amz-acl header in their request:

import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.services.s3.model.PutObjectRequest;

ObjectMetadata metaData = new ObjectMetadata();
metaData.setContentLength(byteArrayLength);
// Canned ACL that hands the bucket owner full control of the new object;
// without it the Deny statement in the bucket policy above rejects the PUT.
metaData.setHeader("x-amz-acl", "bucket-owner-full-control");

s3Client.putObject(new PutObjectRequest(bucketNameAndFolder, fileKey, fileContentAsInputStream, metaData));

Additional reading:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html

AWS S3 Server side encryption Access denied error

https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-owner-access/

https://docs.aws.amazon.com/cli/latest/reference/s3api/put-object.html

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html

https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUTacl.html
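The two answers describe two independent reasons the bucket owner can be locked out of an object: the object ACL still names the uploading account as owner (answer 2), or the object is SSE-KMS encrypted under a key that lives in the other account (answer 1). The following is an added example, not code from either answer: an offline triage helper that takes the kind of data `aws s3api head-object` and `aws s3api get-object-acl` return, reports which cause applies, and builds the KMS key-policy statement the key-owning account would need to add. The account numbers, canonical user IDs and key ARN in the sample data are constructed placeholders, and `diagnose`, `kms_key_account` and `kms_cross_account_statement` are names chosen here.

```python
"""Offline triage for the two cross-account S3 read failures discussed above.

Constructed inputs stand in for the JSON of `aws s3api head-object` and
`aws s3api get-object-acl`; nothing in this file talks to AWS.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Account ID embedded in a KMS key ARN: arn:aws:kms:REGION:ACCOUNT:key/KEY-ID
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:(\d{12}):key/[0-9a-z-]+$")


@dataclass(frozen=True)
class Finding:
    problem: str
    remedy: str


def kms_key_account(key_arn: str) -> Optional[str]:
    """Return the 12-digit account that owns a KMS key, or None if not a key ARN."""
    match = KMS_KEY_ARN.match(key_arn)
    return match.group(1) if match else None


def diagnose(bucket_owner_canonical_id: str, bucket_owner_account: str,
             head_object: dict, object_acl: dict) -> List[Finding]:
    """Explain why the bucket owner cannot read or re-encrypt an object.

    1. Object ACL owner != bucket owner: only the object owner may change the
       ACL or rewrite the object, so the bucket owner gets 403 (answer 2).
    2. SSE-KMS key in another account: S3 cannot call kms:Decrypt on the
       bucket owner's behalf unless that key's policy allows it (answer 1).
    """
    findings: List[Finding] = []

    owner_id = object_acl["Owner"]["ID"]
    if owner_id != bucket_owner_canonical_id:
        findings.append(Finding(
            problem=f"object owned by canonical user {owner_id}, not the bucket owner",
            remedy="uploading account must re-upload or put-object-acl with "
                   "x-amz-acl: bucket-owner-full-control",
        ))

    if head_object.get("ServerSideEncryption") == "aws:kms":
        key_arn = head_object.get("SSEKMSKeyId", "")
        key_account = kms_key_account(key_arn)
        if key_account and key_account != bucket_owner_account:
            findings.append(Finding(
                problem=f"SSE-KMS key {key_arn} belongs to account {key_account}",
                remedy="key-owning account must grant the bucket owner kms:Decrypt "
                       "in the key policy (and the bucket owner's IAM must allow it)",
            ))
    return findings


def kms_cross_account_statement(grantee_account: str) -> dict:
    """Key-policy statement the key-owning account adds so `grantee_account`
    can decrypt objects encrypted under the key. Key policies alone do not
    grant access across accounts: the grantee must also attach an IAM policy
    allowing the same actions on this key."""
    return {
        "Sid": "AllowBucketOwnerAccountToDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{grantee_account}:root"},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
    }


# Constructed sample data (placeholder IDs, not real accounts or keys).
BUCKET_OWNER_ID = "a" * 64          # canonical user ID of the bucket owner
BUCKET_OWNER_ACCOUNT = "111111111111"
OTHER_OWNER_ID = "b" * 64           # canonical user ID of the uploading account
SAMPLE_HEAD = {
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:222222222222:key/"
                   "1234abcd-12ab-34cd-56ef-1234567890ab",
}
SAMPLE_ACL = {"Owner": {"ID": OTHER_OWNER_ID}}

if __name__ == "__main__":
    for finding in diagnose(BUCKET_OWNER_ID, BUCKET_OWNER_ACCOUNT,
                            SAMPLE_HEAD, SAMPLE_ACL):
        print(f"PROBLEM: {finding.problem}\n  FIX: {finding.remedy}")
    print(kms_cross_account_statement(BUCKET_OWNER_ACCOUNT))
```

Run `diagnose` against the real `head-object` and `get-object-acl` output for one of the blocked keys to see which of the two fixes you actually need; a cross-account key with a correctly owned object only needs the key-policy change, while a wrongly owned object has to be rewritten by the account that owns it, because even the bucket owner cannot change another account's object ACL.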