7 votes
  • I have two AWS accounts, A and B, and I am syncing the S3 bucket SourceS3Bucket in account A to DestinationS3Bucket in account B.
  • The following bucket policy is applied on the destination bucket; it allows the source AWS account to sync content into DestinationS3Bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionsToAAccount",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXX:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::DestinationS3Bucket",
                "arn:aws:s3:::DestinationS3Bucket/*"
            ]
        }
    ]
}
  • The sync has been working perfectly for a long time and it still works, but for the last few days the files in DestinationS3Bucket are not accessible, with an "Access denied" error shown under Server side encryption.
  • I have verified that there is no encryption (default encryption: none) on SourceS3Bucket or DestinationS3Bucket, and I am using the source AWS account's access key and secret key to sync the content. Thanks in advance.
When you get this error, are you using credentials of the source account or the destination account? The file owner is the source account. Check the S3 ACL on a problem file. – John Hanley
The credentials used are from the source AWS account. The error was showing in the AWS S3 console at file level under "Server side encryption" as Access denied instead of None, AES-256 or AWS-KMS. The file owner was the source account. Yes, the issue was with the ACL. It worked with the "--acl bucket-owner-full-control" flag. Thanks John :) – Nitin
Thanks @Nitin. I created an answer based upon this solution. – John Hanley

3 Answers

25 votes

When you copy files from one S3 bucket in account A using credentials of account A to a bucket in account B, the owner of the files in the destination bucket will be account A. (Account A is the principal that created the files in account B's bucket).

During the file copy from source to destination bucket, add the --acl bucket-owner-full-control option so that account B can control the files. Otherwise you might have files in account B's bucket that account B cannot access or control.

Another option is to use the credentials of account B to copy from the source to the destination bucket. This way the owner of the copied files is account B.

2 votes

The solution provided by John Hanley works, but it does not immediately change the ownership. You would need to execute a separate command to change it.

First Step:

aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control

Second Step:

aws s3 cp s3://yourbucket s3://yourbucket --recursive --metadata-directive REPLACE

Notice --metadata-directive REPLACE

2 votes

You should replace the files and the metadata together this way --

aws s3 cp s3://yourbucket s3://yourbucket --recursive --acl bucket-owner-full-control --metadata-directive REPLACE
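An added audit helper, not part of the question or any answer above: it takes the JSON that `aws s3api list-objects-v2 --fetch-owner` returns for the destination bucket, reports the keys whose object owner is not the bucket owner (the situation that produced the Access denied above), and builds the per-key in-place copy from the answers, which must be run with the object owner's (source account's) credentials. The listing, the bucket name and the canonical owner IDs are constructed sample values; the bucket owner's real canonical ID comes from `aws s3api get-bucket-acl` (Owner.ID).

```python
import json
import shlex
from typing import List

# Constructed sample of a ListObjectsV2 response with --fetch-owner.
# The IDs stand in for canonical user IDs and are placeholders, not real values.
SAMPLE_LISTING = json.dumps({
    "Contents": [
        {"Key": "reports/2023-01.csv", "Owner": {"ID": "CANONICAL-ID-ACCOUNT-B"}},
        {"Key": "reports/2023-02.csv", "Owner": {"ID": "CANONICAL-ID-ACCOUNT-A"}},
        {"Key": "logs/app 1.log", "Owner": {"ID": "CANONICAL-ID-ACCOUNT-A"}},
    ]
})


def foreign_owned_keys(listing_json: str, bucket_owner_id: str) -> List[str]:
    """Keys whose object owner differs from the bucket owner.

    Such objects were written by another account without
    bucket-owner-full-control, so the bucket owner cannot read them.
    """
    listing = json.loads(listing_json)
    return [
        obj["Key"]
        for obj in listing.get("Contents", [])
        if obj.get("Owner", {}).get("ID") != bucket_owner_id
    ]


def remediation_commands(bucket: str, keys: List[str]) -> List[str]:
    """Build the in-place copy that grants the bucket owner full control.

    --metadata-directive REPLACE makes S3 accept a copy of an object onto
    itself; --acl bucket-owner-full-control sets the grant.  Run these with
    the credentials of the account that owns the objects (source account).
    """
    return [
        f"aws s3 cp s3://{bucket}/{shlex.quote(k)} s3://{bucket}/{shlex.quote(k)} "
        "--acl bucket-owner-full-control --metadata-directive REPLACE"
        for k in keys
    ]


if __name__ == "__main__":
    keys = foreign_owned_keys(SAMPLE_LISTING, "CANONICAL-ID-ACCOUNT-B")
    for cmd in remediation_commands("DestinationS3Bucket", keys):
        print(cmd)
```

For buckets created today, setting S3 Object Ownership to "Bucket owner enforced" disables ACLs and makes the bucket owner own every object, so this repair is not needed.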