0
votes

I am logged in with a non-root user to my company's AWS account.

The default encryption for the S3 bucket is AWS KMS with custom ARN.

However, when I try to upload a file and choose "NONE" encryption, it fails with a FORBIDDEN error. The same file can be uploaded if I use AES-256 or AWS-KMS encryption.

As far as I know, the bucket has to have a DENY policy for the upload of non-encrypted objects, but all I can see in the bucket policy is a DENY policy for "aws:SecureTransport": "false", which I believe restricts access from non-HTTPS sources.

Can anyone explain how the upload is restricted?

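As an added illustration (not part of the question, and not the asker's actual bucket policy), the following Python models how S3 bucket-policy Deny statements are matched against a PutObject request. It contains the `aws:SecureTransport` deny the asker sees, plus the separate `Null` condition on `s3:x-amz-server-side-encryption` that a "deny unencrypted uploads" statement would use, so the two can be told apart: the SecureTransport statement alone never denies an HTTPS upload, whatever encryption is chosen. The bucket name, statement Sids and request contexts are constructed; the two condition keys are real S3/IAM condition keys.

```python
"""Minimal model of S3 bucket-policy Deny matching (added example).

Only the operators needed for the two statements are implemented
(Bool, Null, StringEquals, StringNotEquals); real IAM evaluation has
many more operators and also considers Allow statements, SCPs, etc.
"""
import fnmatch

BUCKET = "example-bucket"  # constructed placeholder

# Constructed policy: statement 1 is the pattern the asker found in the
# bucket policy; statement 2 is what a "deny unencrypted uploads" rule looks like.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            # Null = true: deny when the request carries no SSE header at all
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# The policy as the asker describes it: only the transport statement.
SECURE_TRANSPORT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": BUCKET_POLICY["Statement"][:1],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """All operator blocks and all keys inside them must hold (logical AND)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if operator == "Null":
                # "true" means the key must be absent from the request context
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "Bool":
                if actual is None or actual.lower() != expected.lower():
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator: {operator}")
    return True


def matching_denies(policy, action, resource, context):
    """Return the Sids of Deny statements that match the request.

    In IAM an explicit Deny always wins, so a non-empty result means the
    request is refused regardless of any Allow elsewhere.
    """
    sids = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # Action and Resource support '*' wildcards
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            sids.append(stmt["Sid"])
    return sids


OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/report.csv"  # constructed

if __name__ == "__main__":
    # Upload over HTTPS with encryption "NONE" (no SSE header) vs. with SSE-KMS
    no_sse = {"aws:SecureTransport": "true"}
    with_kms = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}
    print("full policy, no SSE:", matching_denies(BUCKET_POLICY, "s3:PutObject", OBJECT_ARN, no_sse))
    print("full policy, SSE-KMS:", matching_denies(BUCKET_POLICY, "s3:PutObject", OBJECT_ARN, with_kms))
    print("transport-only, no SSE:", matching_denies(SECURE_TRANSPORT_ONLY_POLICY, "s3:PutObject", OBJECT_ARN, no_sse))
```

Running the script shows that the full policy denies the unencrypted upload via `DenyUnencryptedObjectUploads`, the SSE-KMS upload passes, and the transport-only policy denies nothing over HTTPS, which is why a bucket policy showing only the `aws:SecureTransport` statement cannot by itself explain the FORBIDDEN result.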

1 Answer

0
votes

There are lots of places in the AWS IAM process that can cause the deny. It could be in the organization policy, the S3 bucket policy, the S3 ACL, IAM inline policy, an IAM group policy, etc.

There are 2 tools that can help you track down where the deny is occurring.

Start with the Policy Simulator to check your IAM policies for the user or role (see the Policy Simulator documentation).

Also, if you have CloudTrail set up, you can search the logs in CloudWatch Logs Insights to see what is causing the deny.
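As an added example (not part of the answer), here is the kind of triage the answer's CloudTrail suggestion leads to: pull the S3 `AccessDenied` events out of a CloudTrail export and correlate each with whether the request carried an `x-amz-server-side-encryption` header, so a deny that only hits unencrypted PutObject calls stands out. The records are constructed, with field names modelled on CloudTrail S3 data events; the account id, ARNs, bucket and object keys are placeholders, and the Logs Insights query string is the equivalent search you would run in the console (an assumption about your log group layout, not something from the answer).

```python
"""Triage of CloudTrail S3 AccessDenied events (added example)."""
import json
from collections import Counter

# Constructed CloudTrail records: a subset of the real record fields.
SAMPLE_RECORDS = json.dumps({"Records": [
    {   # the failing upload: no SSE header, denied
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    },
    {   # the same upload with SSE-KMS: succeeds (no errorCode)
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-user"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv",
                              "x-amz-server-side-encryption": "aws:kms"},
    },
    {   # an unrelated deny on a read by another principal
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/other-user"},
        "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"},
    },
]})

# Equivalent CloudWatch Logs Insights query for a log group fed by CloudTrail
# (assumed layout; adjust the field names if your trail differs).
LOGS_INSIGHTS_QUERY = """
fields @timestamp, eventName, errorCode, errorMessage, userIdentity.arn,
       requestParameters.bucketName, requestParameters.key
| filter eventSource = "s3.amazonaws.com" and errorCode = "AccessDenied"
| sort @timestamp desc
| limit 50
""".strip()


def denied_s3_events(raw_json):
    """Return one summary dict per S3 event that ended in AccessDenied."""
    records = json.loads(raw_json)["Records"]
    denied = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("errorCode") != "AccessDenied":
            continue
        params = rec.get("requestParameters") or {}
        denied.append({
            "eventName": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "object": f"{params.get('bucketName')}/{params.get('key')}",
            # None here means the client sent no SSE header at all
            "sse_header": params.get("x-amz-server-side-encryption"),
        })
    return denied


def deny_summary(raw_json):
    """Count denies by (API call, whether an SSE header was present)."""
    return Counter(
        (e["eventName"], e["sse_header"] is not None)
        for e in denied_s3_events(raw_json)
    )


if __name__ == "__main__":
    for event in denied_s3_events(SAMPLE_RECORDS):
        print(event)
    print(deny_summary(SAMPLE_RECORDS))
```

If every denied PutObject in the output lacks the SSE header while the same principal's SSE-KMS uploads succeed, the deny is tied to the encryption choice and the next place to look is whichever policy layer the answer lists (SCP, bucket policy, IAM policy) for a condition on `s3:x-amz-server-side-encryption`; the Policy Simulator can then confirm which statement fires.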