Access Denied error when uploading an encrypted large file to S3 bucket

  • If you are getting an Access Denied error when trying to upload a large file to your S3 bucket with an upload request that includes a KMS key:

    • Confirm that you have the permission to perform kms:Decrypt actions on the KMS key that you're using to encrypt the object.

  • kms:Decrypt is only one of the actions that you must have permissions for when you upload or download an S3 object encrypted with a KMS key. You must also have permissions for the kms:Encrypt, kms:ReEncrypt*, kms:GenerateDataKey*, and kms:DescribeKey actions.

  • The AWS CLI (aws s3 commands), AWS SDKs, and many third-party programs automatically perform a multipart upload when the file is large. To perform a multipart upload with encryption using a KMS key, the requester must have permission for the kms:Decrypt action on the key. This permission is required because S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload.
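
One way to check a policy document offline for the KMS actions listed above (an added example, not part of the original page or any AWS tooling). The key ARN, the sample policy and the function names are constructed for illustration, and the page's wildcard actions are expanded to concrete action names as an assumption.

```python
import fnmatch

# Concrete KMS actions covering the list on this page; the page's wildcards
# (kms:ReEncrypt*, kms:GenerateDataKey*) are expanded here as an assumption.
REQUIRED = ["kms:Decrypt", "kms:Encrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
            "kms:GenerateDataKey", "kms:DescribeKey"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(name, patterns, ignore_case):
    # IAM wildcards (* and ?) behave like shell globs; action names ignore case.
    if ignore_case:
        name, patterns = name.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)

def missing_kms_actions(policy, key_arn):
    """Return required actions not allowed (or explicitly denied) on key_arn.

    Simplified: ignores Condition, NotAction, NotResource, and any other policy
    (key policy, SCP, boundary) that also takes part in the real decision.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(key_arn, _as_list(stmt.get("Resource", [])), False):
            continue  # statement does not apply to this key
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        actions = _as_list(stmt.get("Action", []))
        bucket.update(a for a in REQUIRED if _matches(a, actions, True))
    # An explicit Deny always overrides an Allow.
    return [a for a in REQUIRED if a not in allowed or a in denied]

# Constructed sample: a policy that grants the encrypt-side actions but omits
# kms:Decrypt, the gap this page describes for multipart uploads.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
UPLOAD_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": KEY_ARN,
    }],
}

if __name__ == "__main__":
    print("missing:", missing_kms_actions(UPLOAD_ONLY_POLICY, KEY_ARN))
```

The check covers a single policy document; the effective permission also depends on the KMS key policy and any other policies attached to the requester.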
