AWS S3 Bucket File Upload Error: Access Denied

Resolve "Access Denied" Error for Uploading Large Files to AWS S3 Bucket

Question

A large IT firm is using an Amazon S3 bucket for storing all project documents regularly.

As per security guidelines, all these files need to be encrypted using the AWS KMS key.

A user from a different account can successfully upload small project files to the S3 bucket.

But when the same user tries to upload a large file, they receive an "Access Denied" error.

Which of the following checks needs to be performed so that the user can upload all files?

Answers

Explanations


Correct Answer - B.

For large-size files, Amazon S3 automatically performs multipart uploads.

During a multipart upload, Amazon S3 must decrypt and read the already-uploaded encrypted parts in order to complete the upload.

To perform this decryption, the IAM user (from a different account) must have the kms:Decrypt permission in addition to the other required permissions.

Option A is incorrect: even though the user sends the encryption information with the request, the user additionally needs the kms:Decrypt permission to upload large files successfully.

Options C and D are incorrect, as the user needs the kms:Decrypt permission in both the key policy and the IAM policy.

For more information on Amazon S3 encryption, refer to the following URL:

https://aws.amazon.com/premiumsupport/knowledge-center/s3-large-file-encryption-kms-key/

The correct answer is B. Check if the user has permission to perform kms:Decrypt action in both key policy and IAM policy for files above 100 Mb.

The user is receiving an "Access Denied" error when trying to upload large files to the S3 bucket, which indicates that there might be a permission issue related to the KMS key used for encrypting the files. The user is able to upload small files, which suggests that the encryption process is working correctly for files under a certain size, but not for larger files.

To solve this issue, we need to ensure that the user has permission to perform the kms:Decrypt action for the KMS key used to encrypt the files. The permission to decrypt the files needs to be granted in both the key policy and the IAM policy.

The key policy defines who can access and manage the KMS key, while the IAM policy defines who can access and manage the S3 bucket.

Since the user is able to upload small files, it is likely that the IAM policy is configured correctly, so we need to focus on the key policy.

We need to check whether the key policy allows the user to perform the kms:Decrypt action, which is required for files larger than 100 Mb. If the key policy does not allow this action, we need to modify it to grant the required permission to the user.

In addition to the key policy, we also need to check the IAM policy to ensure that the user is allowed to perform the kms:Decrypt action, which is required for files larger than 100 Mb.

Therefore, option B is the correct answer.
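The check described above, as an added example that is not part of the original page or AWS's own tooling: a small offline evaluator that takes a KMS key policy (from the key owner's account) and the caller's IAM identity policy (from the other account) and reports, for each KMS action an SSE-KMS multipart upload needs, whether both policies grant it. The account IDs, key ARN, bucket name and user name are constructed placeholders; the evaluator is deliberately simplified (Allow/Deny, action and resource wildcards, and the Principal element only; no Condition, NotAction, permission boundaries or SCPs), so it shows the shape of the check rather than replacing the IAM policy simulator. The "broken" key policy reproduces the symptom in the question: kms:GenerateDataKey alone is enough for a small PutObject, but kms:Decrypt is missing, so completing a multipart upload is denied.

```python
"""Added example: check that a cross-account principal gets the KMS actions an
S3 multipart upload with SSE-KMS needs from BOTH the key policy and the IAM
policy. Simplified evaluator; all ARNs and account IDs are placeholders."""
import json
from fnmatch import fnmatchcase

# --- constructed sample identifiers (placeholders, not real resources) ---
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
USER_ARN = "arn:aws:iam::222233334444:user/project-uploader"

# Key policy in the key owner's account (111122223333). This version only lets
# the external account generate data keys: enough for a small PutObject, but
# completing a multipart upload also needs kms:Decrypt.
KEY_POLICY_BROKEN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "CrossAccountUpload", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
     "Action": ["kms:GenerateDataKey"], "Resource": "*"}
  ]
}""")

# Corrected key policy: the external account may also call kms:Decrypt.
KEY_POLICY_FIXED = json.loads(json.dumps(KEY_POLICY_BROKEN))
KEY_POLICY_FIXED["Statement"][1]["Action"] = ["kms:GenerateDataKey", "kms:Decrypt"]

# IAM identity policy attached to the uploading user in account 222233334444.
IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::project-docs-bucket/*"},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/*"}
  ]
}""")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, principal_arn):
    """Match a key-policy Principal element against the calling principal.
    An account root ARN (or bare account ID) delegates to IAM in that account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account_id = principal_arn.split(":")[4]
    for entry in _as_list(principal.get("AWS")):
        if entry in ("*", principal_arn, account_id, f"arn:aws:iam::{account_id}:root"):
            return True
    return False


def policy_allows(policy, action, resource, principal_arn=None):
    """True if `policy` grants `action` on `resource`; an explicit Deny wins.
    Pass principal_arn only for resource-based (key) policies."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_multipart_kms_access(key_policy, iam_policy, key_arn, principal_arn):
    """For each KMS action an SSE-KMS multipart upload needs, report whether the
    key policy and the IAM policy each grant it. Both must be True."""
    needed = ("kms:GenerateDataKey", "kms:Decrypt")
    return {
        action: {
            "key_policy": policy_allows(key_policy, action, key_arn, principal_arn),
            "iam_policy": policy_allows(iam_policy, action, key_arn),
        }
        for action in needed
    }


def missing_grants(report):
    """Flatten a report into readable gaps, e.g. 'kms:Decrypt in key_policy'."""
    return [f"{action} in {where}" for action, sides in report.items()
            for where, ok in sides.items() if not ok]


if __name__ == "__main__":
    for label, key_policy in (("broken", KEY_POLICY_BROKEN), ("fixed", KEY_POLICY_FIXED)):
        gaps = missing_grants(check_multipart_kms_access(key_policy, IAM_POLICY, KEY_ARN, USER_ARN))
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Running the script reports `missing kms:Decrypt in key_policy` for the broken key policy and `OK` once kms:Decrypt is added, which is exactly the gap option B asks you to look for. In a real account the same question is answered authoritatively by the IAM policy simulator or by the `AccessDenied` entry for `kms:Decrypt` in CloudTrail during the multipart completion call.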