S3 bucket access denied error when uploading large files via Lambda function with IAM role

We’re experiencing AccessDenied errors when our Lambda function tries to upload files larger than 100MB to S3. The function works fine for smaller files but consistently fails on large uploads. I’ve verified the IAM role has s3:PutObject permission and the bucket policy allows writes from our Lambda execution role. The error occurs during what appears to be multipart upload operations. We’re using the AWS SDK default settings for uploads.

Error snippet:

An error occurred (AccessDenied) when calling PutObject
Access Denied for multipart upload initiation
Status Code: 403

This is blocking our batch processing pipeline and causing significant data sync delays. Has anyone encountered similar issues with Lambda S3 uploads?

Jen, that’s interesting! We do have default encryption enabled on the bucket. I’ll check the KMS permissions next. The bucket policy does have conditions around VPC endpoints, and our Lambda is configured to run in the VPC. I’m going to review both the IAM role and bucket policy side by side to see where the gap is.

I’ve seen this before. The issue is likely that your IAM role has s3:PutObject but is missing the multipart upload permissions. For files over 100MB, the SDK automatically switches to multipart uploads, which require additional permissions: s3:PutObjectAcl, s3:AbortMultipartUpload, and s3:ListMultipartUploadParts. Check your role policy and ensure these are included.

Yes, VPC endpoint conditions can definitely cause this. If your bucket policy has aws:SourceVpce conditions, you need to ensure your Lambda is running inside the VPC with access to that endpoint. Also, some bucket policies have separate conditions for different S3 actions. Check if your policy explicitly allows s3:InitiateMultipartUpload and s3:CompleteMultipartUpload actions, not just s3:PutObject.
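Added example, not posted by anyone in this thread: a small Python checker for the side-by-side review of role policy and bucket policy discussed above. It assumes the action list from AWS's multipart upload documentation (initiating, uploading parts and completing are all authorized by s3:PutObject, and an SSE-KMS bucket additionally needs kms:GenerateDataKey and kms:Decrypt for multipart); the policies, bucket name and endpoint ID are constructed samples, and Resource, NotAction and most conditions are deliberately not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Actions a multipart upload to an SSE-KMS bucket exercises (assumed from AWS docs).
# CreateMultipartUpload, UploadPart and CompleteMultipartUpload all use s3:PutObject.
REQUIRED = ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts",
            "kms:GenerateDataKey", "kms:Decrypt"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action):
    # IAM action names are case-insensitive and may contain * wildcards.
    return any(fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt.get("Action", [])))

def missing_actions(policy, required=REQUIRED):
    """Required actions that are not allowed, or are explicitly denied.
    Simplified: ignores Resource, NotAction and Condition."""
    stmts = _as_list(policy["Statement"])
    missing = []
    for action in required:
        allowed = any(s["Effect"] == "Allow" and _matches(s, action) for s in stmts)
        denied = any(s["Effect"] == "Deny" and _matches(s, action) for s in stmts)
        if denied or not allowed:
            missing.append(action)
    return missing

def required_vpces(bucket_policy):
    """Endpoint IDs enforced by Deny + StringNotEquals aws:SourceVpce statements."""
    ids = []
    for s in _as_list(bucket_policy["Statement"]):
        cond = s.get("Condition", {}).get("StringNotEquals", {})
        for key, value in cond.items():
            if s["Effect"] == "Deny" and key.lower() == "aws:sourcevpce":
                ids += _as_list(value)
    return ids

# Constructed sample policies (not taken from the thread).
ROLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:PutObject", "kms:GenerateDataKey*"], "Resource": "*"}]}""")
BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}""")

if __name__ == "__main__":
    print("missing from role:", missing_actions(ROLE_POLICY))
    print("bucket requires endpoint:", required_vpces(BUCKET_POLICY))
```

The sample role passes for single-part uploads but lacks kms:Decrypt, which S3 needs to read the encrypted parts when it completes a multipart upload.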