Introduction

AWS CLI S3 Access Denied means the request reached S3, but one of the authorization layers rejected it. With the AWS CLI this is often easier to debug than in application code because you can see the exact operation, bucket, and caller identity. The most common misses are IAM scope, bucket policy conditions, KMS permissions, object ownership, or a CLI profile pointing at the wrong credentials.

Symptoms

  • aws s3 ls, cp, or sync returns AccessDenied
  • Some buckets or prefixes work while others fail
  • The same command works with one profile or role but not another
  • Upload succeeds until server-side encryption or cross-account ownership is involved

Common Causes

  • The active IAM user or role lacks the required S3 action
  • The bucket policy has a deny condition that overrides IAM allow
  • KMS-encrypted objects require additional kms:Decrypt or kms:GenerateDataKey permissions
  • The CLI is using the wrong profile, region, or account context

Step-by-Step Fix

  1. 1.Confirm which identity the AWS CLI is using
  2. 2.Before changing policies, verify the current caller identity and CLI profile.
bash
aws sts get-caller-identity
aws configure list
  1. 1.Identify the exact failing S3 operation
  2. 2.ListBucket, GetObject, and PutObject are authorized separately, so the denied action matters.
  3. 3.Check IAM policy and bucket policy together
  4. 4.S3 authorization is a combination of identity policy, bucket policy, ACL or ownership, and explicit denies.
  5. 5.If encryption is involved, check KMS permissions
  6. 6.S3 may allow the object operation while KMS still blocks the underlying key usage.

Prevention

  • Keep CLI profiles and target accounts explicit in operational runbooks
  • Review bucket policy denies alongside IAM allows during incident response
  • Test encrypted object access after KMS or bucket ownership changes
  • Prefer role-based access and least-privilege policies over shared static credentials