## Introduction

A 403 AccessDenied response from S3 rejects the bucket or object operation that was attempted. The error is notoriously difficult to debug because AWS returns the same 403 response regardless of whether the denial comes from IAM policies, bucket policies, ACLs, KMS key policies, or Service Control Policies.

## Symptoms

- `aws s3 ls s3://my-bucket/` returns: `An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied`
- Application receives HTTP 403 from the S3 API
- CloudTrail shows `s3:ListBucket` or `s3:GetObject` events with error code `AccessDenied`
- No useful error details beyond "AccessDenied"

## Common Causes

- IAM policy missing `s3:GetObject`, `s3:ListBucket`, or `s3:PutObject` permissions
- Bucket policy explicitly denying access (an explicit Deny overrides any Allow)
- KMS key policy not allowing the IAM principal to use the encryption key
- S3 Block Public Access settings blocking the operation
- VPC endpoint policy restricting S3 access
- Organization SCP denying S3 actions

## Step-by-Step Fix

1. **Check IAM policy for the user/role**:

   ```bash
   aws iam list-attached-user-policies --user-name my-user
   # Read DefaultVersionId from the output; a hard-coded v1 may be a stale version
   aws iam get-policy --policy-arn <arn>
   aws iam get-policy-version --policy-arn <arn> --version-id <default-version-id>
   ```

   Verify these actions are allowed: `s3:GetObject`, `s3:PutObject`, `s3:ListBucket`.

2. **Check the bucket policy**:

   ```bash
   aws s3api get-bucket-policy --bucket my-bucket --output text
   ```

   Look for any Statement with `"Effect": "Deny"` that matches your principal.

3. **Verify KMS key permissions (if the bucket uses SSE-KMS)**:

   ```bash
   aws s3api get-bucket-encryption --bucket my-bucket
   aws kms get-key-policy --key-id <key-id> --policy-name default
   ```

   The key policy must grant `kms:Decrypt` and `kms:GenerateDataKey` to your principal.

4. **Use the IAM policy simulator to debug**:

   ```bash
   aws iam simulate-principal-policy \
     --policy-source-arn arn:aws:iam::<account>:user/my-user \
     --action-names s3:GetObject s3:ListBucket s3:PutObject \
     --resource-arns arn:aws:s3:::my-bucket arn:aws:s3:::my-bucket/*
   ```

   This shows exactly which permission is denied and which policy statement causes it.

5. **Check the VPC endpoint policy (if accessing S3 via a VPC endpoint)**:

   ```bash
   # Inspect the PolicyDocument field of the matching endpoint
   aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.us-east-1.s3
   ```
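Step 2 tells you to scan the bucket policy for Deny statements that match your principal; the following added example (not code from the original page) does that scan offline over a constructed sample policy, matching IAM-style `*`/`?` wildcards in Action and Resource and flagging Deny statements that carry a Condition, since those depend on request context the scan cannot see. It assumes the common `Principal`/`Action`/`Resource` shapes and does not handle the `NotPrincipal`/`NotAction`/`NotResource` variants.

```python
import fnmatch
import json

# Constructed sample bucket policy (not from the page): one Allow for the app
# role, one conditional Deny, and one unconditional Deny for a legacy role.
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyLegacyBatch", "Effect": "Deny",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/legacy-batch"]},
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::my-bucket/*"},
]})

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _principal_matches(principal, principal_arn):
    """'*' covers every caller; otherwise look for the ARN under the AWS key."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws

def _wildcard_match(patterns, value, fold_case=False):
    """IAM-style matching with '*' and '?' wildcards; actions ignore case."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def find_deny_statements(policy_json, principal_arn, action, resource_arn):
    """(Sid, has_condition) for each Deny matching principal, action, resource;
    has_condition means the Deny depends on request context not known offline."""
    hits = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if (stmt.get("Effect") == "Deny"
                and _principal_matches(stmt.get("Principal"), principal_arn)
                and _wildcard_match(_as_list(stmt.get("Action")), action, True)
                and _wildcard_match(_as_list(stmt.get("Resource")), resource_arn)):
            hits.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits
```

Feed it the output of `aws s3api get-bucket-policy --output text` together with the ARN, action and resource from the failing request; an unconditional hit is the statement causing the 403, while a conditional hit needs the request context (for example whether TLS was used) to confirm.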

## Prevention

- Use IAM Access Analyzer for S3 to audit bucket policies
- Apply least-privilege IAM policies using Access Advisor
- Set up CloudWatch metric alarms for S3 4xx error rates
- Use S3 Access Points for fine-grained access control
- Document bucket access patterns in infrastructure as code