# AWS S3 Access Denied

## Common Error Patterns

When S3 access is denied, you typically see:

```text
An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
```

```text
403 Forbidden when accessing S3 bucket
```

```text
User: arn:aws:iam::123456789012:user/test is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::my-bucket/*
```

## Root Causes and Solutions

### 1. IAM User/Role Missing Permissions

The IAM principal lacks necessary S3 permissions.

Solution:

Add the missing actions to the IAM policy. Note that `s3:ListBucket` is evaluated against the bucket ARN itself, while `s3:GetObject` and `s3:PutObject` are evaluated against object ARNs, so both resource forms are needed:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```

### 2. Bucket Policy Restricting Access

The bucket policy explicitly denies access.

Solution:

Review and update the bucket policy:

```bash
aws s3api get-bucket-policy --bucket my-bucket
```

Look for a `Deny` statement that matches your principal, action or resource (an explicit deny overrides every allow, including those in your IAM policy). Then ensure your IAM principal is covered by an `Allow` statement's `Principal` field, or excluded via `NotPrincipal` in any `Deny` statement:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/test"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```

### 3. KMS Encryption Without Permissions

Objects encrypted with SSE-KMS require KMS permissions in addition to the S3 permissions: reading needs `kms:Decrypt`, writing needs `kms:GenerateDataKey`. Without them S3 returns AccessDenied even though the S3 policy is correct.

Solution:

Add a statement like the following to the `Statement` array of the IAM policy (`key-id` is a placeholder for the ARN of the key that encrypts the objects):

```json
{
  "Effect": "Allow",
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}
```

Check which key encrypts the object (see the `ServerSideEncryption` and `SSEKMSKeyId` fields in the output):

```bash
aws s3api head-object --bucket my-bucket --key my-object
```

### 4. Object ACL Restrictions

Object-level ACLs may override bucket settings.

Solution:

Check and update the object ACL:

```bash
aws s3api get-object-acl --bucket my-bucket --key my-object

# Update the ACL to grant the bucket owner full control
aws s3api put-object-acl --bucket my-bucket --key my-object --acl bucket-owner-full-control
```

If the bucket's Object Ownership setting is "Bucket owner enforced", ACLs are disabled and the `put-object-acl` call is rejected; in that case access is governed by policies alone.

### 5. S3 Block Public Access Enabled

Block Public Access settings prevent public access.

Solution:

Only if public access is genuinely intended, disable the four bucket-level settings (the account-level Block Public Access setting, managed with `aws s3control`, still applies on top of the bucket-level one):

```bash
aws s3api put-public-access-block \
  --bucket my-bucket \
  --public-access-block-configuration BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false
```

### 6. VPC Endpoint Policy Restrictions

If using VPC endpoints, the endpoint policy may restrict access.

Solution:

Check the VPC endpoint policy (the endpoint ID below is a placeholder; the policy appears in the `PolicyDocument` field of the output):

```bash
aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-0123456789abcdef0
```

## Troubleshooting Steps

1. Verify IAM permissions:

   ```bash
   aws iam get-user-policy --user-name test --policy-name S3Access
   ```

2. Test access with the AWS CLI:

   ```bash
   aws s3 ls s3://my-bucket/
   aws s3 cp test.txt s3://my-bucket/
   ```

3. Use the IAM Policy Simulator:
   - Navigate to IAM Console > Policy Simulator
   - Select the user/role and test S3 actions

4. Check CloudTrail logs. `lookup-events` filters by event source or name, not by error code, so select the S3 events and filter on `errorCode` afterwards (object-level calls such as GetObject are only recorded if S3 data events are enabled for the trail):

   ```bash
   aws cloudtrail lookup-events \
     --lookup-attributes AttributeKey=EventSource,AttributeValue=s3.amazonaws.com \
     | jq '.Events[] | select(.CloudTrailEvent | fromjson | .errorCode == "AccessDenied")'
   ```
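As an added example (not part of the original page), the following Python script models the identity-policy evaluation the Policy Simulator performs for `Action` and `Resource`: an explicit Deny always wins, and an Allow that names only `my-bucket/*` covers GetObject and PutObject but not ListBucket, which is evaluated against the bucket ARN itself. Both policies are constructed for the demo; `Condition`, `NotAction` and resource-based policies are not modelled.

```python
import fnmatch
import json

# Constructed example policies for this demo (not copied from any real account).
# The first names only "my-bucket/*": enough for GetObject/PutObject, but
# s3:ListBucket is evaluated against the bucket ARN itself and is denied.
POLICY_OBJECTS_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket/*"]}]}""")

# The second grants s3:* on bucket and objects but carries an explicit Deny,
# which wins over the Allow regardless of statement order.
POLICY_WITH_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-bucket/*"}]}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate, case_insensitive):
    # IAM patterns use "*" and "?"; action names match case-insensitively,
    # resource ARNs (including object keys) are case-sensitive.
    patterns = _as_list(patterns)
    if case_insensitive:
        candidate, patterns = candidate.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny beats any Allow,
    and with no matching Allow the result is the implicit default, "Deny".
    Only Action and Resource are modelled (no Condition/NotAction/NotResource)."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny is final, stop here
        decision = "Allow"
    return decision
```

Run `evaluate(POLICY_OBJECTS_ONLY, "s3:ListBucket", "arn:aws:s3:::my-bucket")` to reproduce the "Access Denied" that the first policy produces for a bucket listing while object reads succeed.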

## Quick Reference Table

| Error Message | Likely Cause | Solution |
|---|---|---|
| AccessDenied on GetObject | Missing s3:GetObject permission | Update IAM/bucket policy |
| AccessDenied with KMS | Missing KMS permissions | Add kms:Decrypt permission |
| AccessDenied on public object | Block Public Access enabled | Disable Block Public Access |
| AccessDenied cross-account | Bucket policy missing | Add cross-account permission |

## Prevention Tips

1. Use AWS IAM Access Analyzer to identify unintended access
2. Implement least-privilege permissions
3. Enable S3 server access logging for audit trails
4. Use S3 Object Ownership to simplify ACL management