How to Fix Access Denied (AWS S3)
Quick Answer
The 'Access Denied' error in AWS S3 indicates that the user or role attempting to access an S3 resource lacks the necessary permissions. The fastest fix often involves reviewing and adjusting the IAM user/role policies or the S3 bucket policy to grant the required actions.
What Causes This Error
- Incorrect IAM user or role permissions (e.g., missing s3:GetObject, s3:PutObject)
- S3 bucket policy explicitly denies access to the user or role
- Object ownership conflicts, especially when objects are uploaded by different accounts
- Missing or incorrect S3 Block Public Access settings
- AWS Key Management Service (KMS) encryption key policy denies access
- Virtual Private Cloud (VPC) endpoint policy restricts S3 access
Step-by-Step Fixes
1. Verify IAM User/Role Permissions for S3 Access Denied
- Navigate to the IAM console in AWS.
- In the navigation pane, choose 'Users' or 'Roles', then select the principal experiencing the 'Access Denied' error.
- Review the 'Permissions' tab to identify attached policies (managed and inline).
- Examine each policy for explicit 'Deny' statements that might override 'Allow' statements for S3 actions (e.g., s3:GetObject, s3:PutObject, s3:ListBucket).
- Ensure that the user or role has 'Allow' permissions for the specific S3 actions being attempted on the target bucket and objects (e.g., 's3:GetObject' for downloading, 's3:PutObject' for uploading, 's3:ListBucket' for listing contents). If permissions are missing, attach a new policy or modify an existing one to include the necessary S3 actions and resource ARNs.
2. Inspect S3 Bucket Policy
- Open the Amazon S3 console.
- Select the bucket that is returning the 'Access Denied' error.
- Navigate to the 'Permissions' tab and then select 'Bucket policy'.
- Review the bucket policy for any 'Deny' statements that explicitly block the user or role's access. Pay close attention to the 'Principal' element and the 'Action' element.
- If a 'Deny' statement is found that incorrectly restricts access, modify or remove the statement. Alternatively, add an 'Allow' statement that the 'Deny' does not cover (e.g., by ensuring the 'Deny' condition is not met for the intended principal, or by scoping the 'Allow' to the specific actions and resource ARNs that are needed).
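As an added example (not code from the original article), the following Python models the evaluation rule behind steps 1 and 2: an explicit 'Deny' in the identity policy or the bucket policy wins, otherwise at least one matching 'Allow' is required, otherwise the request is implicitly denied. It assumes Condition, NotAction, NotResource and NotPrincipal are absent, that principals match by exact ARN or "*", and uses constructed placeholder policies, account id, role and bucket names.

```python
# Added example, not from the article: simplified evaluation of an S3 request
# across an identity policy and a bucket policy. Assumptions: Condition,
# NotAction, NotResource and NotPrincipal are ignored; principals match by
# exact ARN or "*". Explicit Deny > Allow > implicit Deny, as in AWS.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case):
    # IAM wildcards '*' and '?'; action names are case-insensitive, ARNs are not
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":   # identity policy, or open to everyone
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws

def evaluate(policies, principal_arn, action, resource_arn):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if (_principal_matches(stmt, principal_arn)
                    and _matches(stmt.get("Action", []), action, fold_case=True)
                    and _matches(stmt.get("Resource", []), resource_arn, fold_case=False)):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"       # no Allow anywhere can override this
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed sample data (placeholder account id, role and bucket names).
ROLE = "arn:aws:iam::111122223333:role/app-reader"
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]}

def triage(policies=(IAM_POLICY, BUCKET_POLICY), role=ROLE):
    # ListBucket is evaluated against the bucket ARN (no "/..."), which the
    # identity policy's object-only resource pattern does not cover.
    obj, bucket = "arn:aws:s3:::example-bucket/report.csv", "arn:aws:s3:::example-bucket"
    return {a: evaluate(policies, role, a, r) for a, r in
            [("s3:GetObject", obj), ("s3:PutObject", obj), ("s3:ListBucket", bucket)]}
```

Running `triage()` shows GetObject allowed, PutObject blocked by the bucket policy's explicit Deny, and ListBucket implicitly denied because the Allow names only object ARNs, which is the resource ARN mistake step 1 asks you to check for.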
3. Check S3 Block Public Access Settings
- Access the Amazon S3 console.
- Select the bucket in question.
- Go to the 'Permissions' tab and locate 'Block public access (bucket settings)'.
- Review the settings under 'Block public access to buckets and objects'. If any of these settings are enabled, they can block access even when a bucket policy or ACL grants it.
- If public access is intended and required for the specific use case, disable the relevant 'Block public access' settings. Confirm the change to apply the updated configuration.
4. Resolve Object Ownership and ACLs
- Open the Amazon S3 console and navigate to the bucket containing the object.
- Select the object that is returning the 'Access Denied' error.
- Go to the 'Permissions' tab for the object and review its 'Object ownership' and 'Access control list (ACL)' settings.
- If the object was uploaded by a different AWS account, the original owner might still control access. Modify the object's ACLs to grant 'Read' or 'Write' permissions to the intended user or account, or configure the bucket to enforce 'Bucket owner preferred' or 'Bucket owner enforced' object ownership.
- For new uploads, ensure that the uploading entity grants full control to the bucket owner during the upload process, or configure the bucket's Object Ownership setting to 'Bucket owner enforced' to automatically take ownership of all new objects.
Advanced Fixes
Review AWS KMS Key Policy for Encrypted Objects
- If the S3 object is encrypted using an AWS Key Management Service (KMS) key, navigate to the KMS console.
- Select the customer managed key (CMK) used for encryption.
- Go to the 'Key policy' tab.
- Examine the key policy for any 'Deny' statements or missing 'Allow' statements that prevent the IAM user or role from performing KMS actions (e.g., 'kms:Decrypt', 'kms:GenerateDataKey') on the key. The IAM principal must have permissions to use the KMS key in addition to S3 permissions.
- Modify the key policy to grant the necessary KMS permissions to the principal experiencing the 'Access Denied' error.
Examine VPC Endpoint Policy
- If accessing S3 from within a Virtual Private Cloud (VPC) using a VPC endpoint, navigate to the VPC console.
- In the navigation pane, choose 'Endpoints'.
- Select the S3 VPC endpoint being used.
- Review the 'Policy' tab for the endpoint. This policy can restrict access to specific S3 buckets or actions.
- Ensure the VPC endpoint policy allows the necessary S3 actions (e.g., 's3:GetObject', 's3:PutObject') for the target S3 bucket and the IAM principal.
Frequently Asked Questions
What is the difference between an IAM policy and a bucket policy?
An IAM policy is attached to an IAM user, group, or role and defines what actions that principal can perform on AWS resources. A bucket policy is attached directly to an S3 bucket and defines which principals can perform which actions on that specific bucket and its objects, regardless of their IAM policies. Both must grant permission for access to be successful.
Why would I get 'Access Denied' even if my IAM policy allows access?
An 'Access Denied' error can still occur for several reasons even when the IAM policy allows the action. These include an explicit 'Deny' statement in the S3 bucket policy, S3 Block Public Access settings overriding the granted permissions, object ownership conflicts, or, if the object is encrypted, a KMS key policy that denies access.
How do I check who owns an S3 object?
In the S3 console, navigate to the object, select it, and then go to the 'Permissions' tab. Under 'Object ownership', you will see the AWS account that owns the object. This is crucial when objects are uploaded by different accounts.
Can S3 Block Public Access settings cause 'Access Denied' for authenticated users?
Yes. S3 Block Public Access settings are designed to prevent public access. If a bucket policy grants public access (e.g., to an anonymous user, or to a specific AWS account that you treat as 'public' for certain operations) and Block Public Access is enabled, the setting overrides the bucket policy, and those 'public' access attempts receive an 'Access Denied' error even if they are technically authenticated by AWS.