
How to Fix AWS S3 Access Denied (Amazon S3)

Quick Answer

The "AWS S3 Access Denied" error indicates that the requesting identity lacks the necessary permissions to perform an action on an Amazon S3 resource. The fastest fix often involves reviewing and adjusting the IAM user or role policies, or the S3 bucket policy, to grant the required access.

What Causes This Error

  • Incorrect IAM user or role policies: The identity attempting the action does not have the necessary permissions defined in its attached IAM policies.
  • S3 bucket policies: The bucket policy explicitly denies the action or does not grant sufficient permissions to the requesting identity.
  • Object ACLs (Access Control Lists): For individual objects, ACLs can override bucket policies and deny access.
  • Block Public Access settings: The S3 bucket has Block Public Access settings enabled, preventing public or cross-account access.
  • Missing or incorrect KMS key permissions: If the S3 object is encrypted with AWS Key Management Service (KMS), the requesting identity might lack permissions to use the KMS key.
  • VPC endpoint policies: When accessing S3 from within a VPC, the VPC endpoint policy might restrict access.

Step-by-Step Fixes

Step 1: Verify IAM User/Role Permissions for AWS S3 Access Denied

  1. Log in to the AWS Management Console and navigate to the IAM service.
  2. In the navigation pane, select 'Users' or 'Roles' depending on the identity experiencing the issue.
  3. Locate and select the specific user or role.
  4. Review the 'Permissions' tab to identify attached policies. Expand each policy to view its JSON document.
  5. Ensure that the policies explicitly allow the required S3 actions (e.g., 's3:GetObject', 's3:PutObject', 's3:ListBucket') on the target S3 bucket or objects (e.g., 'arn:aws:s3:::your-bucket-name' or 'arn:aws:s3:::your-bucket-name/*').

Step 2: Review and Adjust S3 Bucket Policy

  1. Navigate to the Amazon S3 service in the AWS Management Console.
  2. Select the bucket that is returning the 'Access Denied' error.
  3. Go to the 'Permissions' tab and then select 'Bucket policy'.
  4. Examine the JSON policy document for any 'Deny' statements that might be blocking the intended action or for missing 'Allow' statements for the specific principal (user/role) and actions.
  5. Modify the policy to grant the necessary permissions. After making changes, save the policy.

Step 3: Check S3 Block Public Access Settings

  1. In the AWS Management Console, go to the Amazon S3 service.
  2. Select the affected S3 bucket.
  3. Navigate to the 'Permissions' tab and locate 'Block public access (bucket settings)'.
  4. Review the settings for 'Block all public access', 'Block public access to buckets and objects granted through new access control lists (ACLs)', 'Block public access to buckets and objects granted through any access control lists (ACLs)', and 'Block public and cross-account access to buckets and objects through new public bucket policies'.
  5. If public or cross-account access is intended, ensure that the relevant Block Public Access settings are not preventing it. Adjust settings as required, understanding the security implications of public access.

Step 4: Inspect S3 Object ACLs

  1. Access the Amazon S3 service in the AWS Management Console.
  2. Navigate to the specific bucket and then to the object that is returning the 'Access Denied' error.
  3. Select the object and go to the 'Permissions' tab.
  4. Review the 'Access control list (ACL)' section. ACLs can grant or deny specific permissions to individual AWS accounts or predefined groups.
  5. Ensure that the requesting identity or its associated account has the necessary 'Read' or 'Write' permissions granted via the object's ACL. Modify the ACL if required.
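The checks in Steps 3 and 4, together with the "is this object KMS-encrypted?" question answered in the FAQ below, can be read directly from the S3 API responses instead of clicking through the console. The following is an added example, not code from this article or from AWS: three pure functions interpret dicts shaped like the boto3 responses to get_public_access_block, get_object_acl and head_object, and the SAMPLE_* data is constructed. Only the collect_live helper touches a real account; it assumes boto3, credentials, and the s3:GetBucketPublicAccessBlock, s3:GetObjectAcl and s3:GetObject permissions.

```python
"""Interpret the S3 responses behind Steps 3 and 4 without a live account.

Added example, not code from the original article or from AWS. The pure
functions take dicts shaped like boto3 responses; SAMPLE_* data is constructed.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# API field name -> what the switch does when it is True.
BLOCK_PUBLIC_ACCESS_MEANING = {
    "BlockPublicAcls": "rejects new public ACLs on the bucket and its objects",
    "IgnorePublicAcls": "ignores public ACL grants that already exist",
    "BlockPublicPolicy": "rejects new bucket policies that grant public access",
    "RestrictPublicBuckets": "limits a public bucket policy to this account and AWS "
                             "services, which also blocks cross-account access",
}


def public_access_findings(response):
    """List the enabled Block Public Access switches (get_public_access_block)."""
    cfg = response.get("PublicAccessBlockConfiguration", {})
    return [f"{name}: {text}" for name, text in BLOCK_PUBLIC_ACCESS_MEANING.items()
            if cfg.get(name)]


def acl_findings(response, requester_canonical_id):
    """Summarise an object ACL (get_object_acl) from the requester's viewpoint."""
    findings = []
    for grant in response.get("Grants", []):
        grantee, permission = grant.get("Grantee", {}), grant.get("Permission")
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == requester_canonical_id:
            findings.append(f"requester has {permission}")
        elif grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            findings.append(f"everyone (AllUsers) has {permission}")
        elif grantee.get("Type") == "Group" and grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(f"any AWS account (AuthenticatedUsers) has {permission}")
    return findings or ["requester is not in the ACL; access depends on policies"]


def encryption_findings(head_response):
    """Say whether KMS permissions are needed, from head_object metadata."""
    sse = head_response.get("ServerSideEncryption")
    if sse in ("aws:kms", "aws:kms:dsse"):
        key = head_response.get("SSEKMSKeyId", "<AWS managed key>")
        return f"SSE-KMS with key {key}: requester also needs kms:Decrypt on this key"
    if sse == "AES256":
        return "SSE-S3: no KMS permission needed"
    return "no ServerSideEncryption header (unencrypted or SSE-C)"


def report(bpa_response, acl_response, head_response, requester_canonical_id):
    """Combine the three checks into one dict a responder can read top to bottom."""
    return {
        "block_public_access": public_access_findings(bpa_response),
        "acl": acl_findings(acl_response, requester_canonical_id),
        "encryption": encryption_findings(head_response),
    }


def collect_live(bucket, key):
    """The boto3 calls that produce the three responses (needs credentials plus
    s3:GetBucketPublicAccessBlock, s3:GetObjectAcl and s3:GetObject).
    get_public_access_block raises if the bucket has no such configuration."""
    import boto3  # imported here so the offline functions work without boto3
    s3 = boto3.client("s3")
    return (s3.get_public_access_block(Bucket=bucket),
            s3.get_object_acl(Bucket=bucket, Key=key),
            s3.head_object(Bucket=bucket, Key=key))


# Constructed sample responses: a fully locked-down bucket whose object is
# owned by one canonical id and encrypted with a placeholder customer KMS key.
OWNER_ID = "owner-canonical-id-constructed"
SAMPLE_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
SAMPLE_ACL = {"Owner": {"ID": OWNER_ID}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"}]}
SAMPLE_HEAD = {"ServerSideEncryption": "aws:kms", "ContentLength": 1234,
               "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}

if __name__ == "__main__":
    # Diagnose a request from another account's user, who is not in the ACL.
    for name, value in report(SAMPLE_BPA, SAMPLE_ACL, SAMPLE_HEAD, "other-account-id").items():
        print(name, value)
```

Run as a script, the report shows all four Block Public Access switches on, an ACL that does not mention the requester, and an SSE-KMS object, which is exactly the combination where a cross-account reader fails even with a generous bucket policy: the request needs the key policy fixed as well (see the Advanced Fixes below).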

Advanced Fixes

Evaluate KMS Key Policy for Encrypted Objects

  1. If the S3 objects are encrypted with a customer-managed KMS key, navigate to the AWS Key Management Service (KMS) in the AWS Management Console.
  2. Select the specific KMS key used for encryption.
  3. Go to the 'Key policy' tab.
  4. Verify that the IAM user or role attempting to access the S3 object has 'kms:Decrypt' and 'kms:GenerateDataKey' permissions on this KMS key. Add the necessary permissions to the key policy if they are missing.
  5. Ensure the IAM policy attached to the user/role also allows 'kms:Decrypt' on the key.

Review VPC Endpoint Policies

  1. If S3 access originates from an Amazon Virtual Private Cloud (VPC) via a VPC endpoint, navigate to the VPC service in the AWS Management Console.
  2. Select 'Endpoints' from the navigation pane.
  3. Locate the S3 VPC endpoint and select it.
  4. Review the 'Policy' tab to examine the endpoint policy. This policy can restrict which S3 buckets can be accessed or which actions can be performed.
  5. Ensure the VPC endpoint policy explicitly allows access to the target S3 bucket and permits the required S3 actions for the requesting identity.

Frequently Asked Questions

What is the difference between IAM policies and S3 bucket policies?

IAM policies are attached to IAM users, groups, or roles and define what actions those identities can perform across AWS services. S3 bucket policies are attached directly to an S3 bucket and define who can access the bucket and its objects, and what actions they can perform, regardless of their IAM policies. Both must grant permission for an action to succeed.

How do I know if my S3 object is encrypted with KMS?

When viewing an object in the S3 console, check the 'Properties' tab. Under the 'Server-side encryption' section, it will indicate if encryption is enabled and which type (e.g., SSE-S3, SSE-KMS, SSE-C) is used. If SSE-KMS is used, the specific KMS key ID will be listed.

Can an S3 bucket policy override an IAM policy?

Yes, an explicit 'Deny' statement in either an IAM policy or an S3 bucket policy will always take precedence over an 'Allow' statement. For an action to be allowed, there must be an 'Allow' statement in both the IAM policy (if applicable to the principal) and the S3 bucket policy, and no explicit 'Deny' statement in either.
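The evaluation rule in this answer (an explicit Deny anywhere wins; otherwise an Allow is needed from each policy layer) is also what Steps 1 and 2 and the KMS key policy and VPC endpoint policy checks in the Advanced Fixes are looking for by hand. The following is an added example, not code from this article or from AWS: a small offline evaluator that takes IAM-style JSON policy documents for each layer and reports which layer denies or lacks an Allow. It handles string-or-list fields, case-insensitive action wildcards and the account-root principal, and flags statements with Condition, NotAction, NotResource or NotPrincipal for manual review instead of guessing. The role, bucket, key and account identifiers are constructed samples.

```python
"""Offline evaluator for the policy chain behind an S3 'Access Denied'.
Added example (not the article's or AWS code): an explicit Deny in any layer
wins, otherwise every layer (identity, bucket, KMS key, VPC endpoint policy)
must contain a matching Allow. All identifiers below are constructed samples."""
import fnmatch

# Elements not modelled here; statements using them are flagged for manual review.
NEEDS_REVIEW = ("NotAction", "NotResource", "NotPrincipal")

def _as_list(value):
    """Action, Resource and Principal.AWS may be a string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    """Wildcard (* and ?) match; Action names are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(statement, principal_arn):
    """Identity policies have no Principal; resource policies must name one.
    Naming the account root (arn:aws:iam::<account>:root) hands the decision to
    that account's identity policies, so it counts as a match for its principals."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return "*" in aws or principal_arn in aws or root in aws

def statement_decision(statement, principal_arn, action, resource_arn):
    """'Allow', 'Deny', 'Review' (cannot be evaluated here) or None (no match)."""
    if any(key in statement for key in NEEDS_REVIEW):
        return "Review"
    if not (_principal_matches(statement, principal_arn)
            and _matches(statement.get("Action"), action, fold_case=True)
            and _matches(statement.get("Resource"), resource_arn)):
        return None
    # A matching statement with a Condition may or may not apply at runtime.
    return "Review" if "Condition" in statement else statement["Effect"]

def evaluate_policy(policy, principal_arn, action, resource_arn):
    """Strongest decision of one document, plus the Sids that produced it."""
    found = {"Deny": [], "Allow": [], "Review": []}
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        decision = statement_decision(statement, principal_arn, action, resource_arn)
        if decision:
            found[decision].append(statement.get("Sid", "statement[%d]" % index))
    return ("Deny" if found["Deny"] else "Allow" if found["Allow"] else "ImplicitDeny"), found

def diagnose(layers, principal_arn, action, resource_arn):
    """Return (verdict, {layer: (decision, sids)}); a 'Deny' layer needs its Deny
    statement narrowed, an 'ImplicitDeny' layer is missing an Allow."""
    verdict, findings = "Allow", {}
    for name, policy in layers.items():
        decision, sids = evaluate_policy(policy, principal_arn, action, resource_arn)
        findings[name] = (decision, sids)
        if decision == "Deny" or (decision == "ImplicitDeny" and verdict == "Allow"):
            verdict = decision
    return verdict, findings

# Constructed sample data (documentation-style account id, no real identifiers).
ROLE = "arn:aws:iam::111122223333:role/app-reader"
BUCKET = "arn:aws:s3:::example-bucket"
KEY = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Sid": "UseKey", "Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": KEY}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowReader", "Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "NoWrites", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"}]}
# The key policy names another role, so app-reader cannot decrypt even though its
# identity policy allows kms:Decrypt: the article's 'missing KMS permission' cause.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EtlOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/etl-writer"},
     "Action": "kms:*", "Resource": "*"}]}

def demo():
    """The three diagnoses a responder would run first: read, write, decrypt."""
    s3_layers = {"identity-policy": IDENTITY_POLICY, "bucket-policy": BUCKET_POLICY}
    kms_layers = {"identity-policy": IDENTITY_POLICY, "kms-key-policy": KEY_POLICY}
    obj = BUCKET + "/reports/q1.csv"
    return (diagnose(s3_layers, ROLE, "s3:GetObject", obj),
            diagnose(s3_layers, ROLE, "s3:PutObject", obj),
            diagnose(kms_layers, ROLE, "kms:Decrypt", KEY))

if __name__ == "__main__":
    for label, result in zip(("GetObject", "PutObject", "Decrypt"), demo()):
        print(label, result)
```

The per-layer output is the useful part: GetObject comes back Allow from both layers, PutObject is Deny because of the bucket policy's NoWrites statement (an explicit Deny that no IAM Allow can override), and kms:Decrypt is ImplicitDeny at the key policy even though the identity policy allows it, which is the situation the Advanced Fixes section describes. Any statement reported as Review still has to be read by hand, since conditions such as aws:SourceVpce or aws:SecureTransport decide at request time.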

What does 'Block Public Access' mean for S3?

'Block Public Access' is a set of security settings for S3 buckets that helps prevent unintended public exposure of your data. It can block public access granted through ACLs, bucket policies, or both, at the account or bucket level. Enabling these settings is a best practice for most use cases.

© 2026 Error Fixer Hub. All rights reserved.
