AccessDenied

Amazon S3IAM PolicyHigh PriorityLast updated: June 29, 2026Tested on:AWS CLI v2Amazon S3June 2026

This error occurs when Amazon S3 rejects a bucket or object request due to insufficient S3 bucket policies, ACLs, or KMS key permissions.

AccessDenied Quick Fix⏱️ Est. Fix Time: 3 minutes

Usually happens because:

  • IAM identity lacks read/write rights on S3 bucket path (s3:GetObject/s3:PutObject)
  • Target object is encrypted using custom SSE-KMS, and caller lacks kms:Decrypt
  • S3 Block Public Access configurations override public ACL directives

🔍 Quick Checklist:

What is AccessDenied?

An 'AccessDenied' error is returned by Amazon S3 when a request lacks authorization. S3 evaluates a combination of identity-based policies (IAM policies), resource-based policies (S3 Bucket Policies, S3 Access Points), Access Control Lists (ACLs), and KMS key policies. In modern AWS environments, S3 Object Ownership defaults to 'Bucket owner enforced', which disables ACLs entirely and consolidates control inside IAM and Bucket policies.

Common Causes

  • Bucket Policy Restriction: S3 Bucket Policies explicitly deny public or cross-account access, overriding IAM rules.
  • KMS Key Decryption Block: The target object is encrypted with a custom KMS key, and the calling user lacks 'kms:Decrypt' permissions on that KMS key.
  • S3 Block Public Access is enabled: Attempts to read or write objects using public ACLs are blocked by active bucket-level Block Public Access settings.
CauseFrequency
Missing Object-Level read permission (s3:GetObject on bucket/*)⭐⭐⭐⭐⭐
Missing kms:Decrypt permissions on target SSE-KMS key⭐⭐⭐⭐
Block Public Access configuration overrides active public ACLs⭐⭐⭐

Common Mistakes

  • Attaching wide IAM policies but neglecting to configure KMS Key Policies when using custom SSE-KMS keys, causing S3 to return AccessDenied on object reads.
  • Attempting to upload objects using legacy public-read ACLs when S3 Object Ownership is set to 'BucketOwnerEnforced' (which disables ACLs and rejects the upload).

How to Fix

1Verify S3 Bucket Policy: Review S3 bucket policies and ensure the calling role ARN is permitted.
2Configure KMS policy delegation: Add the caller role to the KMS Key policy under 'Allow' for 'kms:Decrypt' / 'kms:GenerateDataKey'.
3Audit S3 Block Public Access configurations: Turn off Block Public Access settings only if public read/write access is explicitly required.

AWS Operations & Verification

Configure an S3 Bucket Policy to explicitly authorize a cross-account IAM role to read objects.

S3 Bucket Policy Fix Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CrossAccountRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/application-execution-role"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-secure-bucket",
        "arn:aws:s3:::my-secure-bucket/*"
      ]
    }
  ]
}

Platform Specific Fixes

Retrieve S3 bucket policy and block public access settings using S3API commands.

Linux Config
# 1. Inspect bucket policy configuration
aws s3api get-bucket-policy --bucket my-secure-bucket

# 2. Check S3 Block Public Access configuration status
aws s3api get-public-access-block --bucket my-secure-bucket

Best Practices

  • Disable ACLs entirely (use BucketOwnerEnforced) and rely solely on IAM and Bucket Policies for access control.
  • Adopt AWS S3 access analyzer tools to continuously audit bucket exposure risks.

Frequently Asked Questions (FAQ)

Q: What is the difference between AccessDeniedException and AccessDenied?

AccessDenied is the specific XML-based error code returned by Amazon S3. AccessDeniedException is the JSON-based exception code returned by newer AWS services like DynamoDB, Lambda, and IAM.

Q: Why do I get AccessDenied when downloading an S3 object even though my IAM policy allows s3:GetObject?

This is usually caused by KMS encryption. If the object was encrypted using a custom AWS KMS Key (SSE-KMS), you must also have permissions to call 'kms:Decrypt' on that specific KMS key. Lacking KMS permissions results in an S3 AccessDenied error.

Q: What is S3 Object Ownership and how does it affect access?

By default, AWS disables ACLs for new S3 buckets, enforcing 'Bucket Owner Enforced'. This means access is managed solely by IAM and S3 Bucket Policies. Legacy applications attempting to upload objects using public ACLs (like 'public-read') will fail with AccessDenied unless they disable ACL parameters or modify S3 Object Ownership settings.

Q: How do I test my bucket policy configuration using the CLI?

You can retrieve the policy using the AWS CLI command: 'aws s3api get-bucket-policy --bucket <bucket-name>'. Ensure the JSON policy does not contain explicit 'Deny' statements targeting your role or IP address range.

Still having this problem?

Didn't solve your problem?

SuggestRequest Error