AccessDeniedException

AWS IAMSecurity ErrorHigh PriorityLast updated: June 29, 2026Tested on:AWS CLI v2Amazon S3June 2026

This error occurs when your authenticated AWS credentials do not have the required IAM permissions to perform the requested API operation.

AccessDeniedException Quick Fix⏱️ Est. Fix Time: 4 minutes

Usually happens because:

  • Target IAM identity-based policy lacks allow rule for the specific API Action
  • Service Control Policies (SCP) or permission boundaries explicitly deny the action
  • Resource-based policies (S3 bucket policy, KMS key policy) restrict access

🔍 Quick Checklist:

What is AccessDeniedException?

An 'AccessDeniedException' is returned by AWS API services (such as DynamoDB, Lambda, S3, or IAM) when the request caller has valid authentication credentials (meaning who they are is verified) but lacks the required IAM policy authorizations (what they are allowed to do is rejected). In modern AWS IAM, authorization failures can be decrypted using the AWS STS 'DecodeAuthorizationMessage' API to inspect the exact failing policy rules.

Common Causes

  • Missing IAM Policy permissions: The calling IAM User or Role has no identity-based policy statement allowing the specific action (e.g. 'dynamodb:PutItem').
  • Explicit Deny in Policy: A Service Control Policy (SCP), IAM Boundary, or Resource-based policy explicitly denies the action, which overrides all allow rules.
  • Resource-based Policy limits: A target resource policy (like an S3 Bucket Policy or KMS Key Policy) blocks access from the calling IAM entity.
CauseFrequency
Missing Action (e.g. lambda:InvokeFunction) in IAM Policy⭐⭐⭐⭐⭐
Resource-based policy (S3/KMS) explicitly blocks calling entity⭐⭐⭐⭐
Service Control Policy (SCP) or Boundary restriction⭐⭐⭐

Common Mistakes

  • Assuming AdministratorAccess bypasses KMS key policy restrictions (KMS keys must explicitly delegate authority to IAM or list the calling role in the key policy).
  • Confusing Authentication (invalid keys) with Authorization (AccessDeniedException).

How to Fix

1Attach the required IAM permission: Add an IAM Policy statement with 'Allow' effect on the target action and resource ARN.
2Decode authorization failure message: Use the AWS CLI command 'aws sts decode-authorization-message' to identify the exact blocking policy.
3Inspect Resource-based policies: Ensure target KMS key policies or S3 bucket policies grant permissions to the calling role.

AWS Operations & Verification

Attach an IAM Policy to the user or execution role authorizing the specific API action on the target resource ARN.

IAM Policy Fix Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ProductTable"
    }
  ]
}

Platform Specific Fixes

Decode encrypted AWS authorization messages using the AWS CLI tool.

Linux Config
# Decode encrypted message (requires sts:DecodeAuthorizationMessage permission)
aws sts decode-authorization-message --encoded-message "ENCRYPTED_STRING_GOES_HERE"

Best Practices

  • Adopt the principle of least privilege, mapping explicit Action rules to target resource ARNs.
  • Adopt AWS IAM Access Analyzer to detect unused or excessive resource-based access pathways.

Frequently Asked Questions (FAQ)

Q: What is an AccessDeniedException in AWS?

It is an authorization failure. It means AWS verified your identity (AccessKey/SecretKey), but your IAM user or role does not have the policy permissions required to perform the action.

Q: How do I decode an encoded authorization failure message?

When an API call fails, AWS often returns an encrypted string in the error message. If your user has permission to decode, run: 'aws sts decode-authorization-message --encoded-message <message-string>'. This returns a JSON payload showing exactly which policy block (like an SCP or boundary) caused the deny.

Q: Why does my API call fail even though my IAM user has AdministratorAccess?

Check if the resource (like an S3 bucket or KMS key) has a resource-based policy that explicitly denies your account. Explicit denies always override allows. Also, check if you are restricted by a Service Control Policy (SCP) at the AWS Organization level.

Q: Why do KMS keys trigger AccessDeniedException?

If your application reads an encrypted S3 object, it must have permission to both 's3:GetObject' and 'kms:Decrypt' on the key used for encryption. Lacking KMS permissions triggers an AccessDeniedException.

Still having this problem?

Didn't solve your problem?

SuggestRequest Error