AccessDeniedException
This error occurs when your authenticated AWS credentials do not have the required IAM permissions to perform the requested API operation.
Usually happens because:
- ☑ Target IAM identity-based policy lacks allow rule for the specific API Action
- ☑ Service Control Policies (SCP) or permission boundaries explicitly deny the action
- ☑ Resource-based policies (S3 bucket policy, KMS key policy) restrict access
🔍 Quick Checklist:
What is AccessDeniedException?
An 'AccessDeniedException' is returned by AWS API services (such as DynamoDB, Lambda, S3, or IAM) when the request caller has valid authentication credentials (meaning who they are is verified) but lacks the required IAM policy authorizations (what they are allowed to do is rejected). In modern AWS IAM, authorization failures can be decrypted using the AWS STS 'DecodeAuthorizationMessage' API to inspect the exact failing policy rules.
Common Causes
- Missing IAM Policy permissions: The calling IAM User or Role has no identity-based policy statement allowing the specific action (e.g. 'dynamodb:PutItem').
- Explicit Deny in Policy: A Service Control Policy (SCP), IAM Boundary, or Resource-based policy explicitly denies the action, which overrides all allow rules.
- Resource-based Policy limits: A target resource policy (like an S3 Bucket Policy or KMS Key Policy) blocks access from the calling IAM entity.
| Cause | Frequency |
|---|---|
| Missing Action (e.g. lambda:InvokeFunction) in IAM Policy | ⭐⭐⭐⭐⭐ |
| Resource-based policy (S3/KMS) explicitly blocks calling entity | ⭐⭐⭐⭐ |
| Service Control Policy (SCP) or Boundary restriction | ⭐⭐⭐ |
Common Mistakes
- Assuming AdministratorAccess bypasses KMS key policy restrictions (KMS keys must explicitly delegate authority to IAM or list the calling role in the key policy).
- Confusing Authentication (invalid keys) with Authorization (AccessDeniedException).
How to Fix
AWS Operations & Verification
Attach an IAM Policy to the user or execution role authorizing the specific API action on the target resource ARN.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:GetItem"
],
"Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/ProductTable"
}
]
}Platform Specific Fixes
Decode encrypted AWS authorization messages using the AWS CLI tool.
# Decode encrypted message (requires sts:DecodeAuthorizationMessage permission)
aws sts decode-authorization-message --encoded-message "ENCRYPTED_STRING_GOES_HERE"Best Practices
- Adopt the principle of least privilege, mapping explicit Action rules to target resource ARNs.
- Adopt AWS IAM Access Analyzer to detect unused or excessive resource-based access pathways.
Frequently Asked Questions (FAQ)
Q: What is an AccessDeniedException in AWS?
It is an authorization failure. It means AWS verified your identity (AccessKey/SecretKey), but your IAM user or role does not have the policy permissions required to perform the action.
Q: How do I decode an encoded authorization failure message?
When an API call fails, AWS often returns an encrypted string in the error message. If your user has permission to decode, run: 'aws sts decode-authorization-message --encoded-message <message-string>'. This returns a JSON payload showing exactly which policy block (like an SCP or boundary) caused the deny.
Q: Why does my API call fail even though my IAM user has AdministratorAccess?
Check if the resource (like an S3 bucket or KMS key) has a resource-based policy that explicitly denies your account. Explicit denies always override allows. Also, check if you are restricted by a Service Control Policy (SCP) at the AWS Organization level.
Q: Why do KMS keys trigger AccessDeniedException?
If your application reads an encrypted S3 object, it must have permission to both 's3:GetObject' and 'kms:Decrypt' on the key used for encryption. Lacking KMS permissions triggers an AccessDeniedException.