Troubleshooting Guide: AWS S3 Access Denied

Use this guide to work through the most likely causes, gather useful evidence and make production-safe changes without turning a small problem into a larger outage.

What this problem usually means

S3 AccessDenied can come from IAM permissions, bucket policies, object ownership, KMS key permissions, public access blocks, explicit denies, wrong region/account, or application credentials using a different role than expected.

Production caution: Do not make a bucket public to “fix” AccessDenied unless the data is intentionally public. Most production S3 access issues should be solved with least-privilege policies.

Common symptoms

  • Application cannot upload or download objects
  • AWS CLI returns AccessDenied
  • Only some prefixes or objects fail
  • Objects uploaded by another account cannot be read
  • Encrypted objects fail while unencrypted ones work

Common causes

  • IAM role lacks required s3 actions
  • Bucket policy has an explicit deny
  • KMS key policy does not allow decrypt/encrypt
  • Object ownership or ACL mismatch
  • Block Public Access conflicts with intended access
  • Application uses different credentials than expected

Safe first checks

These checks are intended to help identify the direction of the issue. Always adjust paths, solution names and commands for your environment.

Check caller identity

aws sts get-caller-identity

Test object access

aws s3api head-object --bucket BUCKET --key KEY

Review bucket policy

aws s3api get-bucket-policy --bucket BUCKET

Check KMS on object

aws s3api head-object --bucket BUCKET --key KEY --query ServerSideEncryption

Typical fixes

  • Confirm the actual IAM principal being used
  • Check for explicit denies first
  • Align IAM policy, bucket policy and KMS key policy
  • Review object ownership settings
  • Use scoped prefixes for application access
  • Test with AWS CLI before changing application code
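
To check for explicit denies first, the bucket policy returned by aws s3api get-bucket-policy can be scanned offline for Deny statements that cover the failing action and object. The Python below is an added example, not part of the original guide; the function name explicit_denies, the sample policy, bucket name and account ID are constructed for illustration. It matches Action/Resource (and NotAction/NotResource) only; Principal and Condition are not evaluated, so each hit is returned with its Condition for manual review.

```python
import json
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _applies(stmt, key, value, ignore_case=False):
    # Handles Action/Resource and the inverted NotAction/NotResource forms.
    if key in stmt:
        return any(_match(p, value, ignore_case) for p in _as_list(stmt[key]))
    if "Not" + key in stmt:
        return not any(_match(p, value, ignore_case) for p in _as_list(stmt["Not" + key]))
    return False

def explicit_denies(policy_json, action, resource_arn):
    """Return (Sid, Condition) for each Deny statement covering action + resource."""
    hits = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Deny":
            continue
        # Action names are case-insensitive; S3 resource ARNs are not.
        if (_applies(stmt, "Action", action, ignore_case=True)
                and _applies(stmt, "Resource", resource_arn)):
            hits.append((stmt.get("Sid", f"statement[{i}]"), stmt.get("Condition")))
    return hits

# Constructed sample policy (bucket name and account ID are placeholders).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/app/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyRestrictedPrefix", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/restricted/*"},
    {"Sid": "DenyDeleteOutsideTmp", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "NotResource": "arn:aws:s3:::example-bucket/tmp/*"},
]})

if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/restricted/report.csv"
    for sid, cond in explicit_denies(SAMPLE_POLICY, "s3:GetObject", key):
        print(sid, "conditional: " + json.dumps(cond) if cond else "unconditional")
```

To run it against a real bucket, pass in the policy document from aws s3api get-bucket-policy --bucket BUCKET --query Policy --output text. A hit with no Condition applies to every principal the statement names; a hit with a Condition only blocks requests that satisfy it.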

When to get help

Get help if the system is production-facing, customer data is involved, backup processes are uncertain, or the issue affects revenue, security hardening or uptime. We can review the logs, confirm the cause and quote a fixed-scope fix where appropriate.
