Home / AWS / Fix AWS S3 Bucket Policy Access Denied

AWS

Fix AWS S3 Bucket Policy Access Denied

Resolve S3 access denied errors by checking bucket policies, IAM permissions, ACLs, and public access settings.

Published: Apr 2, 20267 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

S3 bucket policies control who can access bucket resources. When access is denied despite valid credentials, the bucket policy, IAM policy, ACLs, or public access settings are blocking the request. S3 evaluates all these together to determine access.

Symptoms

AWS CLI error:

```bash $ aws s3 cp file.txt s3://my-bucket/

upload failed: file.txt to s3://my-bucket/file.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied ```

Console error:

bash

Access Denied
You do not have permission to access this bucket.

Application error:

xml

<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>ABC123</RequestId>
</Error>

Common Causes

1.Bucket policy explicitly denies - Policy has Deny statement
2.Bucket policy doesn't allow principal - Principal not in Allow statement
3.IAM policy doesn't grant permission - User/role lacks S3 permissions
4.Public Access Block enabled - Blocks public bucket policies
5.ACL conflicts - Object or bucket ACL denies access
6.KMS encryption - KMS key policy doesn't allow access
7.VPC endpoint policy - Endpoint policy restricts access
8.Object ownership - Different AWS account owns object

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Bucket Policy

```bash # Get bucket policy aws s3api get-bucket-policy --bucket my-bucket --output json

# If empty, no explicit policy exists (rely on IAM + ACLs) # If present, check for: # - Explicit Deny statements (these override Allow) # - Principal matching your user/role # - Action covering your operation (s3:GetObject, s3:PutObject, etc.) # - Resource matching the bucket and objects ```

Example bucket policy allowing specific user:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/myuser"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Add missing principal:

bash

aws s3api put-bucket-policy --bucket my-bucket --policy '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789:user/myuser"},
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}'

Step 2: Check IAM User/Role Permissions

```bash # Get your current identity aws sts get-caller-identity

# Check attached policies aws iam list-attached-user-policies --user-name myuser aws iam list-attached-role-policies --role-name myrole

# Verify permissions include needed S3 actions aws iam get-policy-version --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess --version-id v1

# For custom policies, check the policy document aws iam get-policy-version --policy-arn arn:aws:iam::123456789:policy/my-s3-policy --version-id v1 ```

Minimum IAM permissions for S3 access:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Step 3: Check Public Access Block Settings

```bash # Get public access block configuration aws s3api get-public-access-block --bucket my-bucket

# If enabled, it blocks: # - Public bucket policies # - Public ACLs # - Any public access to the bucket

# Remove public access block if public access is needed aws s3api delete-public-access-block --bucket my-bucket ```

Step 4: Check Bucket and Object ACLs

```bash # Get bucket ACL aws s3api get-bucket-acl --bucket my-bucket

# Get object ACL aws s3api get-object-acl --bucket my-bucket --key my-file.txt

# ACL grants can conflict with bucket policy # Check for explicit DENY or missing ALLOW for your canonical user ID ```

Set ACL for specific user:

```bash aws s3api put-bucket-acl --bucket my-bucket \ --grant-read 'id="CANONICAL_USER_ID"' \ --grant-write 'id="CANONICAL_USER_ID"'

# Get your canonical user ID aws s3api list-buckets --query Owner.ID ```

Step 5: Check KMS Encryption

```bash # Check bucket encryption aws s3api get-bucket-encryption --bucket my-bucket

# If using SSE-KMS, you need KMS permissions # Check KMS key policy aws kms get-key-policy --key-id KEY_ID --policy-name default ```

KMS key policy must allow your IAM principal:

json

{
  "Sid": "Allow S3 access",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789:user/myuser"},
  "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
  "Resource": "*"
}

Step 6: Check VPC Endpoint Policy

```bash # If using VPC endpoint for S3 aws ec2 describe-vpc-endpoints \ --filters Name=service-name,Values=com.amazonaws.region.s3

# Check endpoint policy aws ec2 get-vpc-endpoint-policy-documents --vpc-endpoint-id vpce-12345

# Endpoint policy may restrict S3 access # Ensure policy allows your operations ```

Step 7: Use Policy Simulator

```bash # Test if IAM policy allows the action aws iam simulate-principal-policy \ --policy-source-arn arn:aws:iam::123456789:user/myuser \ --action-names s3:GetObject \ --resource-arns arn:aws:s3:::my-bucket/*

# Shows "allowed" or specific denial reason ```

Step 8: Check Object Ownership

```bash # For objects uploaded by other accounts aws s3api get-object-acl --bucket my-bucket --key uploaded-by-other.txt

# If object owner is different account, you need: # 1. Object ACL allowing your access # 2. Or bucket owner enforced setting

# Enable bucket owner enforced (recommended) aws s3api put-bucket-ownership-controls --bucket my-bucket \ --ownership-controls '{ "Rules": [{"ObjectOwnership": "BucketOwnerEnforced"}] }' ```

Step 9: Check for Explicit Deny

```bash # Explicit Deny always overrides Allow # Look for Deny statements in bucket policy aws s3api get-bucket-policy --bucket my-bucket \ --query 'Policy' --output text | jq '.Statement[] | select(.Effect=="Deny")'

# Common explicit denies: # - NotPrincipal (everyone except specified) # - Condition based restrictions # - IP address restrictions # - SSL/TLS requirements ```

Step 10: Test Access with Different Principal

```bash # Create test user or use different role aws sts assume-role --role-arn arn:aws:iam::123456789:role/test-role --role-session-name test

# Test with assumed role credentials aws s3 ls s3://my-bucket/

# If works, original principal is the issue # If fails, bucket configuration is the issue ```

S3 Access Evaluation Order

1.IAM user/role identity
2.VPC endpoint policy (if applicable)
3.Bucket policy (explicit Deny first)
4.Bucket ACL
5.Object ACL
6.KMS key policy (for encrypted objects)

Verification

```bash # Test access aws s3 ls s3://my-bucket/

# Upload test file echo "test" | aws s3 cp - s3://my-bucket/test.txt

# Download test file aws s3 cp s3://my-bucket/test.txt -

# Delete test file aws s3 rm s3://my-bucket/test.txt

# All should succeed without AccessDenied error ```

[Fix AWS S3 CORS Config Missing](/articles/fix-aws-s3-cors-config-missing)
[Fix AWS S3 Replication Not Working](/articles/fix-aws-s3-replication-not-working)
[Fix AWS S3 Lifecycle Rule Not Expiring](/articles/fix-aws-s3-lifecycle-rule-not-expiring)

[AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
[AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
[AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
[AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
[AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

AWS S3 Bucket Policy Access Denied AWS S3 Bucket Policy Access Denied AWS AWS S3 Bucket Policy Access Denied troubleshooting AWS S3 Bucket Policy Access Denied fix Resolve S3 access denied errors by checking bucket policies, IAM permissions, ACLs, and public access settings AWS Resolve S3 access denied errors by checking bucket policies, IAM permissions, ACLs, and public access settings

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

AWS Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this aws-errors troubleshooting guide applies to my situation?

This guide is designed for aws-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these aws-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of aws-errors issue?

Most aws-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this aws-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for aws-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 2, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation

Fix AWS S3 Bucket Policy Access Denied

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Bucket Policy

Step 2: Check IAM User/Role Permissions

Step 3: Check Public Access Block Settings

Step 4: Check Bucket and Object ACLs

Step 5: Check KMS Encryption

Step 6: Check VPC Endpoint Policy

Step 7: Use Policy Simulator

Step 8: Check Object Ownership

Step 9: Check for Explicit Deny

Step 10: Test Access with Different Principal

S3 Access Evaluation Order

Verification

People also search for

Browse Guides from Other Categories

WordPress

SSL

DNS

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading

Fix AWS S3 Bucket Policy Access Denied

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Bucket Policy

Step 2: Check IAM User/Role Permissions

Step 3: Check Public Access Block Settings

Step 4: Check Bucket and Object ACLs

Step 5: Check KMS Encryption

Step 6: Check VPC Endpoint Policy

Step 7: Use Policy Simulator

Step 8: Check Object Ownership

Step 9: Check for Explicit Deny

Step 10: Test Access with Different Principal

S3 Access Evaluation Order

Verification

Related Issues

Related Articles

People also search for

Share this guide

More AWS Troubleshooting Guides

Browse Guides from Other Categories

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading