Troubleshooting guide

AWS S3 Access Denied: IAM, Bucket Policy and Object Ownership Checks

Troubleshoot S3 AccessDenied errors involving IAM policies, bucket policies, ACLs, object ownership, KMS, Block Public Access and wrong accounts.

What this problem usually means

S3 AccessDenied can come from IAM permissions, bucket policies, object ownership, KMS key permissions, public access blocks, explicit denies, wrong region/account, or application credentials using a different role than expected.

Production caution: Do not make a bucket public to “fix” AccessDenied unless the data is intentionally public. Most production S3 access issues should be solved with least-privilege policies.

Common symptoms

  • Application cannot upload or download objects
  • AWS CLI returns AccessDenied
  • Only some prefixes or objects fail
  • Objects uploaded by another account cannot be read
  • Encrypted objects fail while unencrypted ones work

Common causes

  • IAM role lacks required s3 actions
  • Bucket policy has an explicit deny
  • KMS key policy does not allow decrypt/encrypt
  • Object ownership or ACL mismatch
  • Block Public Access conflicts with intended access
  • Application uses different credentials than expected

Safe first checks

These checks are intended to help identify the direction of the issue. Always adjust paths, service names and commands for your environment.

Check caller identity

aws sts get-caller-identity

Test object access

aws s3api head-object --bucket BUCKET --key KEY

Review bucket policy

aws s3api get-bucket-policy --bucket BUCKET

Check KMS on object

aws s3api head-object --bucket BUCKET --key KEY --query ServerSideEncryption

Typical fixes

  • Confirm the actual IAM principal being used
  • Check for explicit denies first
  • Align IAM policy, bucket policy and KMS key policy
  • Review object ownership settings
  • Use scoped prefixes for application access
  • Test with AWS CLI before changing application code
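
One way to carry out the "check for explicit denies first" step offline, as an added example that is not part of the original guide: the Python below lists every Deny statement in a bucket policy whose Action and Resource cover a given request. The sample policy, bucket name, account ID, role and Sids are constructed placeholders. Principal and Condition are reported for manual review, not evaluated.

```python
import fnmatch
import json

# Constructed sample policy: bucket, account ID, role and Sids are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/app/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyFinancePrefix", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/finance/*"},
]})

def _matches(patterns, value, ignore_case=False):
    """True if value matches any IAM-style pattern (* and ? wildcards)."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:  # action names are case-insensitive, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _element_applies(stmt, key, value, ignore_case=False):
    """Evaluate Action/Resource, or the inverted NotAction/NotResource form."""
    if key in stmt:
        return _matches(stmt[key], value, ignore_case)
    return not _matches(stmt.get("Not" + key, []), value, ignore_case)

def explicit_denies(policy_json, action, resource_arn):
    """Return Deny statements whose Action and Resource cover the request."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        if (_element_applies(stmt, "Action", action, ignore_case=True)
                and _element_applies(stmt, "Resource", resource_arn)):
            hits.append({"sid": stmt.get("Sid", "(no Sid)"),
                         "conditional": "Condition" in stmt,  # review by hand
                         "principal": stmt.get("Principal", stmt.get("NotPrincipal"))})
    return hits

if __name__ == "__main__":
    arn = "arn:aws:s3:::example-bucket/finance/q1.csv"
    for hit in explicit_denies(SAMPLE_POLICY, "s3:GetObject", arn):
        print(hit)
```

To run it against a real bucket, pass in the JSON printed by aws s3api get-bucket-policy --bucket BUCKET --query Policy --output text. A hit with conditional set to False denies the request outright for the listed principal; a conditional hit applies only when its Condition block matches the request.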

When to get help

Get help if the system is production-facing, customer data is involved, backups are uncertain, or the issue affects revenue, security or uptime. We can review the logs, confirm the cause and quote a fixed-scope fix where appropriate.
