OSM Linux EngineersContact Us
MainHomeServicesPricingCase StudiesGuidesAboutContact
Service categoriesServer & OperationsWeb StackContainersDatabasesApplicationsCloud & IaCDevelopment & AutomationNetwork, DNS & CDNBackup, Monitoring & SecurityMigrationsFor AgenciesAll Services
Home / Case studies / AWS S3 AccessDenied errors breaking application uploads

Case study

AWS S3 AccessDenied errors breaking application uploads

S3 permission problems can break uploads, backups or application workflows without the whole system going offline. The fix requires checking IAM, bucket policy, object ownership and application configuration together.

Context

Application uploads to S3 started failing with AccessDenied errors after an AWS permission change. The application was still online, but users could no longer complete upload workflows reliably.

The customer needed uploads restored without making the bucket public, granting broad admin access or undoing recent security hardening.

The problem

  • The application IAM role still appeared to have the expected S3 upload permissions.
  • Another AWS user had changed the bucket policy while locking down access for a separate integration.
  • That bucket policy introduced an explicit deny condition that blocked the application role.
  • The obvious IAM role check passed, but the effective S3 permission decision still denied the upload.

Our approach

  • Confirmed the failure was at the S3 permission layer, not in the application code or web server.
  • Reproduced the AccessDenied response using the application’s IAM role and upload path.
  • Compared the IAM role policy, bucket policy and recent AWS changes instead of checking IAM in isolation.
  • Found the restrictive bucket policy change, updated it to allow the application role, and verified uploads without weakening the wider access controls.

Practical outcomes

Upload workflow restoredThe application could write to the intended S3 path again.
Root cause identifiedThe issue was traced to an explicit deny in the bucket policy, not a missing IAM allow.
Security controls preservedThe fix allowed the application role without making the bucket public or granting broad access.
AWS permissions clarifiedThe customer had a clearer view of IAM role policy, bucket policy and effective S3 access.

Relevant technologies and keywords

These are the main technologies, services and search terms connected to this case study.

AWSS3AccessDeniedIAMBucket policyKMSApplication uploadsBackupsCloudWatchS3 permissions

Related services

Relevant services for similar infrastructure problems.

AWS Support

AWS troubleshooting, infrastructure review and cloud support.

View service →

S3 Storage Support

S3 buckets, storage workflows, permissions and backups.

View service →

AWS Security Review

IAM, S3, EC2, VPC and security configuration review.

View service →

AWS CLI Support

AWS CLI troubleshooting, credentials and operational workflows.

View service →

Server Backup Setup

Backup workflows using S3-compatible storage.

View service →

Cloud & IaC Services

AWS, CloudFormation, Ansible and cloud infrastructure support.

View service →

Want help with a similar issue?

Send the symptoms, affected service, recent changes and business impact. We will suggest the most appropriate route: emergency support, a fixed-scope technical fix, an infrastructure review or a wider project.

Contact Us