AWS S3 Permission Denied — How to Fix
S3 permission denied errors stop uploads, downloads, and data access cold. This guide covers every common cause and how to fix each one.
What You'll Learn
How to diagnose and fix S3 access denied errors by checking IAM policies, bucket policies, block public access, and ACL configurations.
Why It Matters
S3 permission errors can bring down production systems, break CI/CD pipelines, and block critical data access.
Real-World Use
Your backup script on an EC2 instance fails with AccessDenied when trying to upload logs to an S3 bucket.
Step 1 — Check the Exact Error Message
The error message tells you exactly which permission is missing:
AccessDenied: User: arn:aws:iam::123456:user/deploy is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::my-bucket/logs/app.log
Expected output: The error specifies the API call (PutObject), the resource (the bucket/key), and the identity (user/role).
Step 2 — Check IAM Policy
Attach the minimum required permissions to your IAM user or role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
Expected behavior: After attaching the policy, the user can perform the allowed S3 operations.
Common Causes and Fixes
Bucket Policy Denies Access
Check the bucket policy under Permissions → Bucket Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Remove or modify any Deny statements that block your use case.
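The checks from Step 1, Step 2 and the bucket-policy section, combined into one offline script. This is an added example, not code from the original page: it parses the AccessDenied message and evaluates the request against the two sample policies shown above. The function names are hypothetical, and the evaluator is a simplification that assumes same-account access and looks only at Effect, Action and Resource (Principal, Condition, permission boundaries and SCPs are not modelled).

```python
import re
# Constructed sample input: the Step 1 error and the two policies shown on this page.
ERROR = ("AccessDenied: User: arn:aws:iam::123456:user/deploy is not authorized "
         "to perform: s3:PutObject on resource: arn:aws:s3:::my-bucket/logs/app.log")
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}

def parse_denied(message):
    """Extract identity, action and resource from an AccessDenied message."""
    m = re.search(r"User: (\S+) is not authorized to perform: (\S+) "
                  r"on resource: (\S+)", message)
    if not m:
        raise ValueError("not a recognised AccessDenied message")
    return dict(zip(("identity", "action", "resource"), m.groups()))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _matches(stmt, action, resource):
    # Action names compare case-insensitively; resource ARNs are case-sensitive.
    return (any(_wild(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
            and any(_wild(r, resource) for r in _as_list(stmt["Resource"])))

def evaluate(action, resource, **policies):
    """Simplified same-account check: an explicit Deny in any policy wins,
    then any Allow, otherwise implicit deny. Returns (decision, policy name)."""
    allowed_by = None
    for name, policy in policies.items():
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return ("explicit deny", name)
            allowed_by = allowed_by or name
    return ("allow", allowed_by) if allowed_by else ("implicit deny", None)

if __name__ == "__main__":
    req = parse_denied(ERROR)
    print(req, evaluate(req["action"], req["resource"], iam=IAM_POLICY, bucket=BUCKET_POLICY))
```

With both sample policies loaded, the upload is an explicit deny from the bucket policy even though the IAM policy allows it, which is why adding more IAM permissions does not clear this kind of error.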
Block Public Access Settings
If you need public access, check Settings → Block Public Access:
- Uncheck "Block all public access"
- Configure specific blocks based on your security requirements
Expected behavior: Public access settings override IAM and bucket policies — if enabled, they block all public access regardless of other permissions.
S3 ACLs Conflict
Check if ACLs are enabled on the bucket. If so, the bucket owner or object uploader may need explicit ACL grants:
aws s3api put-object-acl --bucket my-bucket --key file.txt --acl bucket-owner-full-control
Wrong Region Endpoint
Ensure you're using the correct regional endpoint:
AWS_DEFAULT_REGION=us-east-1 aws s3 cp file.txt s3://my-bucket/
Expected behavior: Using the wrong region returns a redirect or permission error.
KMS Encryption Key Issues
If the bucket uses SSE-KMS encryption, the IAM user needs kms:GenerateDataKey and kms:Decrypt permissions:
{
  "Effect": "Allow",
  "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "arn:aws:kms:us-east-1:123456:key/your-key-id"
}
Prevention Tips
- Use IAM roles instead of long-lived access keys for EC2/Lambda
- Apply least-privilege IAM policies from day one
- Enable CloudTrail to audit S3 API calls
- Test S3 permissions in a dev AWS account first
Quick Reference
| Symptom | Check | Fix |
|---|---|---|
| AccessDenied on upload | IAM policy | Add s3:PutObject permission |
| AccessDenied on list | Bucket policy | Remove Deny statements |
| Public access blocked | Block Public Access | Configure the specific block settings you need |
| KMS error | KMS key policy | Add kms:GenerateDataKey |
| Cross-account access | Bucket policy | Add the principal to an Allow statement |
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.