
AWS S3 Permission Denied — How to Fix

DodaTech Updated 2026-06-22 2 min read

S3 permission denied errors stop uploads, downloads, and data access cold. This guide covers every common cause and how to fix each one.

What You'll Learn

How to diagnose and fix S3 access denied errors by checking IAM policies, bucket policies, block public access, and ACL configurations.

Why It Matters

S3 permission errors can bring down production systems, break CI/CD pipelines, and block critical data access.

Real-World Use

Your backup script on an EC2 instance fails with AccessDenied when trying to upload logs to an S3 bucket.

Step 1 — Check the Exact Error Message

The error message tells you exactly which permission is missing:

AccessDenied: User: arn:aws:iam::123456:user/deploy is not authorized to perform: s3:PutObject on resource: arn:aws:s3:::my-bucket/logs/app.log

Expected output: The error specifies the API call (PutObject), the resource (the bucket/key), and the identity (user/role).

Step 2 — Check IAM Policy

Attach the minimum required permissions to your IAM user or role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Expected behavior: After attaching the policy, the user can perform the allowed S3 operations.

Common Causes and Fixes

Bucket Policy Denies Access

Check the bucket policy under Permissions → Bucket Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Remove or modify any Deny statements that block your use case.

Block Public Access Settings

If you need public access, check Settings → Block Public Access:

  • Uncheck "Block all public access"
  • Configure specific blocks based on your security requirements

Expected behavior: Public access settings override IAM and bucket policies — if enabled, they block all public access regardless of other permissions.

S3 ACLs Conflict

Check if ACLs are enabled on the bucket. If so, the bucket owner or object uploader may need explicit ACL grants:

aws s3api put-object-acl --bucket my-bucket --key file.txt --acl bucket-owner-full-control

Wrong Region Endpoint

Ensure you're using the correct regional endpoint:

AWS_DEFAULT_REGION=us-east-1 aws s3 cp file.txt s3://my-bucket/

Expected behavior: Using the wrong region returns a redirect or permission error.

KMS Encryption Key Issues

If the bucket uses SSE-KMS encryption, the IAM user needs kms:GenerateDataKey and kms:Decrypt permissions:

{
  "Effect": "Allow",
  "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
  "Resource": "arn:aws:kms:us-east-1:123456:key/your-key-id"
}

Prevention Tips

  • Use IAM roles instead of long-lived access keys for EC2/Lambda
  • Apply least-privilege IAM policies from day one
  • Enable CloudTrail to audit S3 API calls
  • Test S3 permissions in a dev AWS account first

Quick Reference

Symptom | Check | Fix
AccessDenied on upload | IAM policy | Add s3:PutObject permission
AccessDenied on list | Bucket policy | Remove Deny statements
Public access blocked | Block Public Access | Configure per-usage blocks
KMS error | KMS key policy | Add kms:GenerateDataKey
Cross-account access | Bucket policy | Add Principal to allow

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
