Fix AWS S3 that returns Access Denied

We'll check credentials, IAM policies, bucket policy, and object ACLs—using aws s3 ls, aws s3api get-object-acl, and IAM review—or tell you when to escalate.

Category: Troubleshooting · AWS & cloud
Time: 10–25 min

What you'll need
  • AWS CLI configured with credentials
  • Bucket name and object key (if testing object access)
  • Permissions to view IAM policies and bucket policy (or console access)

Step-by-step diagnostic


Steps

Goal: Isolate where Access Denied occurs, then fix IAM, bucket policy, or object ACL.

  • Run aws s3 ls to test bucket listing. Run aws s3 ls s3://bucket-name/ to test object listing. Run aws s3 cp s3://bucket-name/key . to test object download.
  • Good: You know which call fails. Proceed to Confirm where Access Denied occurs.
  • Bad: All succeed—the issue may be intermittent or resolved.

Confirm where Access Denied occurs

Goal: Identify whether the failure is account-level, bucket-level, or object-level.

  • Run aws s3 ls. If Access Denied, the issue is s3:ListAllMyBuckets or account.
  • Run aws s3 ls s3://bucket-name/. If Access Denied, the issue is s3:ListBucket or bucket policy.
  • Run aws s3 cp s3://bucket-name/object-key . (the trailing dot is the download destination, the current directory). If Access Denied, the issue is s3:GetObject or object ACL.
  • Good: You isolate the failing operation. Proceed to Check IAM and bucket policy or Check object ACL.
  • Bad: Error is unclear—check credentials with aws sts get-caller-identity.
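The two sections above are one procedure: confirm the principal, then probe account, bucket and object level in order and note which call is refused. The script below is an added example (not part of this guide) that runs those probes and classifies each outcome. It assumes the AWS CLI v2 is on PATH and configured; the `run` parameter is a hypothetical injection point so the classification logic can be exercised against captured CLI output instead of live calls. One detail worth knowing: `aws s3 cp` issues HeadObject first, and a refused HeadObject is reported as "(403) ... Forbidden" rather than "AccessDenied", so the classifier accepts both spellings.

```python
"""Added example, not part of the guide: run the guide's probes in order and
classify each outcome so the failing layer (account, bucket, object) is
explicit. Assumes AWS CLI v2 on PATH; `run` is a hypothetical injection point
so the logic can be exercised against captured output instead of live calls."""
import subprocess
import sys
import tempfile
from typing import Callable, List, Tuple

Runner = Callable[[List[str]], Tuple[int, str]]   # argv -> (exit code, stderr)


def run_cli(argv: List[str]) -> Tuple[int, str]:
    """Default runner: execute the command and capture its stderr."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stderr


def is_denied(stderr: str) -> bool:
    """Authorization failure in CLI output. `aws s3 cp` issues HeadObject
    first, and that failure is reported as '(403) ... Forbidden' rather than
    'AccessDenied', so both spellings are treated as a denial."""
    return any(tok in stderr for tok in ("AccessDenied", "(403)", "Forbidden"))


def probes(bucket: str, key: str):
    """The three probes from the guide, with the permission each exercises."""
    return [
        ("account", ["aws", "s3", "ls"],
         "s3:ListAllMyBuckets in the IAM (identity) policy"),
        ("bucket", ["aws", "s3", "ls", f"s3://{bucket}/"],
         f"s3:ListBucket and s3:GetBucketLocation on arn:aws:s3:::{bucket}, "
         "and any Deny in the bucket policy"),
        ("object", ["aws", "s3", "cp", f"s3://{bucket}/{key}", tempfile.mkdtemp()],
         f"s3:GetObject on arn:aws:s3:::{bucket}/{key}, the bucket policy, "
         "and the object ACL"),
    ]


def triage(bucket: str, key: str, run: Runner = run_cli) -> List[dict]:
    """Confirm the principal, then run every probe; each result carries
    status 'ok', 'denied' or 'error' plus what to check next."""
    rc, err = run(["aws", "sts", "get-caller-identity"])
    if rc != 0:
        raise RuntimeError("credentials unusable, fix the profile first: " + err.strip())
    results = []
    for layer, argv, check in probes(bucket, key):
        rc, err = run(argv)
        if rc == 0:
            status, note = "ok", ""
        elif is_denied(err):
            status, note = "denied", check
        else:
            status, note = "error", err.strip()   # not an authorization problem
        results.append({"layer": layer, "command": " ".join(argv),
                        "status": status, "check": note})
    return results


def summarize(results: List[dict]) -> str:
    """One line per failing layer. An account-level denial alone does not
    block bucket access, which is why every probe runs instead of stopping
    at the first failure."""
    lines = [f"{r['layer']}: {r['check']}" for r in results if r["status"] != "ok"]
    return "\n".join(lines) or "all probes succeeded: issue may be intermittent or resolved"


if __name__ == "__main__":
    # usage: python triage_s3.py <bucket> <key>
    print(summarize(triage(sys.argv[1], sys.argv[2])))
```

Run it with the bucket name and object key; the summary names the failing layer and the permission or policy to inspect next, which is what the later steps of this guide need as input.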

Check IAM and bucket policy

Goal: Confirm IAM grants the required actions and bucket policy does not Deny.

  • Run aws sts get-caller-identity to confirm your principal.
  • Check IAM policies for s3:GetObject, s3:ListBucket, s3:GetBucketLocation. s3:ListBucket and s3:GetBucketLocation must be granted on the bucket ARN (arn:aws:s3:::bucket-name); s3:GetObject must be granted on the object ARN pattern (arn:aws:s3:::bucket-name/*). A policy that names only bucket-name/* does not cover ListBucket.
  • In the S3 console open the bucket, then Permissions, then Bucket policy (or run aws s3api get-bucket-policy --bucket bucket-name). Look for Deny statements that match your principal.
  • Good: IAM allows and no Deny blocks you. Proceed to Check object ACL if GetObject fails.
  • Bad: IAM lacks permissions or bucket policy Denies—add IAM or fix bucket policy.

Check object ACL

Goal: Inspect the object-level ACL when GetObject fails but ListBucket works. If the bucket's Object Ownership setting is "Bucket owner enforced", ACLs are disabled and this step does not apply; go back to IAM and the bucket policy instead.

  • Run aws s3api get-object-acl --bucket bucket-name --key object-key.
  • Check the grants. Your principal or a group you belong to needs read permission.
  • When the ACL is restrictive and you have s3:PutObjectAcl, run aws s3api put-object-acl --bucket bucket-name --key object-key --acl bucket-owner-full-control (a canned ACL that gives both the object owner and the bucket owner FULL_CONTROL, the usual fix for objects uploaded from another account) or add a specific grant.
  • Good: ACL allows or you fix it. GetObject succeeds.
  • Bad: You cannot change ACL—contact the bucket owner.
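Reading the grants by eye is error-prone, so here is an added example (not the guide's code) that interprets `aws s3api get-object-acl` output for one reader, after first checking whether ACLs apply at all via the `aws s3api get-bucket-ownership-controls` output. The ACL JSON is constructed sample output in the shape the CLI prints, and the canonical IDs are placeholders; your own canonical ID comes from `aws s3api list-buckets --query Owner.ID --output text`. The sample models the case this step is about: an object written by another account without granting the bucket owner, so ListBucket works but GetObject is denied.

```python
"""Added example (not the guide's code): interpret `aws s3api get-object-acl`
output for one reader, after first checking whether ACLs apply at all.
The JSON below is constructed sample output in the shape the CLI prints;
canonical IDs are placeholders."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}

BUCKET_OWNER_ID = "BUCKET_OWNER_CANONICAL_ID_PLACEHOLDER"
UPLOADER_ID = "UPLOADER_CANONICAL_ID_PLACEHOLDER"

# Constructed: object written by another account without granting the bucket
# owner, the classic case where ListBucket works but GetObject is denied.
SAMPLE_ACL = json.loads("""{
  "Owner": {"DisplayName": "uploader", "ID": "%s"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "%s"}, "Permission": "FULL_CONTROL"}
  ]
}""" % (UPLOADER_ID, UPLOADER_ID))


def acls_disabled(ownership_controls):
    """True when `aws s3api get-bucket-ownership-controls` reports
    BucketOwnerEnforced: ACLs are then ignored and only policies matter."""
    rules = ownership_controls.get("OwnershipControls", {}).get("Rules", [])
    return any(rule.get("ObjectOwnership") == "BucketOwnerEnforced" for rule in rules)


def acl_read_status(acl, reader_id, bucket_owner_id, ownership_controls=None):
    """Return (status, detail); status is 'not-applicable', 'granted' or 'not-granted'."""
    if ownership_controls is not None and acls_disabled(ownership_controls):
        return "not-applicable", "ACLs disabled (BucketOwnerEnforced); check IAM and bucket policy"
    for grant in acl.get("Grants", []):
        grantee, permission = grant["Grantee"], grant["Permission"]
        if permission not in READ_PERMISSIONS:
            continue
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == reader_id:
            return "granted", "direct grant %s" % permission
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            return "granted", "group grant %s via %s" % (permission, grantee["URI"].rsplit("/", 1)[1])
    owner_id = acl.get("Owner", {}).get("ID")
    if reader_id == bucket_owner_id and owner_id != bucket_owner_id:
        return "not-granted", ("object is owned by another account; the uploader must apply "
                               "--acl bucket-owner-full-control (put-object-acl) or re-upload")
    return "not-granted", "no READ or FULL_CONTROL grant for %s" % reader_id


def acl_after_bucket_owner_full_control(acl, bucket_owner_id):
    """ACL after `put-object-acl --acl bucket-owner-full-control`: the canned ACL
    replaces the grants with FULL_CONTROL for the object owner and the bucket owner."""
    owner = acl["Owner"]
    return {"Owner": owner, "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": owner["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": bucket_owner_id}, "Permission": "FULL_CONTROL"}]}


if __name__ == "__main__":
    print(acl_read_status(SAMPLE_ACL, BUCKET_OWNER_ID, BUCKET_OWNER_ID))
    fixed = acl_after_bucket_owner_full_control(SAMPLE_ACL, BUCKET_OWNER_ID)
    print(acl_read_status(fixed, BUCKET_OWNER_ID, BUCKET_OWNER_ID))
```

To use it on a real object, pipe the `get-object-acl` JSON into `json.load` and pass your canonical ID as `reader_id`; a "granted" result via AllUsers or AuthenticatedUsers is worth a second look, since those group grants expose the object far more widely than one reader needs.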

Add or fix IAM policy

Goal: Add missing IAM permissions when IAM is the cause.

  • Create or edit a policy with s3:GetObject, s3:ListBucket, s3:GetBucketLocation for the bucket ARN and arn:aws:s3:::bucket-name/*.
  • Attach it to the user or role. For cross-account access, the bucket policy in the owning account must also grant your principal.
  • Good: Policy attached. Retry aws s3 ls and aws s3 cp.
  • Bad: Policy change rejected—check IAM permissions for policy attachment.

Fix bucket policy Deny

Goal: Remove or narrow a Deny in the bucket policy that blocks your principal.

  • Edit the bucket policy. Narrow the Deny so it no longer matches your principal, or remove it if it is genuinely unneeded; Deny statements usually enforce a control, so prefer narrowing over deleting.
  • For cross-account access, add an Allow statement with your principal ARN and s3:GetObject.
  • Save the policy. Retry access.
  • Good: Access works.
  • Bad: You cannot edit bucket policy—contact bucket owner or AWS support.
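The sections "Check IAM and bucket policy", "Add or fix IAM policy" and "Fix bucket policy Deny" all come down to one rule set: an explicit Deny in either document wins; in the same account an Allow in either the IAM policy or the bucket policy is enough; across accounts both must Allow. The evaluator below is an added example (not the guide's code and not AWS's authorization engine) that applies that rule set to policy documents so the outcome of a proposed change can be checked before it is applied. It is deliberately simplified: only Effect, Action, Resource and Principal with `*`/`?` wildcards are modelled, and statements using Condition, NotAction, NotResource or NotPrincipal are rejected; SCPs, permission boundaries, VPC endpoint policies and session policies are not considered, so treat a result as a pointer to where to look and confirm with the IAM policy simulator. The principal ARN, account IDs and bucket name are constructed placeholders. It also covers the cross-account case the text mentions, which the same-account guide steps do not walk through.

```python
"""Simplified IAM/bucket-policy evaluator (added example, not AWS's algorithm).
Models only Effect, Action, Resource and Principal with '*'/'?' wildcards.
Condition, NotAction/NotResource/NotPrincipal, SCPs, permission boundaries,
VPC endpoint and session policies are NOT modelled: use the result to decide
where to look, and confirm with the IAM policy simulator."""
import fnmatch

# Constructed placeholders: not real account IDs or buckets.
PRINCIPAL = "arn:aws:iam::111111111111:role/analytics"
BUCKET_OWNER = "111111111111"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# The mistake the guide warns about: object ARN granted, bucket ARN forgotten,
# so s3:ListBucket is implicitly denied while s3:GetObject works.
IDENTITY_POLICY_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}

# Corrected: bucket-level actions on the bucket ARN, object action on bucket/*.
IDENTITY_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}

# Bucket policy with an explicit Deny on one prefix for every principal.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BlockRestrictedPrefix", "Effect": "Deny", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/restricted/*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards are '*' and '?'; fnmatchcase compares the rest literally.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    spec = stmt.get("Principal")
    if spec is None or spec == "*":        # identity policy, or anyone
        return True
    allowed = _as_list(spec.get("AWS", []))
    # Granting the account root delegates to that account's own IAM policies.
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return "*" in allowed or principal_arn in allowed or account_root in allowed


def _applies(stmt, principal_arn, action, resource):
    unsupported = {"Condition", "NotAction", "NotResource", "NotPrincipal"} & set(stmt)
    if unsupported:
        raise ValueError("statement %r uses %s, which is not modelled here"
                         % (stmt.get("Sid"), sorted(unsupported)))
    actions = [a.lower() for a in _as_list(stmt["Action"])]   # action names are case-insensitive
    return (_principal_matches(stmt, principal_arn)
            and _matches(actions, action.lower())
            and _matches(stmt["Resource"], resource))


def _decision(policy, principal_arn, action, resource):
    """'deny', 'allow' or None (no matching statement) for one document."""
    outcome = None
    for stmt in _as_list(policy.get("Statement", [])):
        if _applies(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "deny"                  # explicit Deny always wins
            outcome = "allow"
    return outcome


def evaluate(identity_policy, bucket_policy, principal_arn, bucket_owner, action, resource):
    """Return (verdict, reason) with verdict 'allowed' or 'denied'."""
    iam = _decision(identity_policy, principal_arn, action, resource)
    bkt = _decision(bucket_policy, principal_arn, action, resource)
    if "deny" in (iam, bkt):
        return "denied", "explicit Deny in %s" % ("bucket policy" if bkt == "deny" else "IAM policy")
    if principal_arn.split(":")[4] == bucket_owner:
        # Same account: an Allow in either document is enough.
        if "allow" in (iam, bkt):
            return "allowed", "Allow found in %s" % ("IAM policy" if iam else "bucket policy")
        return "denied", "implicit deny: no Allow for %s on %s" % (action, resource)
    # Cross-account: the caller's IAM policy and the owner's bucket policy must both Allow.
    if iam == "allow" and bkt == "allow":
        return "allowed", "cross-account: both IAM and bucket policy Allow"
    missing = "bucket policy" if iam == "allow" else "IAM policy"
    return "denied", "cross-account: %s lacks an Allow for %s" % (missing, action)


if __name__ == "__main__":
    for label, pol in (("broken", IDENTITY_POLICY_BROKEN), ("fixed", IDENTITY_POLICY_FIXED)):
        for act, res in (("s3:ListBucket", BUCKET_ARN),
                         ("s3:GetObject", BUCKET_ARN + "/reports/q1.csv"),
                         ("s3:GetObject", BUCKET_ARN + "/restricted/keys.txt")):
            print(label, act, res, evaluate(pol, BUCKET_POLICY, PRINCIPAL, BUCKET_OWNER, act, res))
```

Running it shows the broken identity policy failing ListBucket with an implicit deny while GetObject succeeds, the corrected policy passing both, and the prefix Deny in the bucket policy still blocking `restricted/` regardless of how generous the IAM side is. Feed it your own documents from `aws iam get-policy-version` and `aws s3api get-bucket-policy` (the latter returns the policy as a JSON string inside a `Policy` field, so parse that string first).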

When to get help

Contact AWS support or the bucket owner when:

  • IAM and bucket policy grant access but you still get Access Denied.
  • The bucket is in another account and you cannot change its policy.
  • Object ACL changes are rejected and you do not own the object.

Provide bucket name, object key, IAM principal from get-caller-identity, and the exact error. Check the AWS Service Health Dashboard for outages.

Verification

  • aws s3 ls lists buckets (or you confirm the failure is bucket-specific).
  • aws s3 ls s3://bucket-name/ lists objects in the bucket.
  • aws s3 cp s3://bucket-name/object-key . downloads the object.
  • No Access Denied errors for the operations you need.

Escalation ladder

Work from the failing call outward. Stop when the problem is fixed.

  1. Confirm where Access Denied occurs: run aws s3 ls, aws s3 ls s3://bucket/, and aws s3 cp to isolate the failing call.
  2. Check IAM policies: verify s3:GetObject, s3:ListBucket, s3:GetBucketLocation in attached policies.
  3. Check bucket policy: look for Deny statements or a missing Allow for cross-account access.
  4. Check object ACL: run aws s3api get-object-acl; fix with put-object-acl if you have permission.
  5. Add or fix IAM or bucket policy: add missing permissions or remove the blocking Deny.
  6. Contact support or bucket owner: provide bucket, key, principal, and exact error.

What to capture if you need help

Before calling support or posting for help, have these ready. It speeds everything up.

  • Bucket name and object key
  • Output of aws sts get-caller-identity
  • Output of aws s3 ls and aws s3 ls s3://bucket/
  • Relevant IAM policy JSON
  • Bucket policy (if accessible)
  • Output of aws s3api get-object-acl (if object-level)

Does aws s3 ls (list buckets) fail with Access Denied?

aws s3 ls without a bucket lists all buckets. Failure means the problem is account-level or the s3:ListAllMyBuckets permission is missing; it does not by itself mean access to a specific bucket is blocked.

Run `aws s3 ls`. Good: buckets list—the issue is bucket or object level. Bad: Access Denied—check IAM for s3:ListAllMyBuckets or use aws s3 ls s3://bucket-name/ with the bucket name.


Check IAM for ListAllMyBuckets

Run `aws sts get-caller-identity`. Check IAM policies for s3:ListAllMyBuckets. Add the permission if missing. Retry aws s3 ls.

Does aws s3 ls s3://bucket-name/ fail?

Listing objects in a bucket tests s3:ListBucket and s3:GetBucketLocation.

Run `aws s3 ls s3://bucket-name/`. Good: objects list—issue is object-level. Bad: Access Denied—check IAM for s3:ListBucket, s3:GetBucketLocation and bucket policy for Deny.


Check IAM and bucket policy for bucket access

Check IAM policies for s3:ListBucket, s3:GetBucketLocation on the bucket ARN. Check bucket policy for Deny. Add IAM permissions or fix bucket policy Deny. Retry aws s3 ls s3://bucket-name/.

Does GetObject (aws s3 cp or get-object) fail?

Object access requires s3:GetObject. An object ACL can also block it.

Run `aws s3 cp s3://bucket-name/key .` or `aws s3api get-object`. Good: object downloads—access works. Bad: Access Denied—check IAM for s3:GetObject, bucket policy, and object ACL with aws s3api get-object-acl.


Check IAM, bucket policy, and object ACL

Check IAM for s3:GetObject on arn:aws:s3:::bucket-name/*. Check bucket policy for Deny. Run `aws s3api get-object-acl --bucket bucket-name --key key`. If ACL restricts, use put-object-acl if you have s3:PutObjectAcl. Otherwise contact bucket owner.

Access works

S3 access is working. No further action needed.

Reviewed by Blackbox Atlas

Frequently asked questions

Why does S3 return Access Denied?
The IAM user or role lacks s3:GetObject, s3:ListBucket, or s3:GetBucketLocation. The bucket policy may explicitly deny. The object ACL may restrict access. Cross-account access requires both IAM and bucket policy.
How do I check S3 permissions?
Run aws s3 ls to test list access. Run aws s3api get-object-acl for object ACLs. Check IAM policies attached to your user or role for s3:GetObject, s3:ListBucket. Check the bucket policy in the S3 console.
When should I contact AWS support?
If you have confirmed IAM and bucket policy grant access but still get Access Denied, or if the bucket is owned by another account and you cannot change its policy. Provide bucket name, object key, and IAM principal.
