S3 bucket access denied even with correct IAM policy

Credits: a-head-is-caged-its-eye-watching

Issue:
S3 bucket returns Access Denied when trying to read/write objects, even though the IAM policy looks correct.

Context:
Happens a lot. You create a bucket, attach a policy to the IAM user or role, but still get “Access Denied.” Most of the time, the problem is either missing bucket policy, incorrect resource ARN, or block public access settings overriding everything.

Checklist / Fix:

  1. Check if Bucket Has “Block Public Access” Enabled
    • Go to S3 → Bucket → Permissions → Block Public Access
    • If you’re using a public access policy (e.g., website hosting), make sure this is disabled.
    • Otherwise, it silently overrides public grants in bucket policies and ACLs, whatever the policy text says.
  2. Check the IAM Policy
    • Example minimal policy for full access to a bucket (complete policy document, attach to the user or role):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::my-bucket-name",
              "arn:aws:s3:::my-bucket-name/*"
            ]
          }
        ]
      }
    • Gotcha: You need both the bucket ARN (...:my-bucket-name) and the object path (...:my-bucket-name/*) for full access. Bucket-level actions such as ListBucket are evaluated against the bucket ARN, while object-level actions such as GetObject and PutObject are evaluated against the object ARN, so a policy with only one of them works for some calls and is denied for others.
  3. Check the Bucket Policy (Optional)
    • If you’re granting access to another AWS account or a service, you might need a bucket policy too.
    • Example (complete bucket policy; replace the account ID and user name with your own):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::123456789012:user/SomeUser" },
            "Action": "s3:*",
            "Resource": [
              "arn:aws:s3:::my-bucket-name",
              "arn:aws:s3:::my-bucket-name/*"
            ]
          }
        ]
      }
  4. Verify Role Permissions (if using EC2, Lambda, etc.)
    • Check if the instance role or execution role has the right permissions.
    • IAM user policy ≠ EC2 role policy.
  5. Test with AWS CLI
    Run:
      aws s3 ls s3://my-bucket-name --profile my-profile
    or
      aws s3api get-object --bucket my-bucket-name --key test.txt test.txt
    If still denied, the error message will often tell you if it’s a permissions issue or something else (like a missing file).
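To see the step 2 gotcha concretely before touching AWS, here is an added example (not part of the original note) that evaluates an identity policy the way IAM does for a single S3 call: explicit Deny wins, then any matching Allow, otherwise implicit deny. It only models the identity policy; bucket policies, Block Public Access, ACLs and SCPs from the other checklist steps are out of scope. The two sample policies and the bucket-level action list are constructed for this example.

```python
import fnmatch

# Constructed sample policies. BROKEN has only the bucket ARN (the step 2 gotcha);
# FIXED has both the bucket ARN and the object ARN.
BROKEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket-name"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket-name", "arn:aws:s3:::my-bucket-name/*"]}]}

# Bucket-level actions are evaluated against the bucket ARN; everything else
# (GetObject, PutObject, DeleteObject, ...) against the object ARN bucket/key.
# Short, constructed list; the real set of bucket-level actions is longer.
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation", "s3:getbucketpolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # IAM treats "*" and "?" as wildcards; action names match case-insensitively
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, bucket, key=""):
    """Identity-policy evaluation for one S3 call: an explicit Deny wins,
    otherwise any matching Allow wins, otherwise implicit deny (Access Denied)."""
    if action.lower() in BUCKET_LEVEL:
        arn = f"arn:aws:s3:::{bucket}"
    else:
        arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), arn):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_resources(policy, bucket):
    """Which of the two ARNs from the step 2 gotcha no Allow statement covers."""
    needed = {"bucket": f"arn:aws:s3:::{bucket}", "objects": f"arn:aws:s3:::{bucket}/*"}
    return [name for name, arn in needed.items()
            if not any(s["Effect"] == "Allow" and _matches(s.get("Resource", []), arn)
                       for s in policy["Statement"])]

if __name__ == "__main__":
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "ListBucket:", is_allowed(pol, "s3:ListBucket", "my-bucket-name"),
              "GetObject:", is_allowed(pol, "s3:GetObject", "my-bucket-name", "test.txt"),
              "missing:", missing_resources(pol, "my-bucket-name"))
```

With the broken policy, `aws s3 ls` succeeds while `get-object` is denied, which is exactly the confusing half-working behaviour the checklist describes.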

Conclusion:
Even if the IAM policy looks good, always check:

  • Bucket policy
  • Block Public Access settings
  • Whether you’re missing one of the required ARNs
  • The execution role if it’s a service

This issue is almost always about overlapping/conflicting permissions.