Debug: AWS S3 access denied troubleshooting
Tags: debug, aws, Major, pending, S3, AccessDenied, IAM, policy, bucket-policy, permissions
Error Messages
Problem
S3 operations fail with AccessDenied even though the IAM policy looks correct.
Solution
An S3 AccessDenied error has many possible causes; work through each of the following checks:
- Check the IAM policy:
    aws iam get-user               # Who am I?
    aws sts get-caller-identity    # What role/user is actually making the call?
  The policy must allow the specific action being used (s3:GetObject, s3:PutObject, s3:ListBucket, s3:DeleteObject).
  Note that s3:ListBucket is evaluated against the BUCKET ARN, while s3:GetObject/s3:PutObject are evaluated against the OBJECT ARN (bucket/*), so both resources must appear:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::my-bucket"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:GetObject", "s3:PutObject"],
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }
- Bucket policy might DENY:
    aws s3api get-bucket-policy --bucket my-bucket
  An explicit Deny overrides any Allow, whether the Allow comes from the IAM policy or the bucket policy.
- Block Public Access settings:
    aws s3api get-public-access-block --bucket my-bucket
  These settings can block access even if the policy allows it.
- Encryption requirements:
  The bucket requires SSE but the upload doesn't specify it; pass the SSE option explicitly:
    aws s3 cp file.txt s3://bucket/ --sse AES256
- VPC endpoint policy:
  If accessing from a VPC, the endpoint policy may restrict which buckets or actions are reachable.
- Object ownership:
  Objects uploaded by other accounts may not be accessible to the bucket owner.
  Fix: set the bucket-owner-full-control ACL on upload.
- MFA delete enabled:
  The bucket requires MFA for delete operations.
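The checks above are easier to reason about when you can reproduce them offline. The following is an added example, not code from the original note or from AWS: a small simulator of the evaluation rules the checklist relies on (explicit Deny beats Allow, no matching Allow is an implicit deny, s3:ListBucket matches the bucket ARN and not the object ARN, and Block Public Access applies regardless of policy). The policies, the bucket name "my-bucket", the Block Public Access flag and the request contexts are all constructed for the example; only the Allow/Deny effects, Action/Resource wildcards and the "Null" condition operator are modelled. VPC endpoint policies, object ownership and MFA Delete are not covered.

```python
"""Offline simulator for the S3 authorization checks in the troubleshooting
checklist. Added example; it models only the subset of IAM needed to show why
a request is denied although "the policy looks correct"."""
from fnmatch import fnmatchcase

# Constructed sample identity policy (the correct shape from the checklist).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# The classic mistake: every action granted on the object ARN only, so
# s3:ListBucket (evaluated against the bucket ARN) never matches.
MISCONFIGURED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# Constructed bucket policy enforcing SSE: explicit Deny on any PutObject
# that arrives without the x-amz-server-side-encryption header.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my-bucket/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}

BLOCK_PUBLIC_ACCESS = True  # constructed: what get-public-access-block would report


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource, context):
    """True if the statement applies to this request (action, resource, condition)."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    # Only the Null operator is modelled: "true" matches when the key is absent.
    for key, expected in stmt.get("Condition", {}).get("Null", {}).items():
        key_absent = key not in context
        if key_absent != (expected == "true"):
            return False
    return True


def evaluate(action, resource, context=None,
             policies=(IDENTITY_POLICY, BUCKET_POLICY), anonymous=False):
    """Return (allowed, reason) for one request.

    Order mirrors the checklist: Block Public Access first, then an explicit
    Deny in any policy wins, then an Allow in any policy is required; no
    matching Allow is an implicit deny.
    """
    context = context or {}
    if anonymous and BLOCK_PUBLIC_ACCESS:
        return False, "Block Public Access rejects public access regardless of policy"
    allow_seen = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return False, f"explicit Deny on {stmt['Action']} for {stmt['Resource']}"
            allow_seen = True
    if allow_seen:
        return True, "Allow matched"
    return False, f"no Allow matched {action} on {resource} (implicit deny)"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/file.txt"
    bucket = "arn:aws:s3:::my-bucket"
    print(evaluate("s3:ListBucket", bucket))
    print(evaluate("s3:ListBucket", bucket, policies=(MISCONFIGURED_IDENTITY_POLICY,)))
    print(evaluate("s3:PutObject", obj))  # no SSE header -> explicit Deny
    print(evaluate("s3:PutObject", obj, {"s3:x-amz-server-side-encryption": "AES256"}))
    print(evaluate("s3:GetObject", obj, anonymous=True))
```

Running the script prints one (allowed, reason) pair per case; the reason string is the diagnostic you would want from the real service, which only returns AccessDenied. Swap in the actual policy JSON from `aws s3api get-bucket-policy` (it is the same document shape) to check a suspected ARN or Deny mismatch before changing anything in the account.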