Introduction

Access Denied Errors from S3 are generally due to a misconfiguration.

There are a few things that you can check to ensure your bucket is configured correctly.

Check IAM Policy for S3 Bucket

A common mistake is to grant permissions only on the objects within the bucket. Bucket-level actions such as ListBucket are checked against the bucket itself, so make sure the policy also grants permissions on the bucket ARN.

For example, in the policy below:

  • We provide the ListBucket permission on the bucket itself (arn:aws:s3:::bucketname)
  • We provide the GetObject permission on all objects within the bucket (arn:aws:s3:::bucketname/*)

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname/*"
          ]
      }
  ]
}

Check Bucket Policy

If your IAM policy is configured correctly and you still can’t access your S3 bucket, there might be an issue with the Bucket Policy.

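For example, the following bucket policy uses Deny to restrict access to an S3 bucket to a specific IP address range (the /24 in aws:SourceIp). An explicit Deny overrides any Allow in the IAM policy, so a request from any other source IP gets Access Denied even when the IAM policy is correct.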

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.XX.XX.0/24"
                }
            }
        }
    ]
}
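
Both checks above as an added example (not part of the original article): a simplified evaluator for same-account requests, where an explicit Deny in any policy wins and otherwise one matching Allow is enough. The bucket name is reused from the article; the 203.0.113.0/24 range and all helper names are constructed, and principal matching and other condition operators are not modelled.

```python
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::your-bucket"  # bucket name as in the article's bucket policy
# IAM policy with the common mistake: permissions on objects only.
IAM_OBJECTS_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [BUCKET + "/*"]},
]}
# Corrected IAM policy, same shape as the one in the article.
IAM_FIXED = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [BUCKET + "/*"]},
]}
# The article's bucket policy; 203.0.113.0/24 is a constructed range.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": [BUCKET, BUCKET + "/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(cond, source_ip):
    """Models only IpAddress / NotIpAddress on aws:SourceIp."""
    ip = ipaddress.ip_address(source_ip)
    for op, keys in cond.items():
        want_inside = {"IpAddress": True, "NotIpAddress": False}[op]  # KeyError otherwise
        nets = _as_list(keys["aws:SourceIp"])
        inside = any(ip in ipaddress.ip_network(n) for n in nets)
        if inside != want_inside:
            return False
    return True

def _matches(stmt, action, resource, source_ip):
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
    return (action_ok and resource_ok
            and _condition_holds(stmt.get("Condition", {}), source_ip))

def evaluate(policies, action, resource, source_ip):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _matches(s, action, resource, source_ip)}
    if "Deny" in effects:
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Calling evaluate with IAM_OBJECTS_ONLY and a ListBucket request on the bucket ARN shows the implicit deny from the first section; adding BUCKET_POLICY and a source IP outside the range shows the explicit deny from the second.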