How to debug AWS S3 Access Denied Errors for ListObjects

Introduction

Access Denied Errors from S3 are generally due to a misconfiguration.

There are a few things that you can check to ensure your bucket is configured correctly.

Table of contents

Introduction
- Check IAM Policy for S3 Bucket
- Check Bucket Policy

Check IAM Policy for S3 Bucket

A common mistake is to only provide permissions to objects within the bucket. You want to ensure that you give permissions to the bucket itself.

For example, in the policy mentioned below:

We provide the ListBucket permission to the bucket itself
We provide the GetObject to all objects within the bucket

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname"
          ]
      },
      {
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname/*"
          ]
      }
  ]
}

Check Bucket Policy

If your IAM policy is configured correctly and you still can’t access your S3 bucket, there might be an issue with the Bucket Policy.

For example, the following bucket policy uses Deny to restrict access to an S3 bucket to a specific IP address.

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.XX.XX.0/24"
                }
            }
        }
    ]
}

Introduction

Check IAM Policy for S3 Bucket

Check Bucket Policy

Read more posts