How to debug AWS S3 Access Denied Errors for ListObjects

Introduction
Access Denied errors from S3 are generally caused by a misconfiguration rather than a service fault. There are a few things you can check to confirm that your IAM permissions and your bucket are configured correctly.
Check IAM Policy for S3 Bucket
A common mistake is to grant permissions only on the objects within the bucket (the arn:aws:s3:::bucketname/* resource). The ListObjects API call is authorized by the s3:ListBucket action, and that action is evaluated against the bucket ARN itself, so you must also grant permissions on the bucket.
For example, in the policy below:
- We grant the ListBucket permission on the bucket itself (arn:aws:s3:::bucketname)
- We grant the GetObject permission on all objects within the bucket (arn:aws:s3:::bucketname/*)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketname/*"
            ]
        }
    ]
}
Check Bucket Policy
If your IAM policy is configured correctly and you still can't access your S3 bucket, there might be an issue with the bucket policy. An explicit Deny in the bucket policy overrides any Allow in your IAM policy.
For example, the following bucket policy uses Deny with a NotIpAddress condition to restrict access to an S3 bucket to a specific IP address range: every request that does not originate from that range is denied, whatever the caller's IAM permissions say.
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "54.XX.XX.0/24"
                }
            }
        }
    ]
}
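To see both checks above at work offline, here is an added example (not part of the original article or any AWS library) that evaluates an s3:ListBucket request against constructed copies of the two policies with a simplified version of the IAM decision rule: an applicable explicit Deny wins, otherwise an applicable Allow, otherwise implicit deny. The evaluate() function, the sample policies and the 54.0.0.0/24 placeholder range are all assumptions of this example; it returns implicit_deny for the "objects only" policy, allow for the corrected IAM policy, and explicit_deny once the IP-restricted bucket policy is added and the request comes from an address outside the range.

```python
import fnmatch
import ipaddress

# Constructed sample policies, not taken from any real account.
MISTAKEN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::bucketname/*"]}]}  # objects only: the bucket ARN is missing
CORRECT_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::bucketname"]},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::bucketname/*"]}]}
IP_DENY_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::bucketname", "arn:aws:s3:::bucketname/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "54.0.0.0/24"}}}]}  # placeholder CIDR
BUCKET_ARN = "arn:aws:s3:::bucketname"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_met(condition, ctx):
    # Only the IpAddress / NotIpAddress operators used on this page are modelled.
    for op, pairs in condition.items():
        if op not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(op)
        for key, cidrs in pairs.items():
            ip = ipaddress.ip_address(ctx[key])
            inside = any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))
            if inside != (op == "IpAddress"):
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request, applying
    the IAM rule that a matching explicit Deny in any policy beats every Allow."""
    ctx, decision = ctx or {}, "implicit_deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                    and _condition_met(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision
```

Call evaluate([MISTAKEN_IAM], "s3:ListBucket", BUCKET_ARN) to reproduce the ListObjects failure; the same policy still allows s3:GetObject on an object ARN, which is why the mistake is easy to miss.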