Getting 403 Access Denied errors with your Amazon Simple Storage Service (Amazon S3) operations? For information on the Amazon S3 HTTP status codes, error codes, and their descriptions, see Error responses. Review this curated list of resources to identify the root cause and find troubleshooting instructions for your use case.
Troubleshooting IAM permissions
If your users are unable to access objects in your Amazon S3 bucket and get a 403 Access Denied error, do the following:
- Use the Systems Manager automation to diagnose the issue.
- Check bucket and object ownership.
- Check the policies and IAM permissions.
- Review the user and temporary security credentials.
- Check the AWS KMS encryption configuration.
If your IAM user gets the HTTP 403: Access Denied error when they try to add objects to your Amazon S3 bucket, even though they have the required permissions, then try the following:
- Check the policies for settings that prevent downloads.
If you're getting a 403 Access Denied error when you try to modify the bucket policy for your Amazon S3 bucket, then do the following:
- Check your permissions.
- Use a different IAM entity with access.
- Disable public access.
- Delete service control policies that deny S3 access.
If you're getting a 403 error when you try to download existing objects in an S3 bucket, see Amazon S3 bucket permissions - Access Denied on the Stack Overflow website.
Cross-account access issues
If users from another AWS account get an Access Denied error when they access objects in your S3 bucket that's encrypted with a custom AWS KMS key, then do the following:
- Verify that the permissions in both accounts are set up correctly.
If you want to grant another AWS account access to an object that is stored in an Amazon S3 bucket, then do the following:
- Grant users in the other AWS account granular cross-account access.
Using S3 with other services
If you're getting a 403 Access Denied error when you're using an Amazon S3 bucket as the origin of your Amazon CloudFront distribution, then do the following:
- Determine if your distribution's origin domain name is an S3 website endpoint or an S3 REST API endpoint.
- Troubleshoot accordingly using the linked article.
If your application fails with an HTTP 403 "Access Denied" AmazonS3Exception when you submit it to an Amazon EMR cluster, try the following:
- Check the credentials in your application code.
- Confirm that the policies allow the required Amazon S3 operations.
Accidentally denied access
If you incorrectly configured your bucket policy to deny all users access to your Amazon S3 bucket, try the following:
- Sign in as the root user and delete the bucket policy.
- Use a new bucket policy with the correct permissions.