
How to Fix AWS AccessDeniedException Error

Quick Fix Summary

TL;DR

Check the IAM policy attached to your user/role for explicit 'Deny' statements or missing required permissions.

AWS returns AccessDeniedException (some services report it as AccessDenied, and EC2 as UnauthorizedOperation) when the IAM policy evaluation for the calling principal does not allow the requested action on the requested resource. It is an authorization decision, not a network or service error: either no policy allows the call (an implicit deny) or some policy explicitly denies it.

Diagnosis & Causes

  • No identity-based policy grants the required action on that resource (implicit deny).
  • An explicit Deny matches the request in an identity policy, a permissions boundary, a session policy, or a resource-based policy (e.g. an S3 bucket policy or KMS key policy).
  • A service control policy (SCP) in AWS Organizations does not allow the action for the account, or denies it outright.
  • The credentials in use belong to a different principal than you expect (a stale AWS_ACCESS_KEY_ID in the environment, the wrong --profile, or an assumed-role session instead of the role you edited).
  • The resource lives in another account, so the call also needs that account's resource-based policy (or a role there) to allow it. A wrong region or a typo in the ARN can also surface as a denial: S3, for example, answers 403 rather than 404 for a missing object when the caller lacks s3:ListBucket on the bucket.

Recovery Steps

Step 1: Simulate the Policy to Identify the Deny

Use the IAM policy simulator from the CLI (`simulate-principal-policy`) to see, per action, whether the decision is allowed, implicitDeny or explicitDeny and which statements matched. Replace PRINCIPAL_ARN with the user or role ARN (for an assumed-role session, use the role ARN). Note that s3:ListBucket is evaluated against the bucket ARN while s3:GetObject is evaluated against the object ARN, so pass both resource forms:

```bash
aws iam simulate-principal-policy \
    --policy-source-arn "PRINCIPAL_ARN" \
    --action-names "s3:GetObject" "s3:ListBucket" \
    --resource-arns "arn:aws:s3:::your-bucket-name" "arn:aws:s3:::your-bucket-name/*" \
    --output json
```

The simulator applies the principal's identity policies, its permissions boundary and the account's SCPs. To have a bucket policy considered, pass it with `--resource-policy`; to supply condition keys such as aws:SourceIp or aws:MultiFactorAuthPresent, pass them with `--context-entries`. The caller needs iam:SimulatePrincipalPolicy.
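The simulator prints one EvaluationResult per action and resource pair, and the parts worth reading are EvalDecision, MatchedStatements (which policy and which line matched) and the Organizations and permissions-boundary details. The script below, added here as an example and not AWS tooling, condenses that JSON into one verdict per action. SAMPLE_OUTPUT is constructed in the shape of the real response, not captured from an account, and the policy names in it are made up.

```python
"""Summarise `aws iam simulate-principal-policy --output json` results.
Added example, not AWS code.  SAMPLE_OUTPUT is constructed in the shape of
the real response; the policy names and positions in it are invented."""
import json
import sys

SAMPLE_OUTPUT = """{
  "EvaluationResults": [
    {"EvalActionName": "s3:GetObject", "EvalResourceName": "arn:aws:s3:::your-bucket-name/*",
     "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "S3AppRead", "SourcePolicyType": "user-managed",
                            "StartPosition": {"Line": 3, "Column": 5}, "EndPosition": {"Line": 8, "Column": 6}}],
     "MissingContextValues": [],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": true},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": true}},
    {"EvalActionName": "s3:ListBucket", "EvalResourceName": "arn:aws:s3:::your-bucket-name",
     "EvalDecision": "implicitDeny", "MatchedStatements": [],
     "MissingContextValues": ["aws:SourceVpce"],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": true},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": false}},
    {"EvalActionName": "s3:PutObject", "EvalResourceName": "arn:aws:s3:::your-bucket-name/*",
     "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "DenyWrites", "SourcePolicyType": "role",
                            "StartPosition": {"Line": 12, "Column": 5}, "EndPosition": {"Line": 16, "Column": 6}}],
     "MissingContextValues": [],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": false},
     "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": true}}
  ]
}"""


def explain(result):
    """Return (decision, causes, matched) for one EvaluationResult entry."""
    decision = result["EvalDecision"]
    matched = [f'{s["SourcePolicyType"]} policy {s["SourcePolicyId"]} '
               f'(line {s["StartPosition"]["Line"]})'
               for s in result.get("MatchedStatements", [])]
    causes = []
    if decision == "explicitDeny":
        causes.append("explicit Deny in " + ", ".join(matched))
    elif decision == "implicitDeny":
        causes.append("no statement allows the action")
    # SCPs and permissions boundaries are reported separately from the matched statements.
    if not result.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations", True):
        causes.append("SCP does not allow it")
    if not result.get("PermissionsBoundaryDecisionDetail", {}).get("AllowedByPermissionsBoundary", True):
        causes.append("permissions boundary does not allow it")
    # Condition keys the policies reference but the simulation did not supply
    # (pass them with --context-entries and re-run).
    if result.get("MissingContextValues"):
        causes.append("context keys not supplied: " + ", ".join(result["MissingContextValues"]))
    return decision, causes, matched


def summarize(raw_json):
    """One row per simulated action: decision, causes of a deny, or what allowed it."""
    rows = []
    for r in json.loads(raw_json)["EvaluationResults"]:
        decision, causes, matched = explain(r)
        rows.append({"action": r["EvalActionName"], "resource": r["EvalResourceName"],
                     "decision": decision, "causes": causes,
                     "allowed_by": matched if decision == "allowed" else []})
    return rows


if __name__ == "__main__":
    # Usage: aws iam simulate-principal-policy ... --output json > sim.json; python3 this.py sim.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for row in summarize(raw):
        tail = row["allowed_by"] or row["causes"]
        print(f'{row["decision"]:13} {row["action"]:16} {row["resource"]}: {"; ".join(tail)}')
```

With the sample input the ListBucket row shows two independent problems at once: no statement allows it, and the permissions boundary would block it even if one did. Fixing only the identity policy would leave the call denied.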

Step 2: Confirm the Principal and Compare Effective Permissions

First confirm which principal is actually making the call; many denials turn out to be the wrong profile or a leftover environment variable. Then, for critical roles, use IAM Access Analyzer to compare what the role uses with what it has: policy generation (`start-policy-generation` / `get-generated-policy`) builds a policy from the role's CloudTrail activity, and an unused-access analyzer's finding recommendations (`generate-finding-recommendation` / `get-finding-recommendation`) propose a policy with unused permissions removed. Either output is a baseline to diff against the current policy; neither grants the action that is being denied.

```bash
# 1. Who am I? Compare the Arn with the principal whose policies you have been editing.
aws sts get-caller-identity
# 2. Ask Access Analyzer for a right-sized policy on an unused-access finding, then read it
aws accessanalyzer generate-finding-recommendation \
    --analyzer-arn "arn:aws:access-analyzer:us-east-1:ACCOUNT_ID:analyzer/DefaultAnalyzer" \
    --id "FINDING_ID_FROM_ANALYZER"
aws accessanalyzer get-finding-recommendation \
    --analyzer-arn "arn:aws:access-analyzer:us-east-1:ACCOUNT_ID:analyzer/DefaultAnalyzer" \
    --id "FINDING_ID_FROM_ANALYZER"
```

Step 3: Check for Explicit Denies in All Attached Policies

An explicit Deny overrides any Allow, wherever it lives. Review every policy that applies to the principal: managed and inline identity policies, the permissions boundary (shown in `aws iam get-role` output), the resource policy on the target (for S3, `aws s3api get-bucket-policy --bucket BUCKET`), and the SCPs inherited by the account (from the Organizations management account or a delegated administrator: `aws organizations list-policies-for-target --target-id ACCOUNT_ID --filter SERVICE_CONTROL_POLICY`). Read the policy's default version rather than v1; a policy that was edited after creation is on v2 or higher.

```bash
aws iam list-attached-role-policies --role-name YOUR_ROLE_NAME
aws iam list-role-policies --role-name YOUR_ROLE_NAME
aws iam get-role-policy --role-name YOUR_ROLE_NAME --policy-name INLINE_POLICY_NAME
aws iam get-policy-version --policy-arn POLICY_ARN \
    --version-id "$(aws iam get-policy --policy-arn POLICY_ARN --query Policy.DefaultVersionId --output text)"
```

Step 4: Validate Resource Context and Conditions

A statement with a Condition block applies only when every condition matches the request, so an Allow can silently stop applying when, for example, the call comes from the wrong region or IP range, the session has no MFA, or the resource lacks the expected tag. In the policy below, ec2:StartInstances is allowed only on instances tagged Environment=Production; an instance tagged Environment=Dev, or with no Environment tag at all, is implicitly denied. EC2 reports this as UnauthorizedOperation with an encoded message, which `aws sts decode-authorization-message --encoded-message MESSAGE` expands into the request context and the statements that were evaluated.

```json
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*",
                "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}}]}
```

Architect's Pro Tip

"Use AWS CloudTrail Lake to run SQL queries on historical 'AccessDenied' events. Filter by `errorCode` and `userIdentity.arn` to see the exact denied API call, resource, and denied reason over time."

Frequently Asked Questions

I get AccessDenied even though my IAM policy has an 'Allow'. Why?

An explicit Deny in any applicable policy (identity policy, permissions boundary, session policy, SCP, resource policy) always wins over an Allow. Two policy types can also block you without any Deny: an SCP and a permissions boundary only set the maximum permissions, so an action they do not mention is implicitly denied even though your identity policy allows it. Check the SCPs inherited by the account in AWS Organizations, the role's permissions boundary, and the policy on the resource itself (such as an S3 bucket policy or KMS key policy).
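The evaluation order behind Step 3, Step 4 and this answer can be made concrete with a small model. The code below is an added illustration, not AWS's evaluation engine: it models only Action and Resource wildcards, StringEquals conditions and same-account requests, and its policies (a dev role, a bucket policy with a Deny on a secrets prefix, and one SCP) are constructed samples with invented names. It walks the four outcomes a practitioner meets: an Allow that works, an Allow overridden by an explicit Deny in the bucket policy, an Allow that never takes effect because the SCP does not cover the action, and an Allow whose tag condition does not match.

```python
"""Toy model of the IAM evaluation order: explicit Deny anywhere wins, then the
SCP and permissions boundary must allow, then an identity or same-account resource
policy must allow, otherwise implicit deny.  Added illustration, not AWS code.
Only Action/Resource wildcards and StringEquals conditions are modelled, and all
policies and requests below are constructed samples."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case=False):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, context):
    """True when Action, Resource and every Condition key match the request."""
    if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    # A context key that is absent (e.g. an untagged instance) never satisfies
    # StringEquals, which is the Step 4 failure mode.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def _decide(policies, action, resource, context):
    """Decision for one policy family in isolation: (decision, [policy names])."""
    matched = [(name, s) for name, pol in policies.items()
               for s in pol["Statement"] if _statement_applies(s, action, resource, context)]
    denies = [name for name, s in matched if s["Effect"] == "Deny"]
    allows = [name for name, s in matched if s["Effect"] == "Allow"]
    if denies:
        return "explicitDeny", denies
    if allows:
        return "allowed", allows
    return "implicitDeny", []


def evaluate(request, identity, resource_policies=None, scps=None, boundary=None):
    """Return (decision, reason).  scps/boundary of None means 'not in use'."""
    action, resource = request["action"], request["resource"]
    context = request.get("context", {})
    families = [("identity", identity), ("resource", resource_policies or {}),
                ("SCP", scps or {}), ("permissions boundary", boundary or {})]
    # 1. An explicit Deny in any family ends the evaluation immediately.
    for kind, pols in families:
        decision, names = _decide(pols, action, resource, context)
        if decision == "explicitDeny":
            return "explicitDeny", f"explicit Deny in {kind} policy {names[0]}"
    # 2. SCPs and boundaries only cap permissions: they must allow, they never grant.
    if scps is not None and _decide(scps, action, resource, context)[0] != "allowed":
        return "implicitDeny", "no SCP allows the action"
    if boundary is not None and _decide(boundary, action, resource, context)[0] != "allowed":
        return "implicitDeny", "permissions boundary does not allow the action"
    # 3. Same account: an identity policy or the resource policy must grant it.
    for kind, pols in families[:2]:
        decision, names = _decide(pols, action, resource, context)
        if decision == "allowed":
            return "allowed", f"allowed by {kind} policy {names[0]}"
    return "implicitDeny", "no policy allows the action"


# Constructed sample policies: a dev role, a bucket policy and one SCP (invented names).
IDENTITY = {"DevRole-inline": {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:StartInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}}}]}}
BUCKET_POLICY = {"app-data-bucket-policy": {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/secrets/*"}]}}
SCPS = {"AllowedServices": {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "ec2:*"], "Resource": "*"}]}}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"


def demo():
    """Four requests that end at four different points of the evaluation."""
    cases = {
        "get-public": {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-data/public/index.html"},
        "get-secret": {"action": "s3:GetObject", "resource": "arn:aws:s3:::app-data/secrets/db.key"},
        "list-bucket": {"action": "s3:ListBucket", "resource": "arn:aws:s3:::app-data"},
        "start-dev": {"action": "ec2:StartInstances", "resource": INSTANCE,
                      "context": {"ec2:ResourceTag/Environment": "Dev"}},
    }
    return {name: evaluate(req, IDENTITY, BUCKET_POLICY, SCPS) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:12} {decision:13} {reason}")
```

The "list-bucket" case is the one this answer is about: the identity policy allows s3:ListBucket and nothing denies it, yet the request fails because the SCP only covers s3:Get* and ec2:*. Adding more Allow statements to the role changes nothing; the SCP has to change.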

What's the fastest way to grant temporary permissions for emergency recovery?

Attach a narrow inline policy directly to the affected user or role: only the denied action, only the resource named in the error message, and remove it once the incident is over. The console is quickest by hand; in a script, `aws iam put-role-policy --role-name ROLE --policy-name break-glass --policy-document file://policy.json` (or `put-user-policy` for a user) does the same and is easy to revert with `delete-role-policy`. Do not reach for a broad managed policy such as AdministratorAccess. If the denial comes from an SCP, a permissions boundary or a resource policy, adding an Allow to the identity will not help; the Deny or the missing Allow has to be fixed in that policy.
