AWSHigh
Fix: AWS Access Denied / Unauthorized
AWS CLI or SDK returns 'Access Denied' or 'UnauthorizedAccess'
!Symptoms
- AWS CLI or SDK returns 'Access Denied' or 'UnauthorizedAccess'
- 403 Forbidden on S3 or API calls
- Terraform apply fails with 'AccessDeniedException'
- Application cannot access AWS resources it previously could
?Root Causes
- IAM policy does not grant the required permissions for the action
- S3 bucket policy explicitly denies access
- STS session token expired (temporary credentials)
- Wrong AWS profile or region being used
- Service Control Policy (SCP) in AWS Organizations blocking the action
- Resource-based policy (e.g., KMS key policy) not granting access
#Diagnosis Steps
- 1Check which identity is being used: `aws sts get-caller-identity`
- 2Use IAM Policy Simulator to test permissions for the action
- 3Check CloudTrail for the exact error: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=<action>`
- 4Review the IAM policies attached to the user/role: `aws iam list-attached-user-policies`
- 5Check S3 bucket policy if accessing S3: `aws s3api get-bucket-policy --bucket <name>`
>Fix
- 1Add the missing permission to the IAM policy (principle of least privilege)
- 2Update the S3 bucket policy to allow the required access
- 3Refresh expired credentials: `aws sts get-session-token` or re-assume the role
- 4Set the correct AWS_PROFILE or AWS_DEFAULT_REGION environment variable
- 5Check and update KMS key policies if accessing encrypted resources
*Prevention
- Use IAM Access Analyzer to identify overly permissive or missing policies
- Test IAM policies in a staging account before production
- Implement credential rotation and use IAM roles instead of long-lived keys
- Use AWS SSO for centralized access management
- Audit IAM permissions regularly with access advisor reports
Related Error Messages
Access DeniedAccessDeniedExceptionUnauthorizedAccess403 Forbiddennot authorized to performAn error occurred (AccessDenied)ExpiredTokenException