AWS Error Codes
Amazon Web Services error codes and exceptions
Access Denied
Getting hit with an **AccessDenied** error usually means your IAM User or Role lacks the specific JSON policy required to perform the action—the policy might be missing the exact Action, Resource ARN, or Condition needed. This client-side error (4xx) happens when AWS evaluates your IAM policies and denies access. Most common when IAM policies don't grant the specific permission, but also appears when Service Control Policies (SCPs) block actions, resource-based policies deny access, Security Groups block network access, or VPC endpoints aren't configured correctly.
Account Problem
Getting an **AccountProblem** error means there's an issue with your AWS account that's blocking operations—your account might be suspended, payment method declined, or verification incomplete. This client-side error (4xx) happens when AWS validates account status. Most common when payment methods are declined, but also appears when accounts are suspended, account verification is incomplete, billing problems prevent operations, or account service limits are reached.
Ambiguous Grant By Email Address
Getting an **AmbiguousGrantByEmailAddress** error means the email address you're using in an IAM policy grant is associated with multiple AWS accounts—AWS can't determine which account you mean, so you must specify the account ID explicitly. This client-side error (4xx) happens when AWS evaluates IAM policy grants. Most common when S3 bucket policies grant access by email, but also appears when IAM policies reference users by email across multiple accounts, cross-account grants use email addresses, or account identifiers are missing from grants.
Bad Digest
Getting a **BadDigest** error means the Content-MD5 hash you sent doesn't match what AWS calculated from the uploaded data—the file was corrupted during transmission, the MD5 hash was calculated incorrectly, or the file was modified after hashing. This client-side error (4xx) happens when AWS validates data integrity using MD5 checksums. Most common when uploading S3 objects with Content-MD5 headers, but also appears when data corruption occurs during upload, MD5 hashes are calculated incorrectly, network transmission errors corrupt data, or files are modified after hashing.
Bucket Already Exists
Hitting a **BucketAlreadyExists** error means your S3 bucket name is already taken globally—S3 bucket names are unique across all AWS accounts worldwide, so someone else already claimed that name. This client-side error (4xx) happens when AWS validates bucket name uniqueness. Most common when bucket names are too generic, but also appears when recently deleted buckets are still in the 90-day deletion grace period, bucket names violate S3 naming rules, or you're trying to create a bucket that already exists in your account.
Bucket Already Owned By You
Getting a **BucketAlreadyOwnedByYou** error means the S3 bucket name you're trying to create already exists in your AWS account—you own this bucket, so you can't create another with the same name. This client-side error (4xx) happens when AWS checks bucket name uniqueness within your account. Most common when bucket names are reused, but also appears when buckets weren't fully deleted, bucket deletion is still in progress (90-day grace period), or you're trying to recreate a bucket you already own.
CloudFront CNAME Already Exists
Getting a **CloudFrontCNAMEAlreadyExists** error means the CNAME (alternate domain name) you're trying to use is already in use by another CloudFront distribution—each CNAME must be unique across all distributions, so you can't reuse the same domain name. This client-side error (4xx) happens when AWS validates CNAME uniqueness. Most common when CNAMEs are already used by other distributions, but also appears when domain names are already configured, duplicate CNAME assignments occur, previous distributions are using the CNAME, or CNAME conflicts exist with existing distributions.
CloudFront Distribution Already Exists
Getting a **CloudFrontDistributionAlreadyExists** error means a CloudFront distribution with the specified caller reference already exists—each distribution must have a unique caller reference, so you can't reuse the same reference. This client-side error (4xx) happens when AWS validates caller reference uniqueness. Most common when duplicate caller references are used, but also appears when distributions were already created, previous creation succeeded, caller reference collisions occur, or distributions exist with the same reference.
CloudFront Distribution Not Disabled
Getting a **CloudFrontDistributionNotDisabled** error means you're trying to delete a CloudFront distribution that's still enabled—CloudFront requires distributions to be disabled and fully deployed before deletion. This client-side error (4xx) happens when AWS validates distribution state before deletion. Most common when distributions are still enabled, but also appears when deletion is attempted while enabled, distributions aren't fully disabled, deployment is still in progress, or distribution state isn't ready for deletion.
CloudFront Invalid Argument
Getting a **CloudFrontInvalidArgument** error means one or more arguments in your CloudFront request are invalid—required parameters might be missing, values don't meet CloudFront requirements, or the distribution configuration is malformed. This client-side error (4xx) happens when AWS validates CloudFront request parameters. Most common when distribution configurations are invalid, but also appears when origin settings are wrong, cache behavior settings are invalid, certificate ARNs are malformed, or parameter formats are incorrect.
CloudFront Invalid Origin
Getting a **CloudFrontInvalidOrigin** error means your CloudFront origin configuration is invalid—the origin domain name, protocol, or port configuration doesn't meet CloudFront requirements, or the origin isn't accessible. This client-side error (4xx) happens when AWS validates CloudFront origin configurations. Most common when origin domain names are invalid, but also appears when origin protocols are wrong, port configurations are invalid, origin domains don't resolve, or SSL certificate issues occur.
CloudFront Invalid Viewer Certificate
Getting a **CloudFrontInvalidViewerCertificate** error means the SSL/TLS certificate you specified for CloudFront is invalid or not properly configured—CloudFront requires certificates to be in the us-east-1 region, valid and not expired, and issued by ACM. This client-side error (4xx) happens when AWS validates CloudFront certificate configuration. Most common when certificates aren't in us-east-1 region, but also appears when certificates are expired or invalid, certificate ARNs are incorrect, certificates aren't issued by ACM, or certificate domains don't match the distribution.
CloudFront No Such Distribution
Getting a **CloudFrontNoSuchDistribution** error means the CloudFront distribution ID you specified doesn't exist—the distribution might have been deleted, the ID is misspelled, or it's in a different AWS account. This client-side error (4xx) happens when AWS validates CloudFront distribution existence. Most common when distribution IDs are incorrect, but also appears when distributions have been deleted, incorrect distribution ID formats are used, distribution ID typos occur, or distributions are in different accounts.
CloudFront Too Many Distributions
Hitting a **CloudFrontTooManyDistributions** error means you've reached the maximum number of CloudFront distributions allowed in your AWS account—the default limit is 200 distributions per account, and you can't create more until you delete some or request a limit increase. This client-side error (4xx) happens when AWS enforces CloudFront distribution limits. Most common when account distribution limits are reached, but also appears when too many active distributions exist, distribution limits are exceeded, account-level limits are reached, or maximum distributions are created.
Credentials Not Supported
Getting a **CredentialsNotSupported** error means the AWS service doesn't accept the credential type you're using—some operations require specific authentication methods like IAM roles, while others accept access keys. This client-side error (4xx) happens when AWS validates credential types. Most common when using access keys for operations that require IAM roles, but also appears when credential formats are incorrect, services have specific authentication requirements, authentication methods don't match service expectations, or temporary credentials aren't supported for the operation.
Cross Location Logging Prohibited
Hitting a **CrossLocationLoggingProhibited** error means you're trying to configure S3 bucket logging where the source bucket and logging bucket are in different AWS regions—S3 requires both buckets to be in the same region for logging. This client-side error (4xx) happens when AWS validates S3 logging configuration. Most common when source and logging buckets are in different regions, but also appears when cross-region logging is attempted, geographic location mismatch occurs, or logging configuration violates S3 region rules.
DynamoDB Conditional Check Failed
Getting a **DynamoDBConditionalCheckFailedException** means your conditional write operation (PutItem, UpdateItem, DeleteItem) failed because the condition expression evaluated to false—the item doesn't match your expected state, doesn't exist when expected, or was modified by another operation. This client-side error (4xx) happens when AWS validates conditional expressions. Most common when item attribute values don't match expectations, but also appears when items don't exist when expected, version checks fail, optimistic locking conflicts occur, or condition expressions are incorrect.
DynamoDB Item Collection Size Limit Exceeded
Hitting a **DynamoDBItemCollectionSizeLimitExceededException** means a single item collection (all items sharing the same partition key) exceeds the 10GB limit—this typically happens with Local Secondary Indexes (LSI) or Global Secondary Indexes (GSI) when too many items share the same partition key. This client-side error (4xx) happens when AWS enforces DynamoDB collection size limits. Most common when hot partitions have excessive data, but also appears when LSI/GSI exceeds 10GB, too many items share the same partition key, or index size limits are reached.
DynamoDB Limit Exceeded
Getting a **DynamoDBLimitExceededException** means you've exceeded DynamoDB's account-level or operation-level limits—the number of concurrent table requests, tables per account, indexes per table, or concurrent modifications has reached the maximum allowed. This client-side error (4xx) happens when AWS enforces DynamoDB limits. Most common when too many concurrent table operations occur, but also appears when table limits per account are exceeded, index limits per table are reached, concurrent modification limits are hit, or account-level limits are exceeded.
DynamoDB Provisioned Throughput Exceeded
Getting a **DynamoDBProvisionedThroughputExceededException** means your DynamoDB table's provisioned throughput capacity is exceeded—your request rate is higher than the read or write capacity units allocated to the table. This client-side error (4xx) happens when AWS throttles requests due to capacity limits. Most common when read/write capacity is exceeded, but also appears when hot partitions cause throttling, provisioned capacity is insufficient, sudden traffic spikes occur, or load isn't distributed across partition keys.
DynamoDB Resource Not Found
Getting a **DynamoDBResourceNotFoundException** means the DynamoDB table, index, or stream you're referencing doesn't exist—the resource might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS validates DynamoDB resource existence. Most common when table names are misspelled, but also appears when tables don't exist, tables are deleted, incorrect regions are specified, or indexes/streams are not found.
DynamoDB Transaction Conflict
Getting a **DynamoDBTransactionConflictException** means your DynamoDB transaction conflicted with another concurrent transaction on the same items—DynamoDB transactions are atomic and cannot be modified while in progress. This client-side error (4xx) happens when AWS detects transaction conflicts. Most common when concurrent transactions operate on the same items, but also appears when transactions are already in progress, optimistic locking fails, or transaction timeouts occur.
DynamoDB Validation Exception
Getting a **DynamoDBValidationException** means your DynamoDB request input doesn't satisfy DynamoDB constraints—attribute names, types, or expression syntax are invalid. This client-side error (4xx) happens when AWS validates DynamoDB request parameters. Most common when invalid attribute names are used in expressions, but also appears when expression syntax is invalid, attribute types don't match schema, reserved words are used as attribute names, or key schemas are invalid.
EC2 Instance Limit Exceeded
Hitting an **EC2InstanceLimitExceeded** error means you've reached the maximum number of EC2 instances you can launch in the specified region—this limit applies to the total number of running instances across all instance types. This client-side error (4xx) happens when AWS enforces EC2 instance limits. Most common when account-level instance limits are reached, but also appears when region-specific limits are exceeded, too many instances are running, instance type limits are hit, or VPC instance limits are reached.
EC2 Insufficient Instance Capacity
Getting an **EC2InsufficientInstanceCapacity** error means AWS doesn't have enough available capacity in the Availability Zone you requested to fulfill your instance launch—this is a temporary capacity issue, not a quota limit. This server-side error (5xx) happens when AWS validates instance capacity availability. Most common when Availability Zone capacity is exhausted, but also appears when requested instance types are unavailable, high demand occurs in the region, Spot instance capacity is insufficient, or dedicated host capacity is unavailable.
EC2 Invalid AMI ID Not Found
Getting an **EC2InvalidAMIIDNotFound** error means the AMI (Amazon Machine Image) ID you specified doesn't exist or isn't available in the current region—the AMI might have been deregistered, is in a different region, or isn't shared with your account. This client-side error (4xx) happens when AWS validates AMI existence. Most common when AMI IDs are incorrect, but also appears when AMIs are in different regions, AMIs have been deregistered, AMI ID formats are incorrect, or AMIs aren't shared with your account.
EC2 Invalid Instance ID Not Found
Getting an **EC2InvalidInstanceIDNotFound** error means the EC2 instance ID you specified doesn't exist or has been terminated—the instance might be in a different region, was deleted, or the ID is misspelled. This client-side error (4xx) happens when AWS validates EC2 instance existence. Most common when instance IDs are incorrect, but also appears when instances have been terminated, instances are in different regions, instance ID formats are incorrect, or instance ID typos occur.
EC2 Invalid Key Pair Not Found
Getting an **EC2InvalidKeyPairNotFound** error means the EC2 key pair you specified doesn't exist in the current region—the key pair might be in a different region, was deleted, or the name is misspelled. This client-side error (4xx) happens when AWS validates EC2 key pair existence. Most common when key pair names don't exist, but also appears when key pairs are in different regions, key pairs have been deleted, incorrect key pair name formats are used, or key pair name typos occur.
EC2 Invalid Parameter Combination
Getting an **EC2InvalidParameterCombination** error means the EC2 parameters you specified cannot be used together—some parameters are mutually exclusive, require specific combinations, or conflict with each other. This client-side error (4xx) happens when AWS validates EC2 parameter compatibility. Most common when mutually exclusive parameters are used together, but also appears when parameter combinations aren't supported, instance types are incompatible with parameters, network settings conflict, or storage configurations are invalid.
EC2 Invalid Security Group Not Found
Getting an **EC2InvalidSecurityGroupNotFound** error means the EC2 security group you specified doesn't exist—the security group might be in a different VPC or region, was deleted, or the ID/name is misspelled. This client-side error (4xx) happens when AWS validates EC2 security group existence. Most common when security group IDs don't exist, but also appears when security group names don't exist, security groups are in different VPCs, security groups are in different regions, or security groups have been deleted.
EC2 Invalid Snapshot Not Found
Getting an **EC2InvalidSnapshotNotFound** error means the EBS snapshot ID you specified doesn't exist or isn't available—the snapshot might have been deleted, is in a different region, or isn't shared with your account. This client-side error (4xx) happens when AWS validates EBS snapshot existence. Most common when snapshot IDs are incorrect, but also appears when snapshots have been deleted, snapshots are in different regions, incorrect snapshot ID formats are used, or snapshots aren't shared with your account.
EC2 Invalid Subnet ID Not Found
Getting an **EC2InvalidSubnetIDNotFound** error means the EC2 subnet ID you specified doesn't exist—the subnet might be in a different VPC or region, was deleted, or the ID is misspelled. This client-side error (4xx) happens when AWS validates EC2 subnet existence. Most common when subnet IDs don't exist, but also appears when subnets are in different VPCs, subnets are in different regions, subnets have been deleted, or incorrect subnet ID formats are used.
EC2 Unsupported Operation
Getting an **EC2UnsupportedOperation** error means the EC2 operation you're trying to perform isn't supported for the specified resource or instance type—the operation might not be available for the current instance configuration, instance state, or instance type. This client-side error (4xx) happens when AWS validates operation compatibility. Most common when operations aren't supported for instance types, but also appears when instance states don't allow operations, features aren't available for instances, instance configurations are incompatible, or operations require different instance types.
EC2 Volume In Use
Getting an **EC2VolumeInUse** error means the EBS volume you're trying to delete or modify is currently attached to an EC2 instance—volumes must be detached before deletion or certain modifications. This client-side error (4xx) happens when AWS validates EBS volume attachment status. Most common when volumes are attached to running instances, but also appears when volumes are attached to stopped instances, volume deletion is attempted while attached, volume modification occurs while attached, or volumes are in use by another operation.
Entity Too Large
Hitting an **EntityTooLarge** error means your S3 upload exceeds the 5TB maximum object size limit—S3 allows single objects up to 5TB, but for files larger than 5GB, you should use multipart upload. This client-side error (4xx) happens when AWS validates upload size. Most common when uploading very large files as single objects, but also appears when object size exceeds 5TB limit, files are too large for single upload, or upload size violates S3 limits.
Entity Too Small
Getting an **EntityTooSmall** error means a multipart upload part is smaller than the 5MB minimum—S3 requires each part (except the last) to be at least 5MB. This client-side error (4xx) happens when AWS validates multipart upload part sizes. Most common when multipart chunk size is set too small, but also appears when part sizes are less than 5MB (except last part), minimum part size is violated, or incorrect multipart chunk size is configured.
Expired Token
Getting an **ExpiredToken** error means your temporary AWS credentials (session token) have expired—temporary credentials from STS, IAM roles, or assume role operations expire after a set time period (typically 1 hour, max 12 hours). This client-side error (4xx) happens when AWS validates credential expiration. Most common when temporary credentials expire after 1 hour, but also appears when session tokens expire, STS token expiration time passes, IAM role sessions expire, or token expiration time is reached.
IAM Concurrent Modification
Getting an **IAMConcurrentModification** error means multiple requests to modify the same IAM entity are being processed simultaneously, causing a conflict—you need to wait for the current operation to complete before retrying. This client-side error (4xx) happens when AWS detects concurrent modification attempts. Most common when simultaneous policy updates occur, but also appears when concurrent role modifications happen, multiple users update the same entity, race conditions occur in updates, or overlapping modification requests are made.
IAM Delete Conflict
Hitting an **IAMDeleteConflict** error means the IAM entity (user, role, or policy) you're trying to delete is still in use—it has attached policies, group memberships, access keys, or other dependencies that must be removed first. This client-side error (4xx) happens when AWS validates IAM entity dependencies before deletion. Most common when users have attached policies, but also appears when users are members of groups, users have access keys, roles have attached policies, or policies are attached to entities.
IAM Entity Already Exists
Hitting an **IAMEntityAlreadyExists** error means the IAM entity (user, group, role, or policy) you're trying to create already exists in your AWS account—IAM entity names must be unique within your account, so you can't create duplicates. This client-side error (4xx) happens when AWS validates IAM entity name uniqueness. Most common when user names already exist, but also appears when role names, group names, or policy names already exist, or duplicate entity creation attempts occur.
IAM Invalid User ID Not Found
Getting an **IAMInvalidUserIDNotFound** error means the IAM user you specified doesn't exist—the user might have been deleted, the name is misspelled, or it's in a different AWS account. This client-side error (4xx) happens when AWS validates IAM user existence. Most common when user names are misspelled, but also appears when users don't exist, users have been deleted, incorrect user name formats are used, or users are in different AWS accounts.
IAM Limit Exceeded
Hitting an **IAMLimitExceeded** error means you've exceeded the maximum number of IAM entities allowed in your AWS account—IAM enforces limits on users (5000), groups (300), roles (5000), and customer managed policies (1500) per account. This client-side error (4xx) happens when AWS validates IAM entity limits. Most common when too many IAM users exist, but also appears when too many groups, roles, or policies are created, or account-level IAM limits are reached.
IAM Malformed Policy Document
Getting an **IAMMalformedPolicyDocument** error means your IAM policy document is malformed or invalid—the JSON syntax might be wrong, required policy elements are missing, or the policy statement structure doesn't follow IAM policy language syntax. This client-side error (4xx) happens when AWS validates IAM policy documents. Most common when JSON syntax is invalid, but also appears when required policy elements are missing, policy statement structures are invalid, action or resource values are malformed, or policy document encoding issues occur.
IAM Password Policy Violation
Getting an **IAMPasswordPolicyViolation** error means the password you're trying to set doesn't meet your AWS account's password policy requirements—the password might be too short, missing required character types, or violate complexity or history rules. This client-side error (4xx) happens when AWS validates passwords against the account password policy. Most common when passwords are too short, but also appears when required characters are missing, complexity requirements aren't met, passwords are in history (reuse prevention), or password policy rules are violated.
IAM Policy Not Attachable
Hitting an **IAMPolicyNotAttachable** error means the IAM policy you're trying to attach cannot be attached to the entity—some AWS managed policies aren't attachable, or the policy type is incompatible with the entity type (user, role, or group). This client-side error (4xx) happens when AWS validates policy attachment compatibility. Most common when AWS managed policies aren't attachable, but also appears when policy types are incompatible with entities, policy attachment restrictions exist, service-linked policy limitations occur, or policies aren't designed for attachment.
IAM Unmodifiable Entity
Getting an **IAMUnmodifiableEntity** error means the IAM entity (user, role, or policy) you're trying to modify cannot be modified—AWS managed entities have restrictions on modifications, and you must create customer managed alternatives. This client-side error (4xx) happens when AWS validates IAM entity modification permissions. Most common when AWS managed policies cannot be modified, but also appears when service-linked roles have restrictions, AWS managed users have limitations, entities have modification restrictions, or entities are read-only.
Illegal Versioning Configuration
Hitting an **IllegalVersioningConfigurationException** means your S3 bucket versioning configuration is invalid—the versioning settings might conflict, MFA delete configuration is incorrect, or versioning state transition is invalid. This client-side error (4xx) happens when AWS validates S3 versioning configuration. Most common when MFA delete configuration is incorrect, but also appears when versioning configuration parameters are invalid, conflicting versioning settings exist, versioning state conflicts occur, or invalid versioning transitions are attempted.
Incomplete Body
Getting an **IncompleteBody** error means the Content-Length HTTP header doesn't match the actual request body size—the body is incomplete, truncated, or the header value is wrong. This client-side error (4xx) happens when AWS validates request body completeness. Most common when Content-Length header is incorrect, but also appears when request body is incomplete or truncated, network interruptions occur during upload, body size mismatches the header, or uploads terminate early.
Incorrect Number of Files in POST Request
Hitting an **IncorrectNumberOfFilesInPostRequest** error means your POST request has zero files or more than one file—S3 presigned POST requires exactly one file per request. This client-side error (4xx) happens when AWS validates POST request file count. Most common when no file is provided, but also appears when multiple files are included in a single POST, file field is missing from form data, form data structure is incorrect, or POST request format is invalid.
Inline Data Too Large
Getting an **InlineDataTooLarge** error means you're trying to embed file data directly in the request body, but it exceeds the inline data size limit—for large files, you should use multipart upload or presigned URLs instead of inline embedding. This client-side error (4xx) happens when AWS validates inline data size. Most common when large files are embedded in request bodies, but also appears when inline data exceeds size limits, request body is too large for inline upload, or large files are included directly in requests.
Insufficient Capacity
Getting an **InsufficientCapacityException** means AWS doesn't have enough physical capacity in the requested Availability Zone to launch your EC2 instance—the specific instance type or zone is temporarily out of capacity. This client-side error (4xx) happens when AWS can't allocate hardware resources. Most common when launching EC2 instances in popular zones, but also appears when specific instance types are unavailable, regions have capacity constraints, Spot instances have no capacity, or temporary capacity issues occur.
Internal Error
Getting an **InternalError** means AWS encountered an internal service error—this is a server-side issue (5xx) that's usually temporary and resolves with retries. This server-side error happens when AWS services experience internal failures. Most common during temporary service issues, but also appears when backend processing errors occur, services are temporarily unavailable, internal system failures happen, or AWS infrastructure experiences problems.
Invalid Access Key ID
Getting an **InvalidAccessKeyId** error means your AWS Access Key ID doesn't exist in AWS—the key might have been deleted, it's misspelled, or it belongs to a different AWS account. This client-side error (4xx) happens when AWS can't find the access key in its records. Most common when access keys are deleted or rotated, but also appears when credentials are misconfigured, access keys are deactivated, or there's a typo in the key ID.
Invalid Action
Hitting an **InvalidAction** error means the AWS API action you're trying to call doesn't exist or isn't supported by that service—the action name might be misspelled, it's not available for that service, or there's an API version mismatch. This client-side error (4xx) happens when AWS validates action names. Most common when action names are misspelled, but also appears when actions aren't supported by the service, actions are called on wrong services, API versions don't match, or service endpoints are incorrect.
Invalid Addressing Header
Getting an **InvalidAddressingHeader** error means the HTTP addressing headers in your AWS API request are invalid or malformed—headers like Host, X-Amz-Date, or X-Amz-Target don't match AWS requirements. This client-side error (4xx) happens when AWS validates request headers. Most common when making direct HTTP requests to AWS APIs, but also appears when addressing header format is invalid, required headers are missing, header values are incorrect or malformed, or headers don't match service requirements.
Invalid Argument
Hitting an **InvalidArgument** error means one or more parameters in your AWS API request have invalid values, types, or formats—the argument might be out of range, wrong type, or unsupported. This client-side error (4xx) happens when AWS validates request parameters. Most common when parameter values are invalid, but also appears when parameter types don't match requirements, arguments are out of valid range, parameter formats are incorrect, or unsupported argument values are used.
Invalid Bucket Name
Hitting an **InvalidBucketName** error means your S3 bucket name violates AWS naming rules—bucket names must be 3-63 characters, lowercase, alphanumeric with hyphens, and globally unique. This client-side error (4xx) happens when AWS validates bucket name format. Most common when bucket names have uppercase letters or invalid characters, but also appears when names are too short/long, names look like IP addresses, names have consecutive dots, or reserved names are used.
Invalid Client Token ID
Getting an **InvalidClientTokenId** error means your AWS security token (Access Key ID) is invalid or doesn't exist—the token might have been deleted, rotated, or belongs to a different AWS account. This client-side error (4xx) happens when AWS validates request tokens. Most common when IAM access keys are deleted or rotated, but also appears when credentials are misconfigured, tokens are expired, credentials files are corrupted, or you're using credentials from the wrong AWS account.
Invalid Parameter
Hitting an **InvalidParameter** error means one of your API parameters has the wrong name, type, or value—parameter names must match AWS API exactly, types must be correct (string vs number), and values must be valid. This client-side error (4xx) happens when AWS validates request parameters. Most common when parameter names are misspelled, but also appears when parameter types are wrong, required parameters are missing, parameter values are invalid, or unsupported parameter combinations are used.
Invalid Parameter Value
Hitting an **InvalidParameterValue** error means one of your API parameters has the wrong format, is out of range, or violates AWS service constraints—EC2 instance types must be valid, S3 bucket names must follow naming rules, or IAM role names must match patterns. This client-side error (4xx) happens when AWS validates your request parameters before processing. Most common when EC2 instance types are invalid, S3 bucket names violate rules, or IAM resource names don't match patterns, but also appears when parameter values exceed limits, unsupported combinations are used, or data types don't match expected formats.
Invalid Request
Getting an **InvalidRequest** error means your AWS API request has invalid structure or format—the request might be malformed, missing required elements, or have syntax errors. This client-side error (4xx) happens when AWS validates request structure. Most common when JSON request bodies are malformed, but also appears when request structure is invalid, required elements are missing, request format doesn't match API requirements, or request validation fails.
Invalid User ID Not Found
Getting an **InvalidUserID.NotFound** error means the IAM User ID you're referencing doesn't exist in your AWS account—the user might have been deleted, the ID is misspelled, or it belongs to a different account. This client-side error (4xx) happens when AWS can't find the user by ID. Most common when IAM users are deleted, but also appears when user IDs are misspelled, users are in different accounts, user ID format is invalid, or IAM policies reference non-existent users.
Lambda EC2 Access Denied
Getting a **LambdaEC2AccessDeniedException** means your Lambda function can't access VPC or EC2 resources—the Lambda execution role lacks EC2 permissions to create/manage network interfaces, or security groups/NACLs are blocking access. This client-side error (4xx) happens when AWS validates Lambda VPC permissions. Most common when Lambda execution role lacks EC2 permissions, but also appears when security group rules are too restrictive, network ACLs block access, route tables are misconfigured, or ENI creation fails.
Lambda ENI Limit Reached
Hitting a **LambdaENILimitReachedException** means your AWS account has reached the maximum number of Elastic Network Interfaces (ENIs) that can be created in the region—this happens when too many Lambda functions are configured to use VPCs, and each concurrent execution creates an ENI. This client-side error (4xx) happens when AWS enforces ENI limits. Most common when too many Lambda functions use VPCs, but also appears when concurrent executions create too many ENIs, ENIs aren't cleaned up properly, or account-level ENI limits are reached.
Lambda Invalid Parameter Value
Getting a **LambdaInvalidParameterValueException** means one or more Lambda function parameters have invalid values—function name format, runtime, memory size, timeout, or environment variables don't meet Lambda requirements. This client-side error (4xx) happens when AWS validates Lambda parameters. Most common when memory size is invalid, but also appears when function name format is wrong, runtime specification is invalid, timeout is out of range, or environment variable format is incorrect.
Lambda Invalid Request Content
Getting a **LambdaInvalidRequestContentException** means your Lambda function invocation payload is invalid—the JSON is malformed, exceeds the 6MB limit, or has encoding issues. This client-side error (4xx) happens when AWS validates Lambda invocation payloads. Most common when JSON format is invalid, but also appears when request payloads exceed 6MB limit, JSON structure is malformed, encoding issues occur, or unsupported content types are used.
Lambda Resource Not Found
Getting a **LambdaResourceNotFoundException** means the Lambda function, layer, or event source mapping you're referencing doesn't exist—the resource might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS validates Lambda resource existence. Most common when function names are misspelled, but also appears when functions are deleted, incorrect regions are specified, functions don't exist, or layers/event sources are not found.
Lambda Service Exception
Getting a **LambdaServiceException** means AWS Lambda encountered an internal service error—this is a server-side issue (5xx) that's usually temporary and resolves with retries. This server-side error happens when Lambda services experience internal failures. Most common during temporary service issues, but also appears when services are temporarily unavailable, Lambda is overloaded, regional service issues occur, or transient infrastructure problems happen.
Lambda Subnet IP Address Limit Reached
Hitting a **LambdaSubnetIPAddressLimitReachedException** means your Lambda functions have exhausted the available IP addresses in the VPC subnet—each concurrent Lambda execution in a VPC requires an IP address, and the subnet's CIDR block doesn't have enough available. This client-side error (4xx) happens when AWS enforces subnet IP address limits. Most common when subnet CIDR blocks are too small, but also appears when too many concurrent Lambda executions occur, IP addresses aren't released properly, subnets are near capacity, or multiple Lambda functions share the same subnet.
Limit Exceeded
Hitting a **LimitExceededException** means your request would exceed AWS Service Quotas—you've reached the maximum number of resources, operations, or concurrent actions allowed for your account. This client-side error (4xx) happens when AWS enforces account-level or service-level limits. Most common when creating too many EC2 instances, DynamoDB tables, or IAM roles, but also appears when Service Quotas (formerly soft limits) are exceeded, concurrent operation limits are hit, or account-level resource caps are reached.
Malformed Query String
Hitting a **MalformedQueryString** error means your AWS API request has invalid query string syntax—special characters aren't URL-encoded, parameters are duplicated, or the query format violates AWS API requirements. This client-side error (4xx) happens when AWS parses query parameters. Most common when building S3 presigned URLs or API Gateway requests manually, but also appears when query parameters have unencoded special characters, duplicate parameter names exist, or query string syntax is invalid.
Missing Parameter
Hitting a **MissingParameter** error means your AWS API request is missing a required parameter—AWS usually specifies which parameter is missing in the error message. This client-side error (4xx) happens when AWS validates request parameters. Most common when EC2 run-instances is missing ImageId or InstanceType, but also appears when parameter names are misspelled, nested parameters are missing, conditional parameters are required but not provided, or parameters are in the wrong location in the request.
No Such Bucket
Getting a **NoSuchBucket** error means the S3 bucket you're trying to access doesn't exist in your AWS account, or you don't have permission to see it—the bucket might have been deleted, the name is misspelled, or it's in a different region. This client-side error (4xx) happens when AWS can't find the bucket. Most common when bucket names have typos, but also appears when buckets were deleted, buckets are in different regions, IAM policies don't grant ListBucket permission, or you're accessing a bucket from another account without proper permissions.
No Such Entity
Getting a **NoSuchEntity** error means the IAM entity (user, role, policy, or group) you're referencing doesn't exist in your AWS account—the entity might have been deleted, the name is misspelled, or it belongs to a different account. This client-side error (4xx) is common in IAM operations. Most common when IAM users or roles are deleted, but also appears when entity names are misspelled, entities are in different accounts, entity IDs are wrong, or IAM policies reference non-existent entities.
No Such Key
Hitting a **NoSuchKey** error means the S3 object (file) you're trying to access doesn't exist at that key path in the bucket—the object might have been deleted, the key path is misspelled, or it's in a different folder. This client-side error (4xx) happens when AWS can't find the object at the specified key. Most common when object keys have typos, but also appears when objects were deleted, keys have incorrect paths, case sensitivity doesn't match, or objects are in different prefixes/folders.
Opt In Required
Getting an **OptInRequired** error means you need to opt in to an AWS service or feature before using it—some AWS services require explicit opt-in, especially new regions, Local Zones, Wavelength Zones, or certain features. This client-side error (4xx) happens when AWS requires explicit acceptance. Most common when using new AWS regions, but also appears when Local Zones require opt-in, Wavelength Zones need activation, certain features require acceptance, or service agreements haven't been completed.
Request Expired
Getting a **RequestExpired** error means your S3 presigned URL or AWS request has passed its expiration time—presigned URLs typically expire after 1 hour (default) or the time you specified, and AWS requests expire if the timestamp is more than 15 minutes old. This client-side error (4xx) happens when AWS validates request timestamps. Most common when S3 presigned URLs expire, but also appears when system clocks are skewed, request timestamps are too old, or expiration times are set too short.
Resource Not Found
Getting a **ResourceNotFoundException** means the AWS resource you're trying to access doesn't exist—the resource ID is wrong, it was deleted, or it's in a different region/account. This client-side error (4xx) is common across DynamoDB, Lambda, EC2, and other AWS services. Most common when resource IDs have typos, but also appears when resources were deleted, resources are in different regions, resources belong to different accounts, or IAM policies don't grant List permissions to see the resource.
S3 Bucket Already Owned By You
Hitting an **S3BucketAlreadyOwnedByYou** error means the S3 bucket name you're trying to create already exists in your AWS account—S3 bucket names must be globally unique across all AWS accounts, so if you own a bucket with that name, you can't create another. This client-side error (4xx) happens when AWS validates bucket name uniqueness. Most common when bucket name already exists in your account, but also appears when attempting to create a duplicate bucket, bucket name collision occurs, previous bucket creation succeeded, or bucket exists in a different region.
S3 Invalid Access Key ID
Hitting an **S3InvalidAccessKeyId** error means your AWS access key ID doesn't exist or is invalid—the access key might have been deleted, rotated, or belongs to a different AWS account. This client-side error (4xx) happens when AWS validates S3 request credentials. Most common when access keys are deleted or rotated, but also appears when access key IDs are incorrect, credentials files are misconfigured, wrong AWS account credentials are used, or old keys are still in use after rotation.
S3 Invalid Bucket Name
Hitting an **S3InvalidBucketName** error means your S3 bucket name doesn't follow AWS naming rules—bucket names must be 3-63 characters, lowercase, alphanumeric with hyphens/periods, and globally unique. This client-side error (4xx) happens when AWS validates bucket name format. Most common when bucket names are too short/long, but also appears when invalid characters are used, names start/end with period or hyphen, uppercase letters are included, or consecutive periods exist.
S3 Invalid Object State
Hitting an **S3InvalidObjectState** error means you're trying to access an S3 object that's archived in Glacier or Deep Archive storage class without restoring it first—archived objects must be restored before they can be accessed. This client-side error (4xx) happens when AWS validates object accessibility. Most common when accessing Glacier objects without restore, but also appears when objects are in Deep Archive, restoration hasn't completed, objects are archived and not restored, or accessing archived objects directly.
S3 Invalid Storage Class
Hitting an **S3InvalidStorageClass** error means the S3 storage class you specified is invalid or not supported for the operation—the storage class name might be misspelled, not available in your region, or not supported for the specific operation. This client-side error (4xx) happens when AWS validates S3 storage class names. Most common when storage class names are misspelled, but also appears when storage classes aren't supported in the region, storage class transitions aren't allowed, or unsupported storage classes are used for operations.
S3 No Such Bucket
Getting an **S3NoSuchBucket** error means the S3 bucket you're trying to access doesn't exist—the bucket might have been deleted, the name is misspelled, or it's in a different region or AWS account. This client-side error (4xx) happens when AWS validates bucket existence. Most common when bucket names are misspelled, but also appears when buckets don't exist, buckets are deleted, incorrect regions are specified, or buckets are in different AWS accounts.
Service Quota Exceeded
Hitting a **ServiceQuotaExceededException** means your request would exceed an AWS Service Quota (formerly soft limits)—you've reached the maximum allowed for a specific service quota like EC2 instances, DynamoDB tables, or IAM roles. This client-side error (4xx) happens when AWS enforces service quotas. Most common when creating too many EC2 instances or DynamoDB tables, but also appears when regional quotas are exceeded, account-level quotas are hit, or quotas haven't been increased from defaults.
Service Unavailable
Hitting a **ServiceUnavailable** error means the AWS service is temporarily down or overloaded—this is a server-side issue (5xx) that usually resolves with retries. This server-side error happens when AWS services are experiencing outages, maintenance, or capacity issues. Most common during AWS service outages, but also appears when services are in maintenance mode, regions are experiencing issues, services are overloaded, or temporary capacity constraints occur.
Signature Does Not Match
Getting a **SignatureDoesNotMatch** error means AWS calculated a different request signature than what you sent—your Secret Access Key is wrong, system clock is skewed, or the request was modified after signing. This client-side error (4xx) happens when AWS validates request signatures using Signature Version 4. Most common when Secret Access Keys are incorrect, but also appears when system clocks are out of sync (more than 15 minutes), requests are modified after signing, regions don't match, or signing algorithms are wrong.
Throttling Exception
Hitting a **Throttling** error means AWS is rate-limiting your requests—you're making too many API calls too quickly, exceeding service quotas, or exhausting burst capacity. This client-side error (4xx) happens when AWS enforces rate limits to protect service stability. Most common when DynamoDB, S3, or EC2 APIs are called too rapidly, but also appears when Service Quotas are exceeded, burst capacity is exhausted, or account-level throttling is active.
Service Unavailable
Getting an **Unavailable** error means the AWS service is temporarily down or overloaded—this is a server-side issue (5xx) that usually resolves with retries. This server-side error happens when AWS services are experiencing outages, maintenance, or capacity issues. Most common during AWS service outages, but also appears when services are in maintenance mode, regions are experiencing issues, services are overloaded, or temporary capacity constraints occur.
Validation Exception
Getting a **ValidationException** means your input data failed AWS service validation—DynamoDB items violate schema constraints, Lambda function code has errors, or IAM policy documents have syntax issues. This client-side error (4xx) happens when AWS validates request data before processing. Most common when DynamoDB item attributes don't match table schema, but also appears when Lambda function code is invalid, IAM policy JSON is malformed, or input values violate service constraints.