# AWS: AccessDenied - Access Denied
Getting hit with an **AccessDenied** error usually means the IAM User or Role making the request lacks the JSON policy statement needed for the action: the policy may be missing the exact Action, the Resource ARN may not match the target, or a Condition may not be satisfied. It is a client-side error (4xx) returned when AWS evaluates the IAM policies that apply to the request and denies it. The most common cause is an identity policy that does not grant the specific permission, but the same error also appears when a Service Control Policy (SCP) blocks the action, a resource-based policy denies access, Security Groups block network access, or VPC endpoints are not configured correctly.
## Common Causes

- Identity: IAM policy missing the required Action (e.g., `s3:GetObject`). Policy Resource ARN doesn't match the target resource. Service Control Policy (SCP) blocks the action at the organization level. IAM role trust policy is incorrect. Policy Condition not met (IP, time, MFA).
- Network: Security Group inbound/outbound rules block traffic. Network ACL (NACL) denies the connection. VPC endpoint policy restricts access. Route table misconfiguration prevents access.
- Limits: Service Quota exceeded (soft limit reached). Account-level restrictions active. Region-specific access denied.
## Solutions

1. Diagnose: check your current identity with `aws sts get-caller-identity`. Verify which IAM User/Role is making the request and that the credentials are the ones you expect.
2. Diagnose: review the IAM policies attached to your identity with `aws iam list-attached-user-policies --user-name YOUR_USER`, and the inline policies with `aws iam list-user-policies --user-name YOUR_USER`.
3. Diagnose: if the account is in AWS Organizations, check the Service Control Policies with `aws organizations list-policies-for-target --target-id ACCOUNT_ID` and review any SCP that might deny the action.
4. Fix: update the IAM policy to include the required Action and Resource. Confirm the result with the IAM Policy Simulator: `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::ACCOUNT:user/USER --action-names s3:GetObject --resource-arns arn:aws:s3:::bucket/*`.
5. Fix: if the problem is network-related, check the Security Groups with `aws ec2 describe-security-groups --group-ids sg-xxxxx` and verify that the inbound/outbound rules allow the traffic. Check VPC endpoints with `aws ec2 describe-vpc-endpoints`.
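The identity-side causes above (missing Action, non-matching Resource ARN, an SCP deny, an unmet Condition) and the Policy Simulator step all come down to the same evaluation logic: an explicit Deny anywhere wins, otherwise the request needs a matching Allow from both the SCP and the identity policy. The following added example (not part of the original page or of any AWS tool) is a deliberately simplified local evaluator that reports which layer produced the AccessDenied; the two policy documents are constructed samples, and only the StringEquals/StringNotEquals condition operators are modelled.

```python
import fnmatch

# Constructed sample documents for illustration only (no real account data).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports-bucket/*"},
]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    patterns = _as_list(patterns)
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_met(cond, ctx):
    # Only StringEquals / StringNotEquals are modelled. As in IAM, a missing
    # context key fails StringEquals and satisfies StringNotEquals.
    for op, pairs in (cond or {}).items():
        for key, expected in pairs.items():
            equal = ctx.get(key) in _as_list(expected)
            if (op == "StringEquals" and not equal) or (op == "StringNotEquals" and equal):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Decision of one policy document: 'explicit_deny', 'allow' or 'implicit_deny'."""
    decision = "implicit_deny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action, ignore_case=True)
                and _matches(st["Resource"], resource)
                and _condition_met(st.get("Condition"), ctx)):
            continue  # statement does not apply to this request
        if st["Effect"] == "Deny":
            return "explicit_deny"  # an explicit Deny always wins
        decision = "allow"
    return decision

def decide(identity_policy, scp, action, resource, ctx):
    """Combine the layers: the SCP and the identity policy must both allow the request."""
    for layer, doc in (("SCP", scp), ("identity policy", identity_policy)):
        result = evaluate(doc, action, resource, ctx)
        if result != "allow":
            return f"AccessDenied ({layer}: {result.replace('_', ' ')})"
    return "Allowed"
```

Running `decide` with the sample documents shows the three failure modes side by side: `s3:PutObject` and a request against `other-bucket` both end in an implicit deny from the identity policy, while any S3 call outside `eu-west-1` is an explicit deny from the SCP.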
## Code Examples

### Diagnose AccessDenied: Check Identity and Policies

```bash
#!/bin/bash
# Step 1: Check your current AWS identity
echo "=== Current Identity ==="
aws sts get-caller-identity

# Step 2: List IAM policies attached to your user.
# get-caller-identity returns only UserId, Account and Arn, so the user name is
# taken from the Arn (arn:aws:iam::ACCOUNT:user/NAME). This assumes an IAM user;
# for an assumed role, use list-attached-role-policies with the role name instead.
USER_NAME=$(aws sts get-caller-identity --query Arn --output text | awk -F/ '{print $NF}')
printf '\n=== Attached Policies for %s ===\n' "${USER_NAME}"
aws iam list-attached-user-policies --user-name "${USER_NAME}"

# Step 3: List inline policies
printf '\n=== Inline Policies ===\n'
aws iam list-user-policies --user-name "${USER_NAME}"

# Step 4: Get the policy document for a specific managed policy
# (get-policy returns metadata; the document lives in the default version)
POLICY_ARN="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
printf '\n=== Policy Document ===\n'
aws iam get-policy --policy-arn "${POLICY_ARN}"
VERSION_ID=$(aws iam get-policy --policy-arn "${POLICY_ARN}" --query Policy.DefaultVersionId --output text)
aws iam get-policy-version --policy-arn "${POLICY_ARN}" --version-id "${VERSION_ID}"

# Step 5: Simulate the policy to see whether the action is allowed
printf '\n=== Policy Simulation ===\n'
aws iam simulate-principal-policy \
  --policy-source-arn "$(aws sts get-caller-identity --query Arn --output text)" \
  --action-names s3:GetObject \
  --resource-arns "arn:aws:s3:::my-bucket/*"
```

### Check Service Control Policies (SCPs)
```bash
#!/bin/bash
# Check whether the account is in an AWS Organization
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "Account ID: ${ACCOUNT_ID}"

# List SCPs attached to the account (requires organizations:ListPoliciesForTarget)
printf '\n=== Service Control Policies ===\n'
aws organizations list-policies-for-target \
  --target-id "${ACCOUNT_ID}" \
  --filter SERVICE_CONTROL_POLICY 2>/dev/null || echo "Not in AWS Organizations or no permission"

# Get the SCP document (the Id comes from the list output above)
SCP_ID="p-xxxxx" # Replace with the actual SCP ID
aws organizations describe-policy --policy-id "${SCP_ID}"
```

### Check Security Groups and VPC Endpoints
```bash
#!/bin/bash
# Check Security Groups for an EC2 instance
INSTANCE_ID="i-xxxxx" # Replace with your instance ID
echo "=== Security Groups for Instance ==="
aws ec2 describe-instances \
  --instance-ids "${INSTANCE_ID}" \
  --query 'Reservations[0].Instances[0].SecurityGroups[*].[GroupId,GroupName]' \
  --output table

# Describe Security Group rules
SG_ID="sg-xxxxx" # Replace with the Security Group ID
printf '\n=== Security Group Rules ===\n'
aws ec2 describe-security-groups --group-ids "${SG_ID}"

# Check VPC Endpoints
printf '\n=== VPC Endpoints ===\n'
aws ec2 describe-vpc-endpoints

# Check the VPC endpoint policy. There is no separate "describe policy" command;
# the PolicyDocument is returned as part of describe-vpc-endpoints.
VPC_ENDPOINT_ID="vpce-xxxxx" # Replace with the VPC Endpoint ID
aws ec2 describe-vpc-endpoints \
  --vpc-endpoint-ids "${VPC_ENDPOINT_ID}" \
  --query 'VpcEndpoints[0].PolicyDocument' \
  --output text
```
## Provider Information

This error code is specific to AWS services. For more information, refer to the official AWS documentation.