
AWS S3 Access Denied — How to Fix It


An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
403 Forbidden

Your IAM user/role doesn’t have permission to access the S3 bucket or object.

Fix 1: Check IAM Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

You need both the bucket ARN (for s3:ListBucket, which is a bucket-level action) and my-bucket/* (for object-level actions such as s3:GetObject and s3:PutObject).

Fix 2: Bucket Policy Blocking Access

# Check bucket policy
aws s3api get-bucket-policy --bucket my-bucket

# Common issue: explicit Deny overrides any Allow
# Remove or fix the Deny statement
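
The following added example (not from the original page) is a simplified Python model of the checks behind Fix 1 and Fix 2: a request is allowed only if some statement allows it and no statement explicitly denies it. The policies are constructed samples, the function names are hypothetical, and Principal, Condition, NotAction/NotResource, SCPs and permission boundaries are ignored.

```python
import fnmatch

# Constructed samples: identity policy lacks the bucket ARN; bucket policy denies a prefix.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket/*"],
    }],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogsPrefix",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/logs/*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    # Action names are case-insensitive; ARNs are compared case-sensitively.
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate(action, resource, *policies):
    """Simplified evaluation: explicit Deny beats Allow; no match is implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"

if __name__ == "__main__":
    for act, res in [("s3:ListBucket", "arn:aws:s3:::my-bucket"),
                     ("s3:GetObject", "arn:aws:s3:::my-bucket/data/a.csv"),
                     ("s3:GetObject", "arn:aws:s3:::my-bucket/logs/x.log")]:
        print(act, res, "->", evaluate(act, res, IAM_POLICY, BUCKET_POLICY))
```

ListBucket comes back as an implicit deny because the sample identity policy lists only my-bucket/*, and the logs/ object comes back as an explicit deny even though the identity policy allows s3:GetObject on it.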

Fix 3: Wrong Account or Region

# Verify you're using the right credentials
aws sts get-caller-identity

# Check bucket region
aws s3api get-bucket-location --bucket my-bucket

Fix 4: Block Public Access Settings

# ❌ Bucket has "Block all public access" enabled
# If the bucket is meant to be public, this turns off all four Block Public Access settings on it:
aws s3api put-public-access-block --bucket my-bucket \
    --public-access-block-configuration \
    BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false

Fix 5: KMS Encryption

# ❌ Object is encrypted with a KMS key you don't have access to
# ✅ Add this statement to your IAM policy (kms:Decrypt to read objects, kms:GenerateDataKey to upload them)
{
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "arn:aws:kms:region:account:key/key-id"
}