Why does my pre-signed URL still 403?

The signer's IAM permissions must include the action you signed for. A pre-signed URL cannot grant more than the signer had.

AWS

Oct 25, 2025 6 min read

Fix AWS S3 403 Access Denied

A checklist for S3 403 errors — bucket policy, IAM, KMS, Object Ownership and Block Public Access.

Problem

bash

An error occurred (AccessDenied) when calling the GetObject operation: Access Denied

Root cause

S3 evaluates several policy layers. A deny in any one of them blocks the request:

IAM identity policy on the caller.
Bucket policy.
Object ACL and Object Ownership setting.
Block Public Access at the account or bucket level.
KMS key policy when the object is SSE-KMS encrypted.
VPC endpoint policy if accessed via a Gateway endpoint.

Solution

Simulate the call

bash

aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123:user/me \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::my-bucket/key

Grant minimum IAM permission

json

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::my-bucket/*"
}

Don't forget KMS

If the object is encrypted with a customer KMS key, the caller also needs `kms:Decrypt` on the key.

Frequently asked questions

More AWS fixes

Related fixes

AWS

6 min

Fix EKS Worker Nodes Not Joining the Cluster

Nodes stay missing from `kubectl get nodes`. Walk through aws-auth, IAM, security groups and user-data.

#eks#iam#vpc

AWS

4 min

Fix AWS "is not authorized to perform: sts:AssumeRole"

Both sides of an AssumeRole call need to agree — fix the trust policy and the calling principal.

#iam#sts

Weekly digest

Short, practical, no fluff. Real errors, real fixes — straight from production postmortems.