S3 Access Denied for Some IAM Users Despite Identical Permissions

I’m currently trying to figure out a problem with an S3 bucket.

A handful of IAM users keep getting “Access Denied” errors.

The strange part? They’re in the same IAM group as other users who can access the bucket without any issues.

The bucket policy clearly permits the necessary actions: ListBucket, GetObject, and PutObject.

The IAM group permissions are the same for everyone, both those having trouble and those who aren’t.

I’ve already ruled out some common culprits, like conflicting Deny statements, missing resource ARNs, and any SCP restrictions within the organization.

Nothing seems amiss. What’s puzzling is that this doesn’t appear to be a straightforward misconfiguration. It feels like something outside of IAM is causing the problem.

Could things like:
S3 access points, each with its own set of network access rules, can be a source of confusion.

VPC endpoints, with policies designed to block specific users, can also play a role.
Then there are those old or inactive access keys, still pointing to permissions that are no longer relevant.

Region-specific mismatches between the bucket and API requests can create problems, too.
And let’s not forget MFA conditions or session policies that, without warning, supersede group permissions.

These factors can lead to a situation where only some users are denied access, even when the RBAC/IAM configuration appears sound.

Has anyone else encountered a similar access issue?

Where two users, identical in terms of group membership, policies, and bucket permissions, still faced different access results in certain cases?
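A triage sketch for the factors listed above, as an added example that is not part of the original post: it compares CloudTrail S3 data events for one bucket and reports request-context values (VPC endpoint, access key, region, MFA flag, identity type) that appear only on AccessDenied calls. The events, bucket name, user names, key IDs and endpoint IDs are constructed placeholders, and it assumes data-event logging is enabled for the bucket.

```python
# CloudTrail record fields that correspond to the factors listed in the post.
FIELDS = {
    "identity_type": ("userIdentity", "type"),
    "access_key": ("userIdentity", "accessKeyId"),
    "mfa": ("userIdentity", "sessionContext", "attributes", "mfaAuthenticated"),
    "region": ("awsRegion",),
    "vpc_endpoint": ("vpcEndpointId",),
}

def ev(user, key, endpoint, error=None):
    """Build one constructed CloudTrail-style S3 data event (not a real log)."""
    e = {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
         "awsRegion": "us-east-1", "vpcEndpointId": endpoint,
         "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
         "requestParameters": {"bucketName": "example-bucket"}}
    return {**e, "errorCode": error} if error else e

# Constructed sample: bob and dave fail only when they come through one endpoint.
SAMPLE_EVENTS = [
    ev("alice", "KEY-ALICE-EXAMPLE", "vpce-0aaaexample"),
    ev("bob", "KEY-BOB-EXAMPLE", "vpce-0bbbexample", "AccessDenied"),
    ev("bob", "KEY-BOB-EXAMPLE", "vpce-0aaaexample"),
    ev("dave", "KEY-DAVE-EXAMPLE", "vpce-0bbbexample", "AccessDenied"),
    ev("dave", "KEY-DAVE-EXAMPLE", "vpce-0aaaexample"),
]

def dig(record, path):
    """Follow a key path through nested dicts; None if any key is missing."""
    for key in path:
        record = record.get(key) if isinstance(record, dict) else None
    return record

def differing_context(events, bucket):
    """Return {field: values seen only on AccessDenied requests to bucket}."""
    seen = {"denied": {}, "allowed": {}}
    for e in events:
        if dig(e, ("requestParameters", "bucketName")) != bucket:
            continue
        # Any outcome other than AccessDenied means authorization passed.
        outcome = "denied" if e.get("errorCode") == "AccessDenied" else "allowed"
        for name, path in FIELDS.items():
            seen[outcome].setdefault(name, set()).add(dig(e, path))
    report = {}
    for name in FIELDS:
        only = seen["denied"].get(name, set()) - seen["allowed"].get(name, set())
        if only:
            report[name] = sorted(str(v) for v in only)
    return report

print(differing_context(SAMPLE_EVENTS, "example-bucket"))
```

A field that shows up in the report marks where the denied requests differ from the successful ones, so in the constructed sample the next thing to read would be the policy attached to that one VPC endpoint.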

Hi,

Welcome to the community!

If I understand correctly, the users are being denied by S3, before they ever get to SonarQube? If so, then that’s outside our scope & I’m not sure how much we’ll be able to help you.

 
Ann