When you encounter an “Access Denied” error in AWS CloudFormation related to Amazon S3, it indicates that the AWS Identity and Access Management (IAM) user or role associated with CloudFormation does not have the necessary permissions to perform the required actions on the S3 bucket specified in your CloudFormation template.
Here are steps to troubleshoot and resolve the “Access Denied” error:
Verify that the IAM user or role associated with your CloudFormation stack has the required permissions to interact with S3. Necessary permissions include s3:CreateBucket, s3:PutObject, s3:GetObject, etc., depending on your CloudFormation template.
If CloudFormation assumes an IAM role, check the role's trust relationship to ensure that the entity assuming it (user, role, or service) is correctly specified; for a CloudFormation service role, the trust policy must allow the cloudformation.amazonaws.com service principal.
Review the S3 bucket policy to ensure it allows the necessary actions for the IAM user or role. An explicit Deny in a bucket policy overrides any Allow granted by the IAM policy, and a principal from another account needs an Allow on both sides.
Check the S3 bucket’s “Block Public Access” settings. If enabled, they reject any bucket policy or ACL in your template that would grant public access, which surfaces as an Access Denied error. Adjust these settings only if public access is actually intended; otherwise fix the policy in the template.
Attach the AmazonS3FullAccess managed policy to your IAM user or role for testing purposes. This policy provides full access to S3 and helps confirm whether the issue is permission-related. Once the missing permission has been identified, remove it again and grant only the specific actions on the specific bucket the stack needs.
Examine whether a stack policy is applied to your CloudFormation stack. A stack policy can block updates to specific resources during a stack update.
Sometimes (and it has happened to me twice) the template.yml is not in the correct format, i.e. it contains indentation errors, and instead of an error such as “YAML not well formed” you get an S3 Access Denied error. So make sure there are no syntax errors in the YAML template file. If you use an IDE such as Eclipse or IntelliJ to write YAML, you can install the cfn-lint plugin, a validator for CloudFormation JSON and YAML templates.
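To make the first and third steps concrete (IAM permissions versus bucket policy), here is an added example, not from the original post, that evaluates the page's S3 actions against a constructed identity policy and bucket policy using the same-account IAM decision order (explicit Deny beats Allow, no Allow means implicit deny). The role ARN, bucket name and policies are placeholders, and Conditions, SCPs and permission boundaries are ignored.

```python
from fnmatch import fnmatchcase

# Constructed sample: the role CloudFormation assumes, its identity policy and
# the target bucket's policy (account id and names are placeholders).
ROLE_ARN = "arn:aws:iam::123456789012:role/cfn-deploy-role"
BUCKET = "arn:aws:s3:::example-artifacts"
IDENTITY_POLICY = {"Statement": [
    {"Sid": "ObjectAccess", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"}]}
BUCKET_POLICY = {"Statement": [
    {"Sid": "DenyWrites", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(stmt, principal_arn):
    # Identity policies have no Principal; bucket policies must name the caller.
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    names = _as_list(p.get("AWS", [])) if isinstance(p, dict) else []
    return "*" in names or principal_arn in names

def _matches(stmt, principal_arn, action, resource):
    # IAM wildcards (* and ?) in Action/Resource map directly onto fnmatch.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def evaluate(identity_policy, bucket_policy, principal_arn, action, resource):
    """Same-account evaluation (no Conditions, SCPs or permission boundaries):
    an explicit Deny wins, then an Allow in either policy, else implicit deny."""
    decision, sid = "ImplicitDeny", None
    for policy in (identity_policy, bucket_policy):
        for stmt in _as_list(policy.get("Statement", [])):
            if not _matches(stmt, principal_arn, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny", stmt.get("Sid")
            if decision == "ImplicitDeny":
                decision, sid = "Allow", stmt.get("Sid")
    return decision, sid

def check_stack_actions(requests, identity_policy=IDENTITY_POLICY,
                        bucket_policy=BUCKET_POLICY, principal_arn=ROLE_ARN):
    """Return {action: (decision, Sid)} for each (action, resource) a template needs."""
    return {a: evaluate(identity_policy, bucket_policy, principal_arn, a, r)
            for a, r in requests}
```

Running check_stack_actions over s3:CreateBucket, s3:GetObject and s3:PutObject for the sample bucket yields an implicit deny (no matching Allow), an Allow from ObjectAccess, and an explicit Deny from the bucket policy's DenyWrites statement respectively, which is the distinction the troubleshooting steps above ask you to make.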