DEV Community

Muhammad Usman Tahir

Why My S3 Object URL Still Gave Access Denied (And How I Fixed It)

When you’re new to AWS S3, one of the most confusing things is public access.
Recently, I faced an issue where I uploaded a file to S3, disabled Block all public access, but still got Access Denied when opening the Object URL.
Here’s what happened, why it happened, and how I fixed it.

The Problem
I uploaded a file to an S3 bucket and wanted to access it using the Object URL.
Steps I had already taken:

  • Uploaded the file successfully
  • Disabled Block all public access at the bucket level
  • Tried opening the Object URL in the browser

Result: AccessDenied
At this point, I thought:
"Public access is disabled, so why is it still denying access?"

The Important Concept I Missed
Disabling Block all public access does NOT automatically make your objects public.
It only means:
AWS will now allow you to create public permissions — but you still have to define them.
So unless you:

  • Add a bucket policy, or
  • Make the object public via ACL (not recommended anymore)

your objects will remain private.

The Solution That Worked
I added a bucket policy to explicitly allow public read access for objects.
Here is the policy I used:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::usman-bucket-v1/*"
        }
    ]
}

What This Policy Does

  • Allows anyone (Principal: "*")
  • To read objects (s3:GetObject)
  • Inside my bucket (usman-bucket-v1/*)

After adding this policy, I refreshed the Object URL and it worked.

Why AWS Does This (Security Reason)
AWS follows secure-by-default principles.
Even if public access blocking is disabled:

  • Objects are still private
  • You must explicitly allow public access

This prevents accidental data leaks, especially in production environments.

Important Warning
This policy makes all objects in the bucket public.
Do NOT use this for:

  • Sensitive files
  • User data
  • Production buckets without proper review

Safer Alternatives

  • Use CloudFront + OAC
  • Use pre-signed URLs
  • Restrict access to specific IPs or principals
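
To make the warning and the "restrict access to specific IPs" alternative concrete, here is an added example (not code from the original post) that flags bucket-policy statements open to anyone with no condition attached, run against the policy above and a narrowed variant. The `public/` prefix, the `203.0.113.0/24` range, the second Sid and the function names are assumptions made for illustration.

```python
# Constructed inputs: the post's policy, and a narrowed variant
# (the "public/" prefix and the 203.0.113.0/24 CIDR are assumptions).
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::usman-bucket-v1/*",
    }],
}
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadPublicPrefixFromKnownRange",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::usman-bucket-v1/public/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anyone(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": ["*"]}."""
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def unconditional_public_grants(policy):
    """Return (Sid, resources) for Allow statements open to anyone with no Condition."""
    # Simplified review check, not AWS's own public-policy evaluation:
    # any non-empty Condition block is treated as a restriction.
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow" and is_anyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append((stmt.get("Sid", f"statement[{index}]"),
                             as_list(stmt.get("Resource", []))))
    return findings

if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, unconditional_public_grants(policy))
```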

Key Takeaways

  • Disabling Block all public access ≠ public files
  • You still need a bucket policy
  • AWS forces explicit permission for security
  • Bucket policies are powerful — use carefully

Final Thoughts
This small issue helped me better understand how S3 security actually works.
If you're learning AWS (like me), these "Access Denied" errors are not failures — they’re lessons.
If this post helped you, feel free to share or drop a comment on dev.to.
