S3-403 (Cloud Storage)

AWS S3 403 Access Denied

Service receives 403 Forbidden from S3 when reading or writing objects required for transaction processing.

Root Cause & Remediation

Typical causes are IAM policy drift, a missing KMS key grant, a bucket policy denial, or expired STS credentials. The error frequently follows a Terraform apply or an SCP change at the organization level.

Remediation steps

  1. Replay the failing call with the IAM simulate-principal-policy tool.
  2. Confirm the bucket policy and object ownership settings (BPO).
  3. Verify the KMS key policy grants Decrypt to the workload role.
  4. Rotate or refresh STS credentials and check clock skew on the host.
  5. Roll back the last IaC change if drift is detected.
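As an added example (not DoraPulse's own tooling), a small Python helper that performs steps 1 and 3 offline: it classifies the JSON that aws iam simulate-principal-policy returns and checks a KMS key policy document for a kms:Decrypt grant to the workload role. The role ARN, bucket name and policy contents are constructed samples, not real identifiers.

```python
"""Offline triage for an S3 403: classify `aws iam simulate-principal-policy` output
and check a KMS key policy for a kms:Decrypt grant. All sample data is constructed."""
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/txn-processor"  # hypothetical workload role

# Constructed in the shape of `aws iam simulate-principal-policy --output json`.
SIMULATION = {"EvaluationResults": [
    {"EvalActionName": "s3:GetObject", "EvalDecision": "explicitDeny",
     "EvalResourceName": "arn:aws:s3:::example-kyc-bucket/docs/1.pdf",
     "MatchedStatements": [{"SourcePolicyId": "DenyUnencryptedTransport",
                            "SourcePolicyType": "IAM Policy"}],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
    {"EvalActionName": "s3:PutObject", "EvalDecision": "implicitDeny",
     "MatchedStatements": [],
     "OrganizationsDecisionDetail": {"AllowedByOrganizations": False}}]}

# Constructed `aws kms get-key-policy` response; the policy document is a JSON string.
KEY_POLICY_RESPONSE = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowWorkload", "Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"}]})}

def classify_denials(simulation):
    """Map each non-allowed action to its most likely cause (runbook step 1)."""
    findings = {}
    for r in simulation["EvaluationResults"]:
        if r["EvalDecision"] == "allowed":
            continue
        if not r.get("OrganizationsDecisionDetail", {}).get("AllowedByOrganizations", True):
            cause = "blocked by SCP"  # organization-level change, not the role's own policy
        elif r["EvalDecision"] == "explicitDeny":
            ids = ", ".join(s["SourcePolicyId"] for s in r["MatchedStatements"])
            cause = "explicit deny in " + (ids or "unknown policy")
        else:
            cause = "no matching allow (implicit deny)"
        findings[r["EvalActionName"]] = cause
    return findings

def kms_grants_decrypt(key_policy_response, role_arn):
    """True if an Allow statement names role_arn directly and covers kms:Decrypt (step 3).
    A grant to the account root delegates to IAM and is deliberately not counted."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    for st in json.loads(key_policy_response["Policy"])["Statement"]:
        principal = st.get("Principal", {})  # may be a dict, or the string "*"
        allowed = as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if st.get("Effect") == "Allow" and role_arn in allowed and any(
                a in ("kms:*", "kms:Decrypt") for a in as_list(st.get("Action", []))):
            return True
    return False
```

With the constructed data the helper reports GetObject as an explicit deny from DenyUnencryptedTransport, PutObject as blocked by an SCP, and no Decrypt grant for the role, which points at runbook steps 3 and 5 rather than credential rotation.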

DORA Risk Matrix

Typical classification: Context-dependent
Likelihood: Medium
Blast radius: Scoped to services depending on the affected bucket or prefix.
CIF impact: Document storage, KYC artefacts and audit logs become unavailable.
Analyst notes: Often MINOR unless the bucket backs a critical function such as KYC onboarding or settlement archives.
