Amazon S3 extends additional context for HTTP 403 Access Denied error messages to Amazon Organizations
Amazon S3 now includes additional context in HTTP 403 Access Denied errors for requests made to resources in accounts within the same Amazon Organization. This context includes the type of policy that denied access, the reason for denial, and information on the Amazon Identity and Access Management (IAM) user or role that requested access to the resource. This context helps you to troubleshoot access issues, identify the root cause of access denied errors, and fix incorrect access controls by updating the relevant policies. This additional context is also available in Amazon CloudTrail logs.
Enhanced access denied error messages are rolling out in the coming weeks in all Amazon Web Services Regions, including the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To learn more about how to troubleshoot access denied errors in S3, visit the S3 User Guide and the IAM troubleshooting documentation.