Let's say a user sees an Access Denied message when trying to access a resource, for example S3.
This is likely the result of a policy applied to the user or to the user's group, or it could be a bucket policy. It could also be that the user or group has no explicit permissions at all.
One way to troubleshoot the issue is to use the IAM Policy Simulator.
I am already logged in as an admin, and it displays a list of users in my account.
Select the user and simulate an action; here I select S3 as the service.
For the actions, I select “All Actions” (you can also choose a specific action on a specific bucket) and click Run Simulation.
The simulator lists which actions are allowed or denied. You can drill down on any denied action, and it will display the policy, and even the section of that policy, that is denying access.
In this case the user was in a group with the “AdministratorAccess” policy, but the policy applied to the user was overriding that Allow: an explicit Deny in any policy takes precedence over an Allow.
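
The same check can be scripted against the simulator API. The following is an added example, not part of the original post: it separates explicit denies from implicit ones in a `simulate_principal_policy` response and names the matching policy. The sample responses and the policy id `example-user-deny-s3` are constructed for illustration.

```python
DECISION_CAUSE = {
    "explicitDeny": "a Deny statement matched; it overrides any Allow",
    "implicitDeny": "no statement allows the action",
}

def simulate(user_arn, actions, resources=("*",)):
    """Query the live simulator (needs boto3 and iam:SimulatePrincipalPolicy)."""
    import boto3  # lazy import: the offline demo below runs without it
    paginator = boto3.client("iam").get_paginator("simulate_principal_policy")
    pages = paginator.paginate(PolicySourceArn=user_arn,
                               ActionNames=list(actions),
                               ResourceArns=list(resources))
    return {"EvaluationResults": [r for p in pages for r in p["EvaluationResults"]]}

def explain_denials(response):
    """Return (action, decision, cause, matched policy ids) per non-allowed action."""
    findings = []
    for result in response["EvaluationResults"]:
        decision = result["EvalDecision"]
        if decision == "allowed":
            continue
        policies = [s["SourcePolicyId"] for s in result.get("MatchedStatements", [])]
        cause = DECISION_CAUSE.get(decision, "unrecognized decision")
        findings.append((result["EvalActionName"], decision, cause, policies))
    return findings

# Constructed response for the case in the post: the group grants
# AdministratorAccess, but a policy on the user denies S3.
SAMPLE_RESPONSE = {"EvaluationResults": [
    {"EvalActionName": "s3:GetObject", "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "example-user-deny-s3",
                            "SourcePolicyType": "user"}]},
    {"EvalActionName": "ec2:DescribeInstances", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "AdministratorAccess",
                            "SourcePolicyType": "aws-managed"}]},
]}
# Constructed response for a user with no policies at all.
NO_POLICY_RESPONSE = {"EvaluationResults": [
    {"EvalActionName": "s3:GetObject", "EvalDecision": "implicitDeny",
     "MatchedStatements": []},
]}

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, NO_POLICY_RESPONSE):
        for action, decision, cause, policies in explain_denials(sample):
            print(f"{action}: {decision} ({cause}); matched: {policies or 'none'}")
```

When a user ARN is passed, the API includes the policies of the user's groups in the simulation; a bucket policy is only evaluated if you supply it through the `ResourcePolicy` parameter.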