One of our customers recently tried to enable S3 Transfer Acceleration, a service designed to expedite data transfers to and from Amazon Simple Storage Service (S3) on an S3 bucket and encountered an unexpected error(Access Denied).
We initially thought it was an IAM permissions issue, a Service Control Policy Issue, or an S3 bucket policy, so we looked into those aspects.
We started our investigation and found that:
- No deny-SCP was associated with the account except for the Full AWS access SCP, which allows Access.
- No bucket policy was associated with the S3 bucket. Therefore, there is no explicit deny statement on the bucket level.
- The naming convention of the bucket complied with what is expected for S3 transfer acceleration.
- The user had IAM admin privileges. We also tried using the AWS account root user. However, the root user was denied with the same error message.
- Amazon S3 Transfer acceleration was supported in the S3 bucket's regions.
A quick Google search suggested that the same error had been reported in multiple forums, but no solution had been posted.
Luckily, we could replicate this in some of our personal AWS Accounts, so we dug deeper but still couldn't find what was causing this error. What we did find was:
- This error was more prominent in accounts created using AWS organizations.
- There wasn't any specific correlation with the age of the accounts.
- There was nothing in AWS CloudTrail that suggested what caused this error.
- We also tried to leave the AWS Organization and make our account stand-alone, but we need more.
Digging deeper into AWS Documents, we found that Amazon S3 Transfer Acceleration takes advantage of the globally distributed edge locations in Amazon CloudFront.
So we tried creating a new CloudFront distribution, but it failed with the below error.
At this point, we almost gave up and thought our only option was to upgrade our AWS Support Plan, but in the era of cost optimization, we were trying to avoid any additional costs.
But then we had this idea that this might be related to the Security Score on your AWS Account(Some benefits of working at AWS before ;), so we decided to try it out.
We launched a couple of EC2 instances in the N.Virginia (us-east-1) Region (t2.micro is fine) and left them running for 2–3 hours until we received an email like the one below.
Once we got this email from the screenshot above, we tried to enable Transfer Acceleration again, and it worked!
So, the conclusion is that the account must be explicitly verified in the N. Virginia(us-east-1) Region before you can use Amazon S3 Transfer Acceleration. It doesn't matter if it was verified in another region.
AWS can improve its documentation and the error message so it becomes more transparent to users about why this is occurring, and they don't have to pay for AWS Support unnecessarily.
This blog has been co-authored with my colleague and security guru
.
Senior Cloud Architect at Doit International
Author
Glad it helped you, i will add the error to the text .
--
Reply
Wish google indexed this page. Can you add the error in the page as text so people can find this?
Thanks for saving the day!!
--
Reply
by
[Setting up SAML Authentication to Stream Amazon Workspaces using Auth 0 as your identity provider.\ \
Nov 23, 2023
by
[Building AWS Architecture with MCP Servers and Strands Agents\ \
Sep 22, 2025
by
[JA3 and JA4 Fingerprints in AWS WAF and Beyond\ \
Apr 10, 2025
[AWS VPN Concentrators: Simplifying Large-Scale Hybrid Connectivity\ \
Jan 22
by
[A Complete Guide for URL Redirection using AWS CloudFront, S3, and Route53\ \
Oct 1, 2025
[Migrating from Serverless Framework to AWS SAM\ \
Oct 7, 2025
[S3\ \
Oct 4, 2025
[AWS S3 Bucket\ \
Dec 19, 2025
[Web Application with EC2, S3, CloudFront, and RDS\