How to Fix Nginx Permission Denied on AWS EC2
The Root Cause
Nginx “Permission Denied” errors on AWS EC2 typically occur because the Nginx worker process, which usually runs under a dedicated, unprivileged user (e.g., www-data on Ubuntu/Debian or nginx on Amazon Linux/CentOS/RHEL), lacks the necessary read or write permissions for the web root directory, its files, or Nginx log files. This commonly happens when web content is deployed by the EC2 instance’s default login user (e.g., ec2-user, ubuntu), leaving files and directories that are neither owned by the Nginx user nor shared with it.
Quick Fix (CLI)
The following commands assume your web root is /var/www/html and you are using www-data for Debian/Ubuntu-based AMIs or nginx for Amazon Linux/CentOS/RHEL-based AMIs. Adjust the user and path as needed.
For Debian/Ubuntu-based AMIs (e.g., Ubuntu):
# Set ownership of the web root to the Nginx user and group
sudo chown -R www-data:www-data /var/www/html
# Set permissions recursively: rwx for owner, r-x for group/others (-R applies this to files as well as directories)
sudo chmod -R 755 /var/www/html
# Ensure Nginx can write to its log directory (if logs are the issue)
sudo chown -R www-data:adm /var/log/nginx
# Restart Nginx to apply changes
sudo systemctl restart nginx
For Amazon Linux/CentOS/RHEL-based AMIs:
# Set ownership of the web root to the Nginx user and group
sudo chown -R nginx:nginx /var/www/html
# Set permissions recursively: rwx for owner, r-x for group/others (-R applies this to files as well as directories)
sudo chmod -R 755 /var/www/html
# Ensure Nginx can write to its log directory (if logs are the issue)
sudo chown -R nginx:nginx /var/log/nginx
# Restart Nginx to apply changes
sudo systemctl restart nginx
Configuration Check
Review the following Nginx configuration files to ensure the Nginx user is correctly defined and the web root path matches your permissions adjustments.
1. Nginx Main Configuration (/etc/nginx/nginx.conf)
Verify the user directive at the top of the file. This dictates which user Nginx worker processes run as.
# Example for Debian/Ubuntu
user www-data;
# Example for Amazon Linux/CentOS/RHEL
user nginx;
2. Virtual Host Configuration (e.g., /etc/nginx/sites-available/default or custom site configs)
Confirm the root directive points to the exact path you applied permissions to.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html; # Ensure this path matches the chown/chmod target
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
3. Dockerfile (if using Nginx in a Docker container)
If Nginx is containerized, ensure the user running Nginx inside the container has permissions to the mounted web root.
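# Example for a Debian-based Nginx image
FROM nginx:latest
# Copy content to the web root
COPY . /usr/share/nginx/html
# Ensure the Nginx user has ownership of the web root within the container
# (the build runs as root at this point, so chown succeeds)
RUN chown -R nginx:nginx /usr/share/nginx/html
# No USER instruction: in the official image the master process starts as root
# and the workers run as the account named by the "user" directive in nginx.conf
# (nginx, or www-data depending on the base image setup)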
Verification
After applying the fix, verify Nginx is running correctly and serving content.
- Check Nginx Service Status:
sudo systemctl status nginx
Look for an active (running) status.
- Inspect Nginx Error Logs for Residual Issues:
sudo tail -f /var/log/nginx/error.log
Ensure no new “Permission Denied” errors appear.
- Test Web Access: Use curl from the EC2 instance or access the public IP/domain from your browser.
curl -I http://localhost/
You should receive an HTTP 200 OK status, indicating successful page delivery.
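If the error log still shows a denial, the worker may be stopped by a single path component rather than by the web root as a whole. The script below is an added example, not part of the original article: it walks an absolute path from / downwards and prints the first component whose mode bits deny the given account. The function names perm_bits, first_blocker and check_worker are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original article. Judges access from the
# classic owner/group/other mode bits only (no ACLs, SELinux or root
# override). Needs a stat that supports -c (GNU coreutils or BusyBox).

# perm_bits UID "GIDS" PATH: print the rwx digit (0-7) that applies to UID.
perm_bits() {
    pb_st=$(stat -L -c '%u %g %a' "$3") || return 2
    set -- "$1" "$2" $pb_st        # now $3=owner uid, $4=owner gid, $5=mode
    pb_mode=$((0$5))               # leading 0 makes the constant octal
    if [ "$1" -eq "$3" ]; then echo $(( (pb_mode >> 6) & 7 )); return 0; fi
    for pb_g in $2; do
        if [ "$pb_g" -eq "$4" ]; then echo $(( (pb_mode >> 3) & 7 )); return 0; fi
    done
    echo $(( pb_mode & 7 ))
}

# first_blocker UID "GIDS" PATH: walk an absolute PATH from / downwards and
# print the first component the account cannot pass. Directories need x
# (search); a final regular file needs r. Prints nothing, returns 0 if all pass.
first_blocker() {
    fb_rest=${3#/}; fb_cur=
    while :; do
        fb_path=${fb_cur:-/}
        if [ -d "$fb_path" ]; then fb_need=1; else fb_need=4; fi
        fb_bits=$(perm_bits "$1" "$2" "$fb_path") || { echo "$fb_path"; return 2; }
        [ $(( fb_bits & fb_need )) -ne 0 ] || { echo "$fb_path"; return 1; }
        [ -n "$fb_rest" ] || return 0
        fb_cur=$fb_cur/${fb_rest%%/*}
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
    done
}

# check_worker USER PATH: resolve the worker account (www-data or nginx in
# the article) and report what blocks it, for example:
#   check_worker www-data /var/www/html/index.html
check_worker() {
    first_blocker "$(id -u "$1")" "$(id -G "$1")" "$2"
}
```

Source the file in a root shell so that stat can read every component, then call check_worker with the account from the user directive. Empty output means the mode bits allow the worker to reach and read the file.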