First, you need to utilize the Amazon S3 console to see the properties of one of the objects that you are not able to access. Then review the object's Encryption properties. If the IAM identity is lacking permissions to any of these actions, then you should modify the key policy so that you are able to grant the missing permissions.