diff --git a/pkg/cloud/services/s3/s3_test.go b/pkg/cloud/services/s3/s3_test.go
index 80422ffc4e..3db7abfca7 100644
--- a/pkg/cloud/services/s3/s3_test.go
+++ b/pkg/cloud/services/s3/s3_test.go
@@ -738,6 +738,18 @@ func TestDeleteObject(t *testing.T) {
 t.Fatalf("Unexpected error, got: %v", err)
 }
 })
+
+ t.Run("object_access_denied_and_BestEffortDeleteObjects_is_on", func(t *testing.T) {
+ t.Parallel()
+
+ svc, s3Mock := testService(t, &testServiceInput{Bucket: &infrav1.S3Bucket{BestEffortDeleteObjects: aws.Bool(true)}})
+ s3Mock.EXPECT().HeadObject(gomock.Any()).Return(nil, nil)
+ s3Mock.EXPECT().DeleteObject(gomock.Any()).Return(nil, awserr.New("AccessDenied", "Access Denied", nil))
+
+ if err := svc.Delete(machineScope); err != nil {
+ t.Fatalf("Unexpected error, got: %v", err)
+ }
+ })
 })

 t.Run("returns_error_when", func(t *testing.T) {
@@ -793,6 +805,27 @@ func TestDeleteObject(t *testing.T) {
 t.Fatalf("Expected error")
 }
 })
+
+ t.Run("object_access_denied_and_BestEffortDeleteObjects_is_off", func(t *testing.T) {
+ t.Parallel()
+
+ svc, s3Mock := testService(t, &testServiceInput{Bucket: &infrav1.S3Bucket{}})
+ s3Mock.EXPECT().HeadObject(gomock.Any()).Return(nil, nil)
+ s3Mock.EXPECT().DeleteObject(gomock.Any()).Return(nil, awserr.New("AccessDenied", "Access Denied", nil))
+
+ machineScope := &scope.MachineScope{
+ Machine: &clusterv1.Machine{},
+ AWSMachine: &infrav1.AWSMachine{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: nodeName,
+ },
+ },
+ }
+
+ if err := svc.Delete(machineScope); err == nil {
+ t.Fatalf("Expected error")
+ }
+ })
 })

 t.Run("is_idempotent", func(t *testing.T) {
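Review bot: The new `object_access_denied_and_BestEffortDeleteObjects_is_on` case pins only that AccessDenied is swallowed and nothing bounds that tolerance, so an implementation that ignores every DeleteObject error when the flag is set would pass as well. A swallowed delete leaves the object in the bucket, so if the best-effort path is meant to cover AccessDenied only, I would add a sibling case under `returns_error_when` with the flag on and a different failure, for example `awserr.New("InternalError", "Internal Error", nil)`, expecting `svc.Delete` to return an error. The subtest also passes a `machineScope` declared outside the hunk while running under `t.Parallel()`; building a local scope, as the `_is_off` case does, would avoid sharing it between parallel subtests. TestDeleteObject and the enclosing `t.Run` block begin outside the hunk, so the shared variable's declaration is not visible here.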
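Review bot: The `object_access_denied_and_BestEffortDeleteObjects_is_off` case fails only when `err == nil`, so any error from `svc.Delete` satisfies it, including one unrelated to the mocked DeleteObject failure. Checking the error code would tie the test to the path it names, for example `var aerr awserr.Error` followed by `if !errors.As(err, &aerr) || aerr.Code() != "AccessDenied" { t.Fatalf("Expected AccessDenied, got: %v", err) }`. That assumes Delete returns the SDK error in a form `errors.As` can unwrap, which is not visible in this diff. The enclosing `returns_error_when` block begins outside the hunk.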