I want to troubleshoot the "Access denied" error I receive for my AWS account root user or AWS Identity and Access Management (IAM) entity that has admin permissions.
Short description
You might receive an Access denied error for your root user or IAM entity that has admin permissions for the following reasons:
- A service control policy (SCP) restricts access to a service.
- A resource-based policy restricts access to a resource.
- A permissions boundary limits the actions that your root user or IAM entity can perform.
- A session policy is causing an authorization issue.
- An Amazon Virtual Private Cloud (Amazon VPC) endpoint policy restricts access.
Resolution
Resolve authorization issues for root users
An SCP that's attached to an organizational unit (OU) or directly to a member account can restrict the root user of that member account, even though the root user has no identity-based policies. SCPs never affect the management account, including its root user. To remove the restriction, sign in to the management account of your organization and edit the SCP in AWS Organizations.
The following example shows an SCP that denies Amazon Simple Storage Service (Amazon S3) access for a root user. The SCP uses the aws:PrincipalArn condition key with the root ARN pattern arn:aws:iam::*:root (the arn:aws:iam::accountID:root format with a wildcard account ID), so it matches the root user of every account that the SCP applies to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}
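The following Python is an added example, not part of this article or of any AWS tool. It models, in simplified form, how the policy types listed above combine: an explicit Deny in any applicable policy wins, SCPs apply to member accounts but never to the management account, a permissions boundary and a session policy each cap what the identity-based policies grant, and a root user is subject to SCPs and resource-based policies even though it has no identity-based policies. The evaluator only supports Action and Resource wildcards and the aws:PrincipalArn StringLike condition that the SCP above uses; the account IDs, bucket name, and policy documents other than the SCP from this page are assumptions made for the demonstration.

```python
"""Simplified model of how the policy types on this page combine.
Added example, not the AWS evaluator: it supports Action/Resource
wildcards and only the aws:PrincipalArn StringLike condition that the
SCP above uses."""
import fnmatch
import json

# The AWS-managed FullAWSAccess SCP that Organizations attaches by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The SCP shown above: denies every S3 action to a member account's root user.
DENY_ROOT_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny", "Action": ["s3:*"], "Resource": ["*"],
    "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, principal_arn):
    """Does this statement match the request? Action names are
    case-insensitive in IAM; ARNs are case-sensitive."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r)
               for r in _as_list(stmt.get("Resource", []))):
        return False
    cond = stmt.get("Condition", {})
    if set(cond) - {"StringLike"} or set(cond.get("StringLike", {})) - {"aws:PrincipalArn"}:
        raise NotImplementedError("only StringLike on aws:PrincipalArn is modelled")
    patterns = cond.get("StringLike", {}).get("aws:PrincipalArn")
    if patterns is not None and not any(fnmatch.fnmatchcase(principal_arn, p)
                                        for p in _as_list(patterns)):
        return False
    return True


def decide(policies, action, resource, principal_arn):
    """Evaluate a set of policy documents together: any matching Deny wins,
    otherwise a matching Allow gives "Allow", otherwise None (implicit deny)."""
    decision = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, action, resource, principal_arn):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def is_authorized(principal_arn, action, resource, *, identity_policies=(),
                  scps=(), permissions_boundary=None, session_policy=None,
                  resource_policy=None, management_account=False):
    """Every layer that applies to the principal must return Allow.
    Assumptions in this model: the root user is treated as allowed by the
    identity layer (it has no identity-based policies), and a resource-based
    policy is only checked for an explicit Deny."""
    if resource_policy is not None and \
            decide([resource_policy], action, resource, principal_arn) == "Deny":
        return False
    layers = []
    if scps and not management_account:   # SCPs never restrict the management account
        layers.append(list(scps))
    if permissions_boundary is not None:  # caps, never grants
        layers.append([permissions_boundary])
    if session_policy is not None:        # caps the role session, never grants
        layers.append([session_policy])
    if not principal_arn.endswith(":root"):
        layers.append(list(identity_policies))
    return all(decide(layer, action, resource, principal_arn) == "Allow"
               for layer in layers)


if __name__ == "__main__":
    # Assumed account IDs, bucket and policies for the demonstration.
    bucket = "arn:aws:s3:::example-bucket"
    member_root = "arn:aws:iam::111122223333:root"
    member_admin = "arn:aws:iam::111122223333:user/admin"
    mgmt_root = "arn:aws:iam::999999999999:root"
    admin = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
    scps = [FULL_AWS_ACCESS, DENY_ROOT_S3]
    print(is_authorized(member_root, "s3:ListBucket", bucket, scps=scps))      # False
    print(is_authorized(member_admin, "s3:ListBucket", bucket,
                        identity_policies=[admin], scps=scps))                  # True
    print(is_authorized(mgmt_root, "s3:ListBucket", bucket, scps=scps,
                        management_account=True))                               # True
    s3_only = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print(is_authorized(member_admin, "ec2:DescribeInstances", "*",
                        identity_policies=[admin], permissions_boundary=s3_only))  # False
```

The four calls in the demonstration show the cases this article describes: the member account root user is denied by the SCP, an administrator IAM user in the same account is not (the condition doesn't match its ARN), the management account root user is unaffected, and an administrator whose permissions boundary only allows S3 is denied EC2 even though the identity-based policy allows everything.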
Resolve authorization issues for IAM entities
If an IAM entity that has administrator-level access still receives an Access denied error, another policy type is restricting it. For more information, see Troubleshoot access denied error messages. The error message usually names the policy type that caused the denial, for example "with an explicit deny in a service control policy" or "because no permissions boundary allows the ... action", so read the full message before you start changing policies.
Resource-based policies, such as an Amazon S3 bucket policy, can restrict an IAM entity's access to a resource. An explicit Deny in a resource-based policy overrides any Allow in the entity's identity-based policies, including administrator access. Make sure that the resource-based policy that's attached to the resource doesn't deny the entity and, where the policy is what grants access, that it specifies the entity. For a list of services that support resource-based policies, see AWS services that work with IAM.
If you use a permissions boundary, then the entity can only perform the actions that are allowed in both the identity-based policy and the permissions boundary. A permissions boundary never grants permissions on its own; it only caps what the identity-based policies can grant. Update the permissions boundary so that it allows the same actions as the identity-based policy, or detach it if it's no longer needed.
When you create a temporary session for your IAM role or for a federated user, you can programmatically pass session policies. The session's effective permissions are the intersection of the identity-based policies and the session policy, so a session policy can block actions that the role itself allows. To check whether you passed a session policy for your IAM role session, check AWS CloudTrail logs for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity API calls. To check for session policies that you passed for a federated user session, check CloudTrail logs for GetFederationToken API calls.
If you route your requests through a VPC endpoint, then the endpoint policy is evaluated in addition to the other policies. Check the associated VPC endpoint policy for an explicit Deny, or for an Allow that doesn't cover your principal, action, or resource, and remove the restriction.
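The following Python is an added example, not part of this article or of any AWS tool, that performs the two CloudTrail checks described above over sample records: it classifies each access-denied event by the policy type named in the error message (the message shape is the one documented in Troubleshoot access denied error messages; S3's bare "Access Denied" carries no policy type and is reported as unknown), and it lists the AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, and GetFederationToken calls that passed a session policy. The sample records are constructed and abbreviated to the fields the code reads; the field names policy and policyArns under requestParameters are an assumption about how STS logs a passed session policy, so compare against a real AssumeRole record from your own trail.

```python
"""Added example: triage CloudTrail records for the access-denied causes
this page lists. The sample records below are constructed, not real
trail output, and are abbreviated to the fields the code reads."""
import re

# Constructed sample records. Assumption: STS logs an inline session policy
# under requestParameters.policy and managed ones under requestParameters.policyArns.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "errorCode": "AccessDenied",
     "errorMessage": ("User: arn:aws:iam::111122223333:root is not authorized to "
                      "perform: s3:ListAllMyBuckets on resource: arn:aws:s3:::* "
                      "with an explicit deny in a service control policy")},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/admin"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": ("User: arn:aws:iam::111122223333:user/admin is not authorized "
                      "to perform: ec2:DescribeInstances on resource: * because no "
                      "permissions boundary allows the ec2:DescribeInstances action")},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "deploy",
                           "policy": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                                     '"Action":"s3:GetObject","Resource":"*"}]}'}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Admin",
                           "roleSessionName": "ops"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/deploy"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]

POLICY_TYPES = ("identity-based policy", "resource-based policy", "permissions boundary",
                "service control policy", "session policy", "VPC endpoint policy")
# Message shapes: "... with an explicit deny in a <type>" (explicit deny) or
# "... because no <type> allows the <action> action" (implicit deny).
_DENY_RE = re.compile(r"(?P<kind>with an explicit deny in an?|because no) (?P<type>%s)"
                      % "|".join(re.escape(t) for t in POLICY_TYPES))
_DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}


def classify_denial(record):
    """Return (policy_type, "explicit" | "implicit") for an access-denied record,
    ("unknown", "unknown") when the message names no policy type (S3's bare
    "Access Denied", for example), or None when the call was not denied."""
    if record.get("errorCode") not in _DENIED_CODES:
        return None
    m = _DENY_RE.search(record.get("errorMessage", ""))
    if not m:
        return ("unknown", "unknown")
    kind = "explicit" if m.group("kind").startswith("with") else "implicit"
    return (m.group("type"), kind)


def session_policy_calls(records):
    """STS calls that passed a session policy, inline (policy) or managed (policyArns)."""
    sts_calls = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
                 "GetFederationToken"}
    hits = []
    for r in records:
        if r.get("eventSource") != "sts.amazonaws.com" or r.get("eventName") not in sts_calls:
            continue
        params = r.get("requestParameters") or {}
        if params.get("policy") or params.get("policyArns"):
            hits.append(r)
    return hits


def triage(records):
    """Count denials per (policy_type, kind) so you know which layer to fix first."""
    counts = {}
    for r in records:
        c = classify_denial(r)
        if c is not None:
            counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_RECORDS).items()):
        print(f"{n:3d}  {key[1]:8s} {key[0]}")
    for r in session_policy_calls(SAMPLE_RECORDS):
        print("session policy passed:", r["userIdentity"]["arn"], "->",
              r["requestParameters"]["roleArn"])
```

To run this against a real trail, load the records from the Records array of the CloudTrail JSON files in your S3 bucket (or from the results of a CloudTrail Lake or Athena query) and pass the list to triage and session_policy_calls; the "unknown" bucket is where the Amazon S3 guidance in the next section applies.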
Resolve "Access denied" error messages for Amazon S3 resources
To troubleshoot Access denied error messages for Amazon S3 resources, see How do I troubleshoot 403 Access Denied errors from Amazon S3?
Resolve authorization issues when you access the Billing and Cost Management console
You must grant your root user or IAM entity access to the AWS Billing and Cost Management console. For more information, see How do I troubleshoot IAM permission issues for the Billing and Cost Management console?
By default, IAM users and roles can't access billing information even when they have administrator permissions. The root user must first turn on IAM user and role access to billing information on the Account page of the console (the Activate IAM Access setting); until then, an IAM entity's billing permissions have no effect. To resolve authorization issues, check whether the root user has activated that setting.
Related information
How permissions and policies provide access management