My AWS Organizations member account received an explicit deny error message similar to the following: "The IAM Entity is not authorized to perform API action on resource: arn:aws:iam::123456789012:role/Admin with an explicit deny in a service control policy".
Short description
You can use AWS Organizations service control policies (SCPs) to set the maximum permissions available to member accounts in your organization. However, SCPs don't grant permissions to AWS Identity and Access Management (IAM) identities in your organization; they only limit what the account's identity-based and resource-based policies can grant. SCPs also don't apply to the organization's management account.
To grant access to an API action in a member account, both the effective SCPs for that account and the IAM identity-based policy must allow the action. An explicit deny in either one overrides any allow, which is why the request fails even when the IAM policy allows it.
Resolution
To confirm that the explicit deny error occurred because an SCP denied the request, use the CloudTrail Event history to search for the event name. In the matching event, the errorCode is AccessDenied and the errorMessage ends with "with an explicit deny in a service control policy"; a deny caused by an identity-based policy shows a different message. Then, from the AWS Organizations management account, use the Organizations console to remove, detach, or modify the policy so that it allows the API action.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Review the CloudTrail Event history
Use the CloudTrail console
Event history shows the management events recorded for supported services and integrations over the past 90 days, including create, modify, delete, and read-only (non-mutating) activity. You don't need to set up a trail to use CloudTrail Event history.
For instructions, see Viewing recent CloudTrail events in the CloudTrail console.
Use the AWS CLI
Run the lookup-events AWS CLI command to look up management events or CloudTrail Insights events for the past 90 days.
If your trail delivers events to an Amazon CloudWatch Logs log group, run the CloudWatch Logs filter-log-events command with a filter pattern to search for specific terms, phrases, and values in your log events, such as the "explicit deny in a service control policy" error message. You can reuse the same filter pattern in a metric filter to turn matching events into CloudWatch metrics and alarms.
For more information, see Filter pattern syntax for metric filters, subscription filters, filter log events, and Live Tail.
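The following script is an added example and not part of the AWS article. It builds the lookup-events command for a given event name and then parses the command's JSON output to keep only the events that an SCP denied. The CloudTrailEvent field in that output is itself a JSON-encoded string, so it has to be decoded a second time; the script also separates SCP denies from AccessDenied errors caused by an identity-based policy, which carry a different message. The sample output, account ID, role names, and error messages are constructed for the example.

```python
"""Find SCP explicit denies in `aws cloudtrail lookup-events` output (added example)."""
import json
from datetime import datetime, timedelta, timezone

SCP_MARKER = "with an explicit deny in a service control policy"


def lookup_command(event_name, days=7):
    """Build the AWS CLI command whose output this script parses.

    Event history only covers the past 90 days, so `days` is capped there.
    """
    days = min(days, 90)
    start = datetime.now(timezone.utc) - timedelta(days=days)
    return (
        "aws cloudtrail lookup-events "
        f"--lookup-attributes AttributeKey=EventName,AttributeValue={event_name} "
        f"--start-time {start.strftime('%Y-%m-%dT%H:%M:%SZ')} "
        "--output json"
    )


def scp_denies(lookup_output):
    """Return the events in lookup-events JSON output that an SCP denied.

    `CloudTrailEvent` is a JSON string nested inside the JSON document,
    so each record is decoded a second time before the fields are read.
    """
    found = []
    for record in json.loads(lookup_output).get("Events", []):
        detail = json.loads(record["CloudTrailEvent"])
        if detail.get("errorCode") != "AccessDenied":
            continue  # call succeeded, or failed for another reason
        if SCP_MARKER not in detail.get("errorMessage", ""):
            continue  # denied by an identity-based or resource policy, not an SCP
        found.append({
            "eventTime": detail.get("eventTime"),
            "eventSource": detail.get("eventSource"),
            "eventName": detail.get("eventName"),
            "principal": detail.get("userIdentity", {}).get("arn"),
            "account": detail.get("recipientAccountId"),
            "errorMessage": detail["errorMessage"],
        })
    return found


def _event(name, source, principal_arn, error=None):
    """Constructed lookup-events record, nested the same way the CLI nests it."""
    detail = {
        "eventVersion": "1.08",
        "eventTime": "2024-05-01T12:00:00Z",
        "eventSource": source,
        "eventName": name,
        "recipientAccountId": "123456789012",
        "userIdentity": {"type": "AssumedRole", "arn": principal_arn},
    }
    if error:
        detail["errorCode"] = "AccessDenied"
        detail["errorMessage"] = error
    return {"EventId": f"{name}-id", "EventName": name, "CloudTrailEvent": json.dumps(detail)}


# Constructed sample: one SCP deny, one identity-policy deny, one success.
SESSION = "arn:aws:sts::123456789012:assumed-role/Deployer/ci"
SAMPLE_OUTPUT = json.dumps({"Events": [
    _event("UpdateAssumeRolePolicy", "iam.amazonaws.com", SESSION,
           f"User: {SESSION} is not authorized to perform: iam:UpdateAssumeRolePolicy "
           "on resource: arn:aws:iam::123456789012:role/Admin " + SCP_MARKER),
    _event("PassRole", "iam.amazonaws.com", SESSION,
           f"User: {SESSION} is not authorized to perform: iam:PassRole on resource: "
           "arn:aws:iam::123456789012:role/Admin because no identity-based policy "
           "allows the iam:PassRole action"),
    _event("GetRole", "iam.amazonaws.com", SESSION),
]})

if __name__ == "__main__":
    print(lookup_command("UpdateAssumeRolePolicy"))
    for hit in scp_denies(SAMPLE_OUTPUT):
        print(hit["eventTime"], hit["eventName"], hit["principal"], "->", hit["errorMessage"])
```

In practice, pipe the real CLI output into scp_denies (for example, `aws cloudtrail lookup-events ... > events.json` and then `scp_denies(open("events.json").read())`). The principal in the event is the assumed-role session ARN; the SCP condition keys discussed later in this article match on the role ARN instead.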
Use the AWS Organizations console to remove or modify the SCP
Complete the following steps:
- Open the AWS Organizations console with your organization's management account.
- In the navigation pane, choose AWS accounts, and then choose the affected member account.
- Choose the Policies tab, and then review all applied SCPs that restrict access to the API action. An SCP that is inherited from a parent organizational unit (OU) or the root must be edited or detached at that level, not at the account.
- To edit the policy, select the SCP, and then choose Edit policy. After you edit the policy, choose Save changes. Prefer narrowing the Deny statement (for example, with a Condition that exempts a specific principal) over removing the guardrail entirely.
-or-
To detach the policy, select the SCP, and then choose Detach.
-or-
To delete the policy, select the SCP, and then choose Delete. You must first detach the SCP from every root, OU, and account that it's attached to.
From the member account, run the API action again to confirm that the explicit deny error is resolved.
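Before you save an edited SCP, it helps to check that the change actually exempts the principal that was denied and nothing more. The following script is an added example and not an AWS tool or the article's own content. It implements a deliberately small subset of the policy language (Deny statements only, wildcard Action and Resource matching, and ArnLike/ArnNotLike conditions on aws:PrincipalArn) and refuses anything else rather than guessing; it is not the IAM policy evaluator. The SCP, account ID, and role names (Admin, OrgSecurity, Deployer) are constructed for the example, and the "after" policy shows the edit described above: the same Deny statement with a Condition that exempts one role.

```python
"""Check which Deny statements in an SCP match a request (added example)."""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, case_sensitive):
    """IAM-style wildcard match: only '*' and '?' are special. Actions are
    case-insensitive; ARNs are case-sensitive. '[' is escaped so fnmatch's
    character classes don't change the meaning."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_holds(condition, principal_arn):
    """Evaluate ArnLike/ArnNotLike on aws:PrincipalArn. Any other operator
    or key raises, so the check never silently mis-models a policy."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in pairs.items():
            if key.lower() != "aws:principalarn":
                raise ValueError(f"unsupported condition key: {key}")
            hit = any(_wild(p, principal_arn, True) for p in _as_list(patterns))
            if (operator == "ArnLike") != hit:
                return False
    return True


def denying_statements(scp, action, resource_arn, principal_arn):
    """Return the Sids of the SCP's Deny statements that match the request.

    An empty list means this SCP no longer explicitly denies the call;
    other SCPs in the account's inheritance chain and the identity-based
    policy still have to allow it. principal_arn is the role ARN
    (aws:PrincipalArn), not the assumed-role session ARN seen in CloudTrail.
    """
    policy = json.loads(scp) if isinstance(scp, str) else scp
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            raise ValueError("NotAction/NotResource are not modelled here")
        if not any(_wild(a, action, False) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_wild(r, resource_arn, True) for r in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_holds(stmt.get("Condition"), principal_arn):
            continue
        hits.append(stmt.get("Sid", f"Statement[{i}]"))
    return hits


# Constructed SCP that would produce the error in the article: every principal
# in the member account is denied changes to the Admin role.
SCP_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectAdminRole",
        "Effect": "Deny",
        "Action": ["iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
        "Resource": "arn:aws:iam::*:role/Admin",
    }],
}

# Edited SCP: same guardrail, but the hypothetical OrgSecurity role is exempted
# with ArnNotLike on aws:PrincipalArn instead of detaching or deleting the SCP.
SCP_AFTER = json.loads(json.dumps(SCP_BEFORE))
SCP_AFTER["Statement"][0]["Condition"] = {
    "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgSecurity"}
}

ACTION = "iam:UpdateAssumeRolePolicy"
ADMIN_ROLE = "arn:aws:iam::123456789012:role/Admin"
SECURITY_ROLE = "arn:aws:iam::123456789012:role/OrgSecurity"
DEPLOY_ROLE = "arn:aws:iam::123456789012:role/Deployer"

if __name__ == "__main__":
    for label, scp in (("before", SCP_BEFORE), ("after", SCP_AFTER)):
        for who in (SECURITY_ROLE, DEPLOY_ROLE):
            print(label, who.rsplit("/", 1)[1], denying_statements(scp, ACTION, ADMIN_ROLE, who))
```

Running the script shows that the "before" policy denies both roles, while the "after" policy exempts only OrgSecurity and still denies Deployer. Because SCP conditions match the role ARN, the same edit works however the role's session is named. Treat the result as a pre-check only; confirm from the member account, as described above, after you save the policy.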
For more information, see Viewing information for Organizations (console).