Posted On: Nov 18, 2021

To help you quickly troubleshoot your permissions in Amazon Web Services (AWS), AWS Identity and Access Management (IAM) now includes the policy type that’s responsible for the denied permissions in access denied error messages. Amazon SageMaker, AWS CodeCommit and AWS Secrets Manager are among the first AWS services that now offer this additional context, with other services following in the next few months. When you troubleshoot access-related challenges, the policy type identified in the access denied error message helps you quickly find the root cause and unblock your developers by updating the relevant policies.

For example, when a developer attempting the DescribeDomain action in Amazon SageMaker is denied access, the error message can enable her to understand that the access is denied due to a service control policy (SCP), which is managed by the central security team. She can create a trouble ticket with her central security team, providing the access denied error message and highlighting the policy type that is responsible for the denied access. The security administrator can then focus their troubleshooting efforts on SCPs that are related to SageMaker, saving time and effort on troubleshooting access-related challenges.

To learn more, see the IAM troubleshooting documentation.