AWS introduces additional policy details to access denied error messages
AWS now includes the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) or AWS Organizations policy that caused the denial in access denied error messages, in same-account and same-organization scenarios. This lets you identify the exact policy responsible for the denied access and go straight to fixing it.
Before this launch, the error message named only the policy type, so customers had to work out on their own which policy of that type was responsible. This launch speeds up troubleshooting when several policies of the same type are in effect: for explicit denies, the message now names the specific policy to address. The policy ARN is included for service control policies (SCPs), resource control policies (RCPs), identity-based policies, session policies, and permissions boundaries.
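As an added example (not AWS code or documentation), the following Python parser pulls the principal, action, deny kind, policy type and, when present, the policy ARN out of AccessDenied messages, then groups denials by the denying policy ARN, the way you might when triaging CloudTrail `errorMessage` fields. The sample messages are constructed to follow the documented IAM wording ("with an explicit deny in a ...", "because no ... allows"); the assumption that the policy ARN is appended directly after the policy type phrase is mine, so adjust `ARN_RE` or `DENY_RE` if the messages your services return are shaped differently.

```python
"""Parse IAM AccessDenied messages and group them by the denying policy ARN.

Added example, not AWS code. Message shapes are constructed; the position of
the policy ARN (right after the policy type phrase) is an assumption.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Policy types that the announcement says now carry an ARN in the message.
POLICY_TYPE_RE = (
    r"service control policy|resource control policy|identity-based policy|"
    r"session policy|permissions boundary"
)

# "User: <principal ARN> is not authorized to perform: <action> ..."
PRINCIPAL_RE = re.compile(
    r"^User: (?P<principal>arn:\S+) is not authorized to perform: (?P<action>\S+)"
)
# Explicit deny: "with an explicit deny in a <type>"; implicit: "because no <type> allows".
DENY_RE = re.compile(
    rf"(?P<explicit>with an explicit deny in an? |because no )(?P<ptype>{POLICY_TYPE_RE})"
)
# Generic ARN token; partitions such as aws-cn or aws-us-gov are accepted.
ARN_RE = re.compile(r"arn:aws[a-z-]*:[a-z0-9-]*:[a-z0-9-]*:\d*:[^\s,]+")


@dataclass
class Denial:
    principal: str
    action: str
    explicit: bool
    policy_type: Optional[str]
    policy_arn: Optional[str]  # None when the message carries no policy ARN


def parse_access_denied(message: str) -> Denial:
    head = PRINCIPAL_RE.match(message)
    if not head:
        raise ValueError("not an IAM AccessDenied message: " + message[:60])
    deny = DENY_RE.search(message, head.end())
    if not deny:
        # Message names no policy type at all (older wording); nothing to attribute.
        return Denial(head["principal"], head["action"], False, None, None)
    explicit = deny["explicit"].startswith("with an explicit deny")
    # Search for the policy ARN only after the policy type phrase, so the
    # principal and resource ARNs earlier in the message are not picked up.
    arn = ARN_RE.search(message, deny.end())
    return Denial(head["principal"], head["action"], explicit, deny["ptype"],
                  arn.group(0).rstrip(".") if arn else None)


def group_by_policy(messages: List[str]) -> Dict[str, int]:
    """Count denials per denying policy ARN. Messages without an ARN (implicit
    denies, cross-account calls, older wording) are bucketed by policy type so
    they are not silently dropped from the tally."""
    counts: Counter = Counter()
    for m in messages:
        d = parse_access_denied(m)
        counts[d.policy_arn or f"<no ARN: {d.policy_type or 'unknown'}>"] += 1
    return dict(counts)


# Constructed sample messages (not captured from a real account).
SAMPLE_MESSAGES = [
    # Explicit SCP deny in the same organization, policy ARN appended.
    "User: arn:aws:sts::111122223333:assumed-role/Dev/alice is not authorized to "
    "perform: s3:PutObject on resource: arn:aws:s3:::example-bucket/report.csv "
    "with an explicit deny in a service control policy "
    "arn:aws:organizations::999999999999:policy/o-exampleorgid/service_control_policy/p-examplescp",
    # Explicit deny from an identity-based policy in the same account.
    "User: arn:aws:sts::111122223333:assumed-role/Dev/alice is not authorized to "
    "perform: s3:PutObject on resource: arn:aws:s3:::example-bucket/report.csv "
    "with an explicit deny in an identity-based policy arn:aws:iam::111122223333:policy/DenyProdWrites",
    # Implicit deny: no policy allowed the action, so there is no single policy ARN.
    "User: arn:aws:iam::111122223333:user/bob is not authorized to perform: "
    "ec2:StartInstances because no identity-based policy allows the ec2:StartInstances action",
    # Explicit deny without an ARN: the shape still seen when the ARN is not
    # included (older messages, cross-account calls).
    "User: arn:aws:iam::111122223333:user/bob is not authorized to perform: "
    "sts:AssumeRole on resource: arn:aws:iam::444455556666:role/Target "
    "with an explicit deny in a service control policy",
]

if __name__ == "__main__":
    for key, n in sorted(group_by_policy(SAMPLE_MESSAGES).items()):
        print(f"{n:3d}  {key}")
```

Run against the `errorMessage` field of CloudTrail events with `errorCode` of `AccessDenied`, this turns a pile of denials into a short list of policy ARNs to review; the implicit-deny and no-ARN buckets remain visible so you can tell which failures still need the old policy-type-only investigation.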
This additional context will gradually become available across AWS services in all AWS Regions. To learn more, refer to the IAM documentation.