How can I resolve access denied issues caused by permissions boundaries?

Last updated: 2022-03-21

I received an access denied or unauthorized error when trying to access my AWS service. How can I troubleshoot access denied errors on my AWS account?

Short description

You might receive an access denied or unauthorized error because your AWS Identity and Access Management (IAM) policy does not meet specific conditions requirements. First, review any service control policies (SCPs) on your account, and then check that there are no denies present in your resource-based policies. If this doesn't resolve the error, then the issue might be caused by the presence of a permissions boundary.

A permissions boundary is a feature that allows you to use a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity (user or role). When you set a permissions boundary for an entity, that entity can only perform actions that are allowed by both its identity-based policies and its permissions boundary.

Note: The permissions boundary sets the maximum permissions for an entity, but does not grant those permissions.

To troubleshoot authorization errors, follow these steps:

  • Check if an action is allowed in your IAM policy but not in the permissions boundary
  • Include all required actions in the permissions boundary using the IAM console
  • Use the "iam:PermissionsBoundary" condition key in your IAM policy

Resolution

Check if an action is allowed in your IAM policy, but not in the permissions boundary

The following example shows an action that is allowed in an IAM policy, but not in the permissions boundary. In this example, an IAM user has the policy USER_IAM_POLICY attached to it:

IAM policy:(USER_IAM_POLICY )
 “Effect”: “Allow”,
            “Action”: [
                “ec2:*”,
                “s3:*”
            ],

This policy gives the user full access to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) services. The user also has a permissions boundary named USER_PB_POLICY set.

Permissions Boundary:(USER_PB_POLICY)
 “Effect”: “Allow”,
            “Action”: [
                “cloudwatch:*”,
                “s3:*”
            ],

The permissions boundary sets the maximum permissions that the user can perform. In this example, this permission boundary allows full access to Amazon CloudWatch and Amazon S3 services. But, because Amazon S3 is the only service that is allowed in both the IAM policy and the permissions boundary, the user only has access to S3. If the user tries to access Amazon EC2, they receive an access denied error.

To resolve this error, edit the permissions boundary and allow access to Amazon EC2:

“Effect”: “Allow”,
            “Action”: [
                “cloudwatch:*”,
                “s3:*”,
                “ec2:*”
            ],

Include all required actions in the permissions boundary using the IAM console

Follow these steps to edit the permissions boundary to include all actions that a user requires:

  1. Open the IAM console.
  2. In the navigation pane, choose Roles/Users.
  3. Choose the IAM entity you want to edit.
  4. In the Permissions boundary section, check your settings. If a permissions boundary is set, this means that there is a permissions boundary in place. The name of the managed policy that is used as a permissions boundary on your IAM entity is listed in this section.
  5. Expand the JSON policy, and check if the action you require is whitelisted in the permissions boundary. If your action is not whitelisted, edit the JSON policy to allow all actions that your IAM entity requires.

For more information on editing policies, Editing IAM policies.

Use the iam:PermissionsBoundary condition key in your IAM policies

Add the iam:PermissionsBoundary condition key to your IAM policies. This condition key checks that a specific policy is attached as a permissions boundary on an IAM entity.

The following example shows an IAM policy named RestrictedRegionpermissionsBoundary:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2RestrictRegion",
            "Effect": “Allow”,
            "Action": "ec2:*” 
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "us-east-1"
                   ]
                }
            }
        }

Create a policy and attach it to a delegated admin who has the responsibility to create users. When we attach the following example policy to the admin, they can only create an IAM user when they attach the RestrictedRegionPermissionsBoundary policy to that user. If the admin tries to create an IAM user without attaching the policy, they receive an access denied error.

{
            "Sid": "CreateUser",
            "Effect": "Allow",
            "Action": [
                "iam:CreateUser"
            ],
            "Resource": "arn:aws:iam::111222333444:user/test1*",
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/RestrictedRegionPermissionsBoundary"
                }
            }

To set the IAM policy RestrictedRegionPermissionsBoundary as a permissions boundary when creating a new user, follow these steps:

  1. Open the IAM console.
  2. In the navigation pane, choose Users, and then choose Add Users.
  3. Enter the user name that you want to edit, choose AWS access type, and then choose next.
  4. Expand the Set permissions boundary section, and choose Use a permissions boundary to control the maximum role permissions.
  5. In the search field, enter RestrictedRegionPermissionsBoundary, and then choose the radio button for your policy.
  6. Choose Next:Tags.
  7. Review your settings and create a user.

Did this article help?


Do you need billing or technical support?