How do I troubleshoot access denied issues for a root user or an admin user?

Last updated: 2022-04-04

I received an access denied error on my root user or AWS Identity and Access Management (IAM) entity that has admin permissions added to it. How can I troubleshoot and resolve access denied issues?

Short description

There are a number of reasons that you might receive an access denied error on your root user or IAM entity that has admin permissions added to it. This includes:

  • A service control policy (SCP) is restricting your access to a service
  • A resource-based policy is restricting your access to a resource
  • A permissions boundary is in limiting the actions your entity can perform
  • A session policy is in place and is causing an authorization issue
  • A VPC endpoint policy is restricting access to your IAM entities

Use the troubleshooting steps below, depending on your use case and the error that you receive.

Resolution

Resolve authorization issues for root users

Although you can't restrict a root user's permissions using IAM policies, you can restrict a root user from an AWS Organizations member account using a service control policy (SCP). Check for restrictions coming from an SCP using the management account of your Organization.

This example shows a service control policy that denies Amazon Simple Storage Service (Amazon S3) access for a root user. It does this by using the aws:PrincipleArn condition key and a value that matches the root ARN in the format arn:aws:iam::<<accountIAD>:root.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:root"
          ]
        }
      }
    }
  ]
}

Resolve authorization issues for IAM entities with admin permissions assigned

While an IAM entity might have a policy in place that grants administrator level access, it might also be restricted by other types of policies. For more information, see Troubleshooting access denied error messages and Policy types. Use the following guidelines to understand the policies that might be restricting the access of your IAM entity:

  • An Organization SCP can restrict access to member account IAM entities. Check for restrictions coming from an SCP using the management account of the Organization.
  • Resource based policies can restrict an IAM entity's access to resources. An example of a resource based policy is an Amazon S3 bucket policy. To track a service's support resource-based policies, see AWS services that work with IAM.
  • A permission boundary defines the maximum permissions that an identity-based policy can grant to an entity. If you use a permissions boundary, then the entity can only perform actions that are allowed in both the identity-based policy and the permissions boundary. Check if the user or role has a permissions boundary assigned using the IAM console.
  • Session policies can be passed programmatically when you create a temporary session for your IAM role for a federated user. The permissions for a session are at the intersection of the identity-based policies assigned to the IAM entity that the session is created for and the session policy itself. Check if a session policy is passed for your IAM role session using the AWS CloudTrail logs for AssumeRole/AssumeRoleWithSAML/AssumeRoleWithWebIdentity API calls. To check for session policies passed for a federated user session, check CloudTrail logs for GetFederationToken API calls. For more information about each of these API calls, see Actions.
  • A VPC endpoint policy is a resource-based policy that you can attach to a VPC endpoint. It can restrict access to IAM entities. If you route your requests through a VPC endpoint, then check for any restrictions coming from the associated VPC endpoint policy. For more information, see Use VPC endpoint policies.

Resolve access denied error messages for Amazon S3 resources

For more information on troubleshooting access denied error messages for Amazon S3 resources, see How do I troubleshoot 403 Access Denied errors from Amazon S3?

Resolve authorization issues when accessing the AWS Billing and Cost Management Console

IAM entities with admin permissions sometimes experience authorization issues when trying to access the Billing and Cost Management console. Activate the IAM user/role's access to the Billing and Management console, as detailed in step one of the IAM tutorial: Delegate access to the billing console. The IAM entity is not able to access this data without completing this step, as well as adding the necessary IAM permissions.

To resolve any related authorization issues, check if your IAM entity was activated as the root user.