AWS IAM documentation change
Summary
Enhanced documentation for troubleshooting access denied errors by adding details about policy ARNs in error messages and refining troubleshooting steps for various policy types
Security assessment
The changes improve documentation for diagnosing access denials by explaining how policy ARNs appear in error messages and providing more granular troubleshooting steps. While related to security controls (IAM policies), there's no evidence of addressing a specific vulnerability or incident. The updates help users better understand and resolve policy-related access issues.
Diff
diff --git a/IAM/latest/UserGuide/troubleshoot_access-denied.md b/IAM/latest/UserGuide/troubleshoot_access-denied.md index 5775927ac..11f1c4d92 100644 --- a//IAM/latest/UserGuide/troubleshoot_access-denied.md +++ b//IAM/latest/UserGuide/troubleshoot_access-denied.md @@ -33 +33 @@ When you make a request to a service or resource, multiple policies may apply to - * Check if the error message includes the type of policy responsible for denying access. For example, if the error mentions that access is denied due to a Service Control Policy (SCP), then you can focus on troubleshooting SCP issues. Once you identify the policy type, you can check for deny statements or missing allow actions in those policy types. If the error message doesn't mention the policy type responsible for denying access, use the rest of the guidelines in this section to troubleshoot further. + * Check if the error message includes the type and [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) of the policy responsible for denying access. If this is the case, then check for deny statements for the action in the specified policy. If the policy type is provided but there is no policy ARN, then focus on troubleshooting issues for that policy type: Check for deny statements for the action in policies of the specified type. If the error message doesn't mention the policy type responsible for denying access, use the rest of the guidelines in this section to troubleshoot further. @@ -99 +99 @@ JSON -Most access denied error messages appear in the format `User `user` is not authorized to perform `action` on `resource` because `context``. In this example, `user` is the [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-arns) that doesn't receive access, `action` is the service action that the policy denies, and `resource` is the ARN of the resource on which the policy acts. The `context` field represents additional context about the policy type that explains why the policy denied access. +Most access denied error messages appear in the format `User `user` is not authorized to perform `action` on `resource` because `context``. In this example, `user` is the ARN of the principal that is denied access, `action` is the service action that the policy denies, and `resource` is the ARN of the resource on which the policy acts. The `context` field provides additional context about the policy type that denied access. In some cases, it also contains the ARN of the policy which denied access. @@ -101 +101,3 @@ Most access denied error messages appear in the format `User `user` is not autho -When a policy explicitly denies access because the policy contains a `Deny` statement, then AWS includes the phrase `with an explicit deny in a `type` policy` in the access denied error message. When the policy implicitly denies access, then AWS includes the phrase `because no `type` policy allows the `action` action` in the access denied error message. +When a policy explicitly denies access because the policy contains a `Deny` statement, then AWS includes the phrase `with an explicit deny in a `type` policy` in the access denied error message. This phrase may also specify the ARN of the policy, as follows: `with an explicit deny in a `type` policy: `policy ARN``. + +When the policy implicitly denies access, then AWS includes the phrase `because no `type` policy allows the `action` action` in the access denied error message. @@ -119,2 +121,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::777788889999:user/John is not authorized to perform: - codecommit:ListRepositories because no service control policy allows the codecommit:ListRespositories action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codecommit:ListRepositories + because no service control policy allows the codecommit:ListRespositories action @@ -124 +126,8 @@ The following examples show the format for different types of access denied erro - 1. Check for a `Deny` statement for the action in your service control policies (SCPs). For the following example, the action is `codecommit:ListRepositories`. + 1. If a policy ARN is provided in the error message, check for a `Deny` statement for the action in the specified service control policy (SCP). In the example below, the action is `codecommit:ListRepositories`. + + 2. If no policy ARN is provided in the error message, check for a `Deny` statement for the action in your SCPs. + + 3. Update your SCP by removing the `Deny` statement. For more information, see [ Update a service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy) in the _AWS Organizations User Guide_. + + + @@ -126 +135 @@ The following examples show the format for different types of access denied erro - 2. Update your SCP by removing the `Deny` statement. For more information, see [Update a service control policy (SCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy) in the _AWS Organizations User Guide_. +Error message with a policy ARN: @@ -128,0 +138,2 @@ The following examples show the format for different types of access denied erro + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codecommit:ListRepositories + with an explicit deny in a service control policy: arn:aws:organizations::777788889999:policy/o-exampleorgid/service_control_policy/p-examplepolicyid123 @@ -129,0 +141 @@ The following examples show the format for different types of access denied erro +Error message without a policy ARN: @@ -132,2 +144,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::777788889999:user/John is not authorized to perform: - codecommit:ListRepositories with an explicit deny in a service control policy + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codecommit:ListRepositories + with an explicit deny in a service control policy @@ -137 +149 @@ The following examples show the format for different types of access denied erro - 1. Check for a `Deny` statement for the action in your resource control policies (RCPs). For the following example, the action is `secretsmanager:GetSecretValue`. + 1. If a policy ARN is provided in the error message, check for a `Deny` statement for the action in the specified resource control policy (RCP). In the example below, the action is `secretsmanager:GetSecretValue`. @@ -139 +151 @@ The following examples show the format for different types of access denied erro - 2. Update your RCP by removing the `Deny` statement. For more information, see [Update a resource control policy (RCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy-rcp) in the _AWS Organizations User Guide_. + 2. If no policy ARN is provided in the error message, check for a `Deny` statement for the action in your RCPs. @@ -140,0 +153 @@ The following examples show the format for different types of access denied erro + 3. Update your RCP by removing the `Deny` statement. For more information, see [ Update a resource control policy (RCP)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_policies_update.html#update_policy-rcp) in the _AWS Organizations User Guide_. @@ -145,2 +158,13 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:* with an explicit deny in a resource control policy +Error message with a policy ARN: + + + User: arn:aws:iam::123456789012:user/John is not authorized to perform: secretsmanager:GetSecretValue + on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:* + with an explicit deny in a resource control policy: arn:aws:organizations::777788889999:policy/o-exampleorgid/resource_control_policy/p-examplepolicyid456 + +Error message without a policy ARN: + + + User: arn:aws:iam::123456789012:user/John is not authorized to perform: secretsmanager:GetSecretValue + on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:* + with an explicit deny in a resource control policy @@ -158,2 +182,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - codecommit:ListRepositories because no VPC endpoint policy allows the codecommit:ListRepositories action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codecommit:ListRepositories + because no VPC endpoint policy allows the codecommit:ListRepositories action @@ -171,2 +195,3 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - codedeploy:ListDeployments on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in a VPC endpoint policy + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + with an explicit deny in a VPC endpoint policy @@ -184,2 +209,3 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - codedeploy:ListDeployments on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* because no permissions boundary allows the codedeploy:ListDeployments action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + because no permissions boundary allows the codedeploy:ListDeployments action @@ -189 +215,3 @@ The following examples show the format for different types of access denied erro - 1. Check for an explicit `Deny` statement for the action in your permissions boundary. For the following example, the action is `sagemaker:ListModels`. + 1. If a policy ARN is provided in the error message, check for a `Deny` statement for the action in the specified permissions boundary. In the example below, the action is `sagemaker:ListModels`. + + 2. If no policy ARN is provided in the error message, check for a `Deny` statement for the action in the permissions boundary attached to the principal. @@ -191 +219 @@ The following examples show the format for different types of access denied erro - 2. Update your permissions boundary by removing the `Deny` statement from your IAM policy. For more information, see [Permissions boundaries for IAM entities](./access_policies_boundaries.html) and [Edit IAM policies](./access_policies_manage-edit.html). + 3. Update your permissions boundary by removing the `Deny` statement from your IAM policy. For more information, see [Permissions boundaries for IAM entities](./access_policies_boundaries.html) and [Edit IAM policies](./access_policies_manage-edit.html). @@ -195,0 +224 @@ The following examples show the format for different types of access denied erro +Error message with a policy ARN: @@ -197,2 +226,9 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::777788889999:user/John is not authorized to perform: - sagemaker:ListModels with an explicit deny in a permissions boundary + + User: arn:aws:iam::123456789012:user/John is not authorized to perform: sagemaker:ListModels + with an explicit deny in a permissions boundary: arn:aws:iam::123456789012:policy/DeveloperPermissionBoundary + +Error message without a policy ARN: + + + User: arn:aws:iam::123456789012:user/John is not authorized to perform: sagemaker:ListModels + with an explicit deny in a permissions boundary @@ -210,2 +246,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - codecommit:ListRepositories because no session policy allows the codecommit:ListRepositories action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codecommit:ListRepositories + because no session policy allows the codecommit:ListRepositories action @@ -215 +251,5 @@ The following examples show the format for different types of access denied erro - 1. Check for an explicit `Deny` statement for the action in your session policies. For the following example, the action is `codedeploy:ListDeployments`. + 1. If a policy ARN is provided in the error message, check for a `Deny` statement for the action in the specified session policy. In the example below, the action is `codedeploy:ListDeployments`. + + 2. If no policy ARN is provided in the error message, check for a `Deny` statement for the action in your session policies. + + 3. Update your session policy by removing the `Deny` statement. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) and [Edit IAM policies](./access_policies_manage-edit.html). @@ -217 +256,0 @@ The following examples show the format for different types of access denied erro - 2. Update your session policy by removing the `Deny` statement. For more information, see [Session policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) and [Edit IAM policies](./access_policies_manage-edit.html). @@ -220,0 +260 @@ The following examples show the format for different types of access denied erro +Error message with a policy ARN: @@ -223,2 +263,10 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - codedeploy:ListDeployments on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in a sessions policy + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + with an explicit deny in a session policy: arn:aws:iam::123456789012:policy/DeveloperSessionPolicy + +Error message without a policy ARN: + + + User: arn:aws:iam::123456789012:user/John is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + with an explicit deny in a session policy @@ -236,2 +284,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - secretsmanager:GetSecretValue because no resource-based policy allows the secretsmanager:GetSecretValue action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: secretsmanager:GetSecretValue + because no resource-based policy allows the secretsmanager:GetSecretValue action @@ -249,2 +297,3 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:* with an explicit deny in a resource-based policy + User: arn:aws:iam::123456789012:user/John is not authorized to perform: secretsmanager:GetSecretValue + on resource: arn:aws:secretsmanager:us-east-1:123456789012:secret:* + with an explicit deny in a resource-based policy @@ -262,2 +311,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:user/John is not authorized to perform: - sts:AssumeRole because no role trust policy allows the sts:AssumeRole action + User: arn:aws:iam::123456789012:user/John is not authorized to perform: sts:AssumeRole + because no role trust policy allows the sts:AssumeRole action @@ -275,2 +324,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::777788889999:user/John is not authorized to perform: - sts:AssumeRole with an explicit deny in the role trust policy + User: arn:aws:iam::123456789012:user/John is not authorized to perform: sts:AssumeRole + with an explicit deny in the role trust policy @@ -288,2 +337,2 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:role/HR is not authorized to perform: - codecommit:ListRepositories because no identity-based policy allows the codecommit:ListRepositories action + User: arn:aws:iam::123456789012:role/HR is not authorized to perform: codecommit:ListRepositories + because no identity-based policy allows the codecommit:ListRepositories action @@ -293,5 +342 @@ The following examples show the format for different types of access denied erro - 1. Check for an explicit `Deny` statement for the action in identity-based policies attached to the identity. For the following example, the action is `codedeploy:ListDeployments` attached to the role `HR`. - - 2. Update your policy by removing the `Deny` statement. For more information, see [Identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_id-based) and [Edit IAM policies](./access_policies_manage-edit.html). - - + 1. If a policy ARN is provided in the error message, check for a `Deny` statement for the action in the specified policy. In the example below, the action is `codedeploy:ListDeployments`. @@ -298,0 +344 @@ The following examples show the format for different types of access denied erro + 2. If no policy ARN is provided in the error message, check for a `Deny` statement for the action in identity-based policies attached to the identity. @@ -299,0 +346 @@ The following examples show the format for different types of access denied erro + 3. Update your policy by removing the `Deny` statement. For more information, see [Identity-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_id-based) and [Edit IAM policies](./access_policies_manage-edit.html). @@ -301,2 +347,0 @@ The following examples show the format for different types of access denied erro - User: arn:aws:iam::123456789012:role/HR is not authorized to perform: - codedeploy:ListDeployments on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* with an explicit deny in an identity-based policy @@ -304 +348,0 @@ The following examples show the format for different types of access denied erro -### Access is denied when a VPC request fails due to another policy @@ -306 +349,0 @@ The following examples show the format for different types of access denied erro - 1. Check for an explicit `Deny` statement for the action in your Service Control Policies (SCPs). For the following example, the action is `SNS:Publish`. @@ -308 +351 @@ The following examples show the format for different types of access denied erro - 2. Update your SCP by removing the `Deny` statement. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html#update_policy) in the _AWS IAM Identity Center User Guide_. +Error message with a policy ARN: @@ -310,0 +354,3 @@ The following examples show the format for different types of access denied erro + User: arn:aws:iam::123456789012:role/HR is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + with an explicit deny in an identity-based policy: arn:aws:iam::123456789012:policy/HRAccessPolicy @@ -311,0 +358 @@ The following examples show the format for different types of access denied erro +Error message without a policy ARN: @@ -314,3 +361,3 @@ The following examples show the format for different types of access denied erro - User: arn:aws:sts::111122223333:assumed-role/role-name/role-session-name is not authorized to perform: - SNS:Publish on resource: arn:aws:sns:us-east-1:444455556666:role-name-2 - with an explicit deny in a VPC endpoint policy transitively through a service control policy + User: arn:aws:iam::123456789012:role/HR is not authorized to perform: codedeploy:ListDeployments + on resource: arn:aws:codedeploy:us-east-1:123456789012:deploymentgroup:* + with an explicit deny in an identity-based policy