AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-03-13 · Documentation low

File: IAM/latest/UserGuide/troubleshoot_access-denied.md

Summary

Added documentation for Access Troubleshooter feature including required permissions, usage instructions, and policy examples

Security assessment

The change documents a new security diagnostics tool (Access Troubleshooter) and explicitly states that it requires iam:TroubleshootAccess permission which exposes authorization context details. While this helps diagnose access issues, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/IAM/latest/UserGuide/troubleshoot_access-denied.md b/IAM/latest/UserGuide/troubleshoot_access-denied.md
index 11f1c4d92..d1a569f36 100644
--- a//IAM/latest/UserGuide/troubleshoot_access-denied.md
+++ b//IAM/latest/UserGuide/troubleshoot_access-denied.md
@@ -5 +5 @@
-I get "access denied" when I make a request to an AWS serviceI get "access denied" when I make a request with temporary security credentialsAccess denied examples
+I get "access denied" when I make a request to an AWS serviceI get "access denied" when I make a request with temporary security credentialsAccess TroubleshooterAccess denied examples
@@ -96,0 +97,65 @@ JSON
+## Access Troubleshooter
+
+###### Note
+
+Access Troubleshooter is gradually becoming available for all AWS services in all regions for single account and single organization scenarios. The richness of data will evolve.
+
+You can use Access Troubleshooter to debug and resolve access denied errors.
+
+Access Troubleshooter provides the following capabilities:
+
+  * View the request and evaluation details: the principal, action, resource, context, and evaluation result.
+
+  * View individual authorization evaluation: authorization evaluations for individual action and resource pairs.
+
+  * Review all policies and their individual statements: all evaluated policies and their individual statements, with evaluation results for each.
+
+
+
+
+### Permissions for Access Troubleshooter
+
+To use Access Troubleshooter, you must have `iam:TroubleshootAccess` permission attached to your principal. Allowing this action means you are allowing the principal to view all authorization context details, including the context keys and statements of all policies that were evaluated.
+
+The following example policy grants the necessary permission:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Action": "iam:TroubleshootAccess",
+                "Resource": "*"
+            }
+        ]
+    }
+
+### Using Access Troubleshooter
+
+When you receive an access denied error, the error message includes a link and an AuthorizationID that you can use with Access Troubleshooter. The following example shows an access denied error message:
+    
+    
+    An error occurred (AccessDenied) when calling the RestoreTableFromBackup operation: User: arn:aws:sts:012345678901:assumedRole/DatabaseDev/RestoreBackupSession is not authorized to perform: dynamodb:RestoreTableFromBackup with an explicit deny in an identity policy. Go to https://console.aws.amazon.com/iam/home#/access-troubleshooter for complete details, or call the iam:GetAuthorizationDetails API with the following authorization id: 67f1576b-af29-4c66-9b2b-10fd67516713
+
+If you have the appropriate permission, on the console you can choose **Troubleshoot in IAM** to open a new Access Troubleshooter tab.
+
+Alternatively, you can call the `iam:GetAuthorizationDetails` API using the AuthorizationID:
+    
+    
+    aws iam get-authorization-details --authorization-id 67f1576b-af29-4c66-9b2b-10fd67516713
+
+If you are an administrator and a developer provides the AuthorizationID, you can go to the IAM console and enter the AuthorizationID to retrieve the authorization context details.
+
+### View the request and evaluation details
+
+Access Troubleshooter provides your request details that were considered in the evaluation. You can review the operation or API call you attempted, the Authorization ID, the principal making the call, the resource you tried to access, and the evaluation result.
+
+### View individual authorization evaluation
+
+To successfully call an operation, you might need additional permissions to perform dependent actions. For example, to perform `RestoreTableFromBackup` on DynamoDB, you need permissions for `dynamodb:BatchWriteItem`, `dynamodb:DeleteItem`, `dynamodb:GetItem`, `dynamodb:PutItem`, `dynamodb:Query`, `dynamodb:Scan`, and `dynamodb:UpdateItem`. These actions are evaluated against the resources you want to access. For more information, see the [Service Authorization Reference](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html).
+
+### Review all policies and their individual statements
+
+In many cases, multiple policies affect your authorization, and each policy can contain multiple statements. Access Troubleshooter lists all policies that are evaluated when you perform your operation. You can review the individual statements within those policies and the evaluation result for each, giving you a complete view to resolve issues efficiently.
+