Review any service-specific controls that might affect the permissions. For example, VPC endpoint policies and Organization Service Control policies (SCP) can also affect the permission evaluation. For more information, see Controlling Access to Services with VPC Endpoints and About Service Control Policies

3. Troubleshooting examples

Using this evaluation method, you can identify the cause of the error messages you can receive for permission issues for different AWS services. For more details, see the following common error messages and troubleshooting steps:

Example error message A:

This error message indicates that you don't have permission to call the DeleteKeyPair API.

1. Identify the API caller.
2. Confirm that the ec2:DeleteKeyPair API action isn't included in any deny statements.
3. Confirm that the ec2:DeleteKeyPair API action is included in the allow statements.
4. Confirm that there's no resource specified for this API action. Note: This API action doesn't support resource-level permissions.
5. Confirm that all IAM conditions specified in the allow statement are supported by the delete-key-pair action and that the conditions are matched.

Example error message B:

This error message includes the API name, API caller, and target resource. Be sure that the IAM identity that called the API has the correct access to the resources. Review the IAM policies using the previous evaluation method and evaluate the following:

The trust policy of IAM role: EC2-FullAccess:

1. Confirm arn:aws:iam::123456789012:user/test or arn:aws:iam::123456789012:root isn't included in any deny statement of the trust policy.
2. Confirm arn:aws:iam::123456789012:user/test or arn:aws:iam::123456789012:root is included in the allow statement of the trust policy.
3. Confirm all IAM conditions specified in that allow statement are supported by sts:AssumeRole API action and matched.

The IAM policies attached to the API caller (arn:aws:iam::123456789012:user/test)

1. Confirm arn:aws:iam::123456789012:role/EC2-FullAccess isn't included in any deny statement with sts:AssumeRole API action.
2. If arn:aws:iam::123456789012:root is in the allow statement of the trust policy, confirm arn:aws:iam::123456789012:role/EC2-FullAccess is included in the allow statement of the IAM policies with sts:AssumeRole API action.
3. Confirm all IAM conditions specified in that allow statement are supported by sts:AssumeRole API action and matched.

Example error message C:

Example error message D:

This error message returns an encoded message that can provide details about the authorization failure. To decode the error message and get the details of the permission failure, see DecodeAuthorizationMessage. After decoding the error message, identify the API caller and review the resource-level permissions and conditions

Review the IAM policy permissions:

1. If the error message indicates that the API is explicitly denied, remove ec2:AssociateIamInstanceProfile or(and) iam:PassRole API actions from the matched statement.
2. Confirm that ec2:AssociateIamInstanceProfile and iam:PassRole are in the allow statement with supported and correct resource targets. For example, confirm that the resource targets of ec2:AssociateIamInstanceProfile API action are EC2 instances and the resource targets of "iam:PassRole" are IAM roles.
3. If ec2:AssociateIamInstanceProfile and iam:PassRole API actions are in the same allow statement, confirm that all conditions specified in the allow statements are supported by ec2:AssociateIamInstanceProfile and iam:PassRole API action and that the conditions match.
4. If ec2:AssociateIamInstanceProfile and iam:PassRole API actions are in separate allow statements, confirm that all conditions specified in each allow statement are supported by a corresponding action and that the conditions match.