Troubleshoot IAM Policy Issues
Review any service-specific controls that might affect the permissions. For example, VPC endpoint policies and Organizations service control policies (SCPs) can also affect the permission evaluation. For more information, see Controlling Access to Services with VPC Endpoints and About Service Control Policies.
3. Troubleshooting examples
Using this evaluation method, you can identify the cause of the permission error messages that different AWS services return. For more details, see the following common error messages and troubleshooting steps:
Example error message A:
This error message indicates that you don't have permission to call the DeleteKeyPair API.
- Identify the API caller.
- Confirm that the ec2:DeleteKeyPair API action isn't included in any deny statements.
- Confirm that the ec2:DeleteKeyPair API action is included in the allow statements.
- Confirm that there's no resource specified for this API action. Note: This API action doesn't support resource-level permissions.
- Confirm that all IAM conditions specified in the allow statement are supported by the delete-key-pair action and that the conditions are matched.
Example error message B:
This error message includes the API name, API caller, and target resource. Be sure that the IAM identity that called the API has the correct access to the resources. Review the IAM policies using the previous evaluation method and evaluate the following:
The trust policy of the IAM role EC2-FullAccess:
- Confirm that arn:aws:iam::123456789012:user/test or arn:aws:iam::123456789012:root isn't included in any deny statement of the trust policy.
- Confirm that arn:aws:iam::123456789012:user/test or arn:aws:iam::123456789012:root is included in the allow statement of the trust policy.
- Confirm that all IAM conditions specified in that allow statement are supported by the sts:AssumeRole API action and are matched.
The IAM policies attached to the API caller (arn:aws:iam::123456789012:user/test):
- Confirm that arn:aws:iam::123456789012:role/EC2-FullAccess isn't included in any deny statement with the sts:AssumeRole API action.
- If arn:aws:iam::123456789012:root is in the allow statement of the trust policy, confirm that arn:aws:iam::123456789012:role/EC2-FullAccess is included in the allow statement of the IAM policies with the sts:AssumeRole API action.
- Confirm that all IAM conditions specified in that allow statement are supported by the sts:AssumeRole API action and are matched.
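The checklist for error message B can be walked mechanically. The following Python sketch is an added example, not code from the original article or from AWS: it assumes a same-account call, approximates IAM wildcards with fnmatch, and does not evaluate conditions, SCPs or permissions boundaries. The function names and sample policies are constructed for illustration.

```python
from fnmatch import fnmatchcase

ROOT = "arn:aws:iam::123456789012:root"        # account principal from the page
USER = "arn:aws:iam::123456789012:user/test"   # API caller from the page
ROLE = "arn:aws:iam::123456789012:role/EC2-FullAccess"

def _listify(v):
    return v if isinstance(v, list) else [v]

def _hit(statements, effect, key, values, action="sts:AssumeRole"):
    """True if a statement with `effect` covers the action and one of `values`."""
    for s in statements:
        if s["Effect"] != effect:
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _listify(s["Action"])):
            continue
        targets = s[key]["AWS"] if key == "Principal" else s[key]
        if any(fnmatchcase(v, t) for v in values for t in _listify(targets)):
            return True
    return False

def check_assume_role(caller, role, trust_policy, identity_policy):
    """Simplified same-account walk of the checklist; conditions are NOT evaluated."""
    trust, ident = trust_policy["Statement"], identity_policy["Statement"]
    if _hit(trust, "Deny", "Principal", [caller, ROOT]):
        return "explicit deny: trust policy"
    if _hit(ident, "Deny", "Resource", [role]):
        return "explicit deny: caller's IAM policy"
    if _hit(trust, "Allow", "Principal", [caller]):
        return "allow: trust policy names the caller"
    if _hit(trust, "Allow", "Principal", [ROOT]):
        if _hit(ident, "Allow", "Resource", [role]):
            return "allow: trust policy names root, caller's policy allows the role"
        return "implicit deny: caller's IAM policy lacks sts:AssumeRole on the role"
    return "implicit deny: trust policy does not allow the caller"

# Constructed sample policies (not from the page).
TRUST_ROOT = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "sts:AssumeRole"}]}
IDENT_NONE = {"Statement": []}
IDENT_ALLOW = {"Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": ROLE}]}
IDENT_DENY = {"Statement": IDENT_ALLOW["Statement"] + [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}

if __name__ == "__main__":
    for name, ident in [("none", IDENT_NONE), ("allow", IDENT_ALLOW), ("deny", IDENT_DENY)]:
        print(name, "->", check_assume_role(USER, ROLE, TRUST_ROOT, ident))
```

When the trust policy names only the account root, the result depends on the caller's own IAM policy, which is the case the second checklist covers.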
Example error message C:
Example error message D:
This error message returns an encoded message that can provide details about the authorization failure. To decode the error message and get the details of the permission failure, see DecodeAuthorizationMessage. After decoding the error message, identify the API caller and review the resource-level permissions and conditions.
Review the IAM policy permissions:
- If the error message indicates that the API is explicitly denied, remove the ec2:AssociateIamInstanceProfile and/or iam:PassRole API actions from the matched statement.
- Confirm that ec2:AssociateIamInstanceProfile and iam:PassRole are in the allow statement with supported and correct resource targets. For example, confirm that the resource targets of the ec2:AssociateIamInstanceProfile API action are EC2 instances and the resource targets of the iam:PassRole API action are IAM roles.
- If the ec2:AssociateIamInstanceProfile and iam:PassRole API actions are in the same allow statement, confirm that all conditions specified in the allow statement are supported by both the ec2:AssociateIamInstanceProfile and iam:PassRole API actions and that the conditions match.
- If ec2:AssociateIamInstanceProfile and iam:PassRole API actions are in separate allow statements, confirm that all conditions specified in each allow statement are supported by a corresponding action and that the conditions match.
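The resource-target check for error message D is easy to get wrong when both actions share one statement. The following Python sketch is an added example, not code from the original article or from AWS: it audits a policy for the two actions against one sample ARN per resource type. The ARNs, policies and function names are constructed, wildcards are approximated with fnmatch, and conditions are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed sample ARNs: the resource type each action operates on.
TARGETS = {
    "ec2:AssociateIamInstanceProfile":
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc1234567890def",
    "iam:PassRole": "arn:aws:iam::123456789012:role/EC2-FullAccess",
}

def _match(patterns, value, fold=False):
    """Wildcard match; action names fold case, resource ARNs do not."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def audit(policy):
    """Per action: 'explicit deny', 'allowed', or the reason no Allow applies."""
    report = {}
    for action, arn in TARGETS.items():
        stmts = [s for s in policy["Statement"] if _match(s["Action"], action, fold=True)]
        if any(s["Effect"] == "Deny" and _match(s["Resource"], arn) for s in stmts):
            report[action] = "explicit deny"
        elif any(s["Effect"] == "Allow" and _match(s["Resource"], arn) for s in stmts):
            report[action] = "allowed"
        elif any(s["Effect"] == "Allow" for s in stmts):
            report[action] = "allow statement has wrong resource target"
        else:
            report[action] = "no allow statement lists this action"
    return report

# Constructed policy: both actions share one Allow scoped to a role ARN, so
# iam:PassRole is covered but the EC2 action (which targets instances) is not.
COMBINED = {"Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AssociateIamInstanceProfile", "iam:PassRole"],
    "Resource": "arn:aws:iam::123456789012:role/EC2-FullAccess"}]}

# Constructed fix: separate statements, each with its own resource type.
SPLIT = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:AssociateIamInstanceProfile",
     "Resource": "arn:aws:ec2:*:123456789012:instance/*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/EC2-FullAccess"}]}

if __name__ == "__main__":
    print("combined:", audit(COMBINED))
    print("split:   ", audit(SPLIT))
```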