
How do I troubleshoot "AccessDenied" errors with IAM tag-based access control?


When I perform AWS API actions with AWS Identity and Access Management (IAM) policies that use tag-based access control, I receive an "AccessDenied" error.

Resolution

Take the following actions to troubleshoot the "AccessDenied" error for your IAM policies.

Verify tag matching requirements

IAM condition keys such as aws:ResourceTag/tag-key, aws:RequestTag/tag-key, and aws:TagKeys are case-sensitive. The aws:RequestTag and aws:ResourceTag condition keys compare the tag value; the aws:TagKeys condition key compares the tag key. The string condition operator decides how the value is compared: StringEquals is case-sensitive, so a condition value of "Production" does not match a resource tagged "production", while StringEqualsIgnoreCase matches either.

Make sure that the keys and values in your IAM policy conditions match the exact case of your resource tags, or use StringEqualsIgnoreCase where you intend to accept either case.

Important: Use aws:ResourceTag for actions on existing resources, and aws:RequestTag (together with aws:TagKeys if you restrict which tag keys can be set) for actions that create or tag a resource. The wrong condition key also causes an "AccessDenied" error: a condition key that is absent from the request context, for example aws:RequestTag on a call that passes no tags, evaluates to false, so the statement never applies and the request is implicitly denied. Use the ...IfExists form of the operator, such as StringEqualsIfExists, only if you intend the statement to match when the tag is not present.

For more information about tag-based access control requirements, see Controlling access to AWS resources using tags.

Confirm AWS service support for tag-based conditions

Not every AWS service supports tag-based condition keys, and within a service that does, not every API action or resource type supports them. A policy that conditions an unsupported action on aws:ResourceTag or aws:RequestTag never matches, so the request is denied even when the tags are correct. To verify support for a service, complete the following steps:

  1. Go to AWS services that work with IAM.
  2. Review the table for your service, and then check that Yes appears in the ABAC column.
  3. Choose the service name to open the service authorization reference.
  4. In the Actions table, find your API action and check the Condition keys column.
  5. In the Resource types table, verify which condition keys your resource type supports.

For more information about tag-based access control, see Controlling access to AWS resources using tags.

Check for explicit Deny statements

An explicit Deny statement in any policy that applies to the request overrides every Allow statement, whichever policy type contains the Allow. Review the following policy types for explicit Deny statements that might block access:

  • Identity-based policies
  • Service Control Policies (SCPs)
  • Permissions boundaries
  • Resource-based policies

For more information about policy evaluation logic, see Policy evaluation logic.
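
To make the tag-matching points from the first section and the Deny-overrides-Allow rule from this section concrete, here is an added example: a deliberately small Python model of IAM condition evaluation. It is not AWS code and not the real evaluation engine; the policy, statement IDs, and tag values are constructed for the demo, and it ignores the Resource element, resource-based policies, SCPs, and permissions boundaries. It shows a request denied because the tag value differs only in case, the same context passing under StringEqualsIgnoreCase, an Allow that never applies because aws:RequestTag is used on an action that carries no request tags, a create request failing ForAllValues:StringEquals on aws:TagKeys because of an extra tag key, and a Deny winning on a Production-tagged instance.

```python
"""Simplified model of how IAM evaluates tag conditions (added example, not AWS code).

Models only what the troubleshooting steps describe: tag-value case sensitivity
under StringEquals, a condition key absent from the request context, and an
explicit Deny overriding an Allow. Resource element, other policy types and
most operators are deliberately left out.
"""
from fnmatch import fnmatchcase


def build_request_context(resource_tags=None, request_tags=None):
    # aws:ResourceTag/<key> exists only when the resource already carries that tag;
    # aws:RequestTag/<key> and aws:TagKeys exist only when the request passes tags.
    ctx = {f"aws:ResourceTag/{k}": v for k, v in (resource_tags or {}).items()}
    ctx.update({f"aws:RequestTag/{k}": v for k, v in (request_tags or {}).items()})
    if request_tags:
        ctx["aws:TagKeys"] = list(request_tags)  # multivalued key
    return ctx


def _match(op, expected, actual):
    if op == "StringEquals":
        return actual == expected  # case-sensitive
    if op == "StringEqualsIgnoreCase":
        return actual.lower() == expected.lower()
    raise ValueError(f"operator not modelled: {op}")


def condition_matches(condition, ctx):
    """All operator blocks and all keys within them must match (logical AND)."""
    for op, keys in condition.items():
        set_op, _, base_op = op.rpartition(":")  # "ForAllValues:StringEquals"
        for key, expected in keys.items():
            expected = expected if isinstance(expected, list) else [expected]
            if key not in ctx:
                # Key missing from the request context: the condition is false and
                # the statement simply does not apply. Nothing flags the mistake.
                return False
            values = ctx[key] if isinstance(ctx[key], list) else [ctx[key]]
            hits = [any(_match(base_op, e, v) for e in expected) for v in values]
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True


def _applies(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return (any(fnmatchcase(action, a) for a in actions)
            and condition_matches(stmt.get("Condition", {}), ctx))


def evaluate(policy, action, ctx):
    """Return (decision, sid). An explicit Deny wins over any Allow."""
    decision, sid = "implicitDeny", None
    for stmt in policy["Statement"]:
        if not _applies(stmt, action, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny", stmt.get("Sid")
        decision, sid = "allowed", stmt.get("Sid")
    return decision, sid


# Constructed policy for the demo (not from the article).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageProd", "Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Production"}}},
        {"Sid": "CreateTaggedProd", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"},
                       "ForAllValues:StringEquals": {"aws:TagKeys": ["Environment", "Owner"]}}},
        # Mistake on purpose: RebootInstances acts on an existing instance and passes
        # no tags, so aws:RequestTag is never in the context and this Allow never applies.
        {"Sid": "RebootWrongKey", "Effect": "Allow",
         "Action": "ec2:RebootInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:RequestTag/Environment": "Production"}}},
        {"Sid": "ProtectProd", "Effect": "Deny",
         "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Production"}}},
    ],
}


def demo():
    prod = build_request_context(resource_tags={"Environment": "Production"})
    prod_lower = build_request_context(resource_tags={"Environment": "production"})
    return {
        "start_prod": evaluate(POLICY, "ec2:StartInstances", prod),
        "start_value_case_mismatch": evaluate(POLICY, "ec2:StartInstances", prod_lower),
        "ignorecase_matches_lower": condition_matches(
            {"StringEqualsIgnoreCase": {"aws:ResourceTag/Environment": "Production"}}, prod_lower),
        "reboot_wrong_key": evaluate(POLICY, "ec2:RebootInstances", prod),
        "run_tagged": evaluate(POLICY, "ec2:RunInstances", build_request_context(
            request_tags={"Environment": "Production", "Owner": "alice"})),
        "run_extra_tag_key": evaluate(POLICY, "ec2:RunInstances", build_request_context(
            request_tags={"Environment": "Production", "CostCenter": "42"})),
        "terminate_prod": evaluate(POLICY, "ec2:TerminateInstances", prod),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28} {result}")
```

Note that the model reports only "implicitDeny" for the case-mismatch and wrong-key cases: nothing in the evaluation tells you that a condition key was misspelled or missing, which is why the CloudTrail and policy-simulator checks in the following sections are needed to see which statement did or did not apply.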

Review CloudTrail logs for detailed error information

AWS CloudTrail records the failed call: the principal that made it, the action and resource, and, for many services, an error message that states why the request was denied. To review CloudTrail logs, complete the following steps:

  1. Open the CloudTrail console.
  2. In the navigation pane, choose Event history.
  3. For Lookup attributes, choose Event name.
  4. For the search field, enter the API action that failed.
  5. Review the events and check the following:
    For Error code, look for AccessDenied or the service's equivalent, such as AccessDeniedException. Amazon EC2 logs Client.UnauthorizedOperation with an encoded message that you decode with the sts:DecodeAuthorizationMessage API.
    For Error message, review the stated reason, for example which policy type did not allow the action or contained an explicit deny.
    For User identity, identify which principal attempted the action.
    For Resources, note the resource Amazon Resource Name (ARN), then compare the tags actually attached to that resource with the values in your policy condition.
    For Request parameters, review the tags that the request passed; these are what aws:RequestTag and aws:TagKeys evaluate against.

For more information about CloudTrail events, see Logging IAM and AWS STS API calls with AWS CloudTrail.
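
An added example, not part of the article and not AWS tooling: a Python triage script that applies the checks in step 5 to exported CloudTrail records. The records embedded in it are constructed for the demo with placeholder account, role, and resource identifiers; the field names (errorCode, errorMessage, userIdentity.arn, resources, requestParameters, and the EC2 tagSpecificationSet shape) are the ones CloudTrail uses. It filters to denied calls, pulls out the principal, the action, any resource ARNs and any tags passed in the request, and extracts the "because ..." reason where the service supplies one.

```python
"""Triage CloudTrail records for tag-related access denials (added example, not AWS code).

Input is the CloudTrail JSON document ("Records" array) that Event history exports
and that trails deliver to S3. The records below are constructed for this example;
the account, role and resource identifiers are placeholders.
"""
import json
import re

# Services spell the denial differently; Amazon EC2 in particular logs
# Client.UnauthorizedOperation with an encoded message rather than "AccessDenied".
DENIED_CODES = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}
_REASON = re.compile(r"\bbecause (.+?)\.?$")

SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:16:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevOps/alice"},
     # Lower-case "environment" where a policy would expect "Environment".
     "requestParameters": {"tagSpecificationSet": {"items": [
         {"resourceType": "instance",
          "tags": [{"key": "environment", "value": "Production"}]}]}},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation. "
                     "Encoded authorization failure message: EXAMPLE-ENCODED-MESSAGE"},
    {"eventTime": "2024-05-01T10:17:40Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"secretId": "prod/db"},
     "resources": [{"ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf",
                    "type": "AWS::SecretsManager::Secret"}],
     "errorCode": "AccessDeniedException",
     "errorMessage": "User: arn:aws:iam::123456789012:user/bob is not authorized to perform: "
                     "secretsmanager:GetSecretValue on resource: "
                     "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf "
                     "because no identity-based policy allows the secretsmanager:GetSecretValue action"},
    {"eventTime": "2024-05-01T10:18:00Z", "eventSource": "ec2.amazonaws.com",  # succeeded
     "eventName": "StopInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
]})


def extract_tags(obj):
    """Collect (key, value) pairs from nested {"key": .., "value": ..} objects, the
    shape EC2 uses under tagSpecificationSet; other services use Key/Value."""
    found = []
    if isinstance(obj, dict):
        lower = {k.lower(): v for k, v in obj.items()}
        if set(lower) >= {"key", "value"} and isinstance(lower["key"], str):
            found.append((lower["key"], lower["value"]))
        for v in obj.values():
            found.extend(extract_tags(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(extract_tags(v))
    return found


def summarize(rec):
    msg = rec.get("errorMessage", "")
    m = _REASON.search(msg)
    return {
        "time": rec["eventTime"],
        "principal": rec["userIdentity"]["arn"],
        # The eventSource prefix is the IAM service prefix for most, not all, services.
        "action": f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}',
        "resources": [r["ARN"] for r in rec.get("resources", [])],
        "request_tags": extract_tags(rec.get("requestParameters", {})),
        "reason": m.group(1) if m else None,
        # EC2 denials: aws sts decode-authorization-message --encoded-message <...>
        "encoded": "Encoded authorization failure message" in msg,
    }


def triage(log_text):
    """Return summaries of the denied calls in a CloudTrail JSON document."""
    records = json.loads(log_text)["Records"]
    return [summarize(r) for r in records if r.get("errorCode") in DENIED_CODES]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The request_tags column is where a tag-key case mismatch shows up: the constructed RunInstances call passed "environment", so an aws:RequestTag/Environment or aws:TagKeys condition spelled with a capital E would not have matched. For EC2, the human-readable reason is inside the encoded message, so decode it before reading the tags.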

Use IAM policy simulator to test policies

The IAM policy simulator helps you test and troubleshoot tag-based policies before you deploy them to production. To use the IAM policy simulator, complete the following steps:

  1. Open the IAM policy simulator.
  2. Select the IAM user, group, or role that you want to test.
  3. Choose Select service, and then choose the AWS service.
  4. Choose Select actions, and then choose the actions to test.
  5. Expand Simulation Settings for the selected action.
  6. For Resource ARN, enter the ARN of the resource you want to simulate.
  7. Under Context Keys, add the relevant tag condition keys. For example, enter aws:ResourceTag/Environment. Then, set the value. For example, you can set the value to Production.
  8. Choose Run Simulation.
  9. Review the results to identify the policy statement that allows or denies access.

For more information about testing IAM policies, see IAM policy testing with the IAM policy simulator.
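
The console steps above correspond to the IAM SimulatePrincipalPolicy API. The following added example, not code from the article or from AWS, builds the request for boto3's simulate_principal_policy (the same parameters the aws iam simulate-principal-policy CLI takes) and summarizes a response. The principal ARN, resource ARN, statement IDs and the response itself are constructed placeholders so that the script runs offline; the parameter and field names are those of the real API.

```python
"""Drive the IAM policy simulator from code and read its answer (added example, not AWS code).

The live call needs credentials and network access, so this module only builds the
request arguments and summarizes a response. SAMPLE_RESPONSE is constructed in the
shape SimulatePrincipalPolicy returns; all identifiers are placeholders.
"""


def build_simulation_request(principal_arn, actions, resource_arn, context):
    """Keyword arguments for boto3 iam.simulate_principal_policy().

    context maps a condition key to a value, or to a list for multivalued keys
    such as aws:TagKeys, e.g. {"aws:ResourceTag/Environment": "Production"}.
    """
    entries = []
    for key, value in context.items():
        multi = isinstance(value, list)
        entries.append({"ContextKeyName": key,
                        "ContextKeyValues": value if multi else [value],
                        "ContextKeyType": "stringList" if multi else "string"})
    return {"PolicySourceArn": principal_arn, "ActionNames": list(actions),
            "ResourceArns": [resource_arn], "ContextEntries": entries}


def summarize_results(response):
    """One row per action: decision, statements that matched, and the context keys
    the simulator needed but was not given."""
    rows = []
    for r in response["EvaluationResults"]:
        rows.append({
            "action": r["EvalActionName"],
            "decision": r["EvalDecision"],  # allowed | explicitDeny | implicitDeny
            "matched": [f'{m["SourcePolicyType"]}:{m["SourcePolicyId"]}'
                        for m in r.get("MatchedStatements", [])],
            "missing_context": r.get("MissingContextValues", []),
        })
    return rows


def needs_more_context(rows):
    """Actions whose implicit deny may only mean a condition key was not supplied."""
    return [r["action"] for r in rows
            if r["decision"] == "implicitDeny" and r["missing_context"]]


INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # placeholder

# Constructed response; statement IDs and ARNs are placeholders.
SAMPLE_RESPONSE = {"EvaluationResults": [
    {"EvalActionName": "ec2:StartInstances", "EvalResourceName": INSTANCE_ARN,
     "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "ManageProd", "SourcePolicyType": "user-managed"}],
     "MissingContextValues": []},
    {"EvalActionName": "ec2:TerminateInstances", "EvalResourceName": INSTANCE_ARN,
     "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "ProtectProd", "SourcePolicyType": "user-managed"}],
     "MissingContextValues": []},
    {"EvalActionName": "ec2:RunInstances", "EvalResourceName": INSTANCE_ARN,
     "EvalDecision": "implicitDeny", "MatchedStatements": [],
     # The policy conditions on aws:RequestTag/Environment, but the simulation
     # only supplied aws:ResourceTag/Environment and aws:TagKeys.
     "MissingContextValues": ["aws:RequestTag/Environment"]},
]}


def demo():
    request = build_simulation_request(
        "arn:aws:iam::123456789012:role/DevOps",  # placeholder principal
        ["ec2:StartInstances", "ec2:TerminateInstances", "ec2:RunInstances"],
        INSTANCE_ARN,
        {"aws:ResourceTag/Environment": "Production", "aws:TagKeys": ["Environment"]})
    # Live call, not run here: boto3.client("iam").simulate_principal_policy(**request)
    rows = summarize_results(SAMPLE_RESPONSE)
    return request, rows, needs_more_context(rows)


if __name__ == "__main__":
    request, rows, incomplete = demo()
    for row in rows:
        print(row)
    print("supply more context keys for:", incomplete)
```

Watch MissingContextValues: when the simulator reports implicitDeny together with a condition key in that list, the policy may be fine and you simply did not supply that key in step 7 (here aws:RequestTag/Environment for a create action). Add the key with the value the real request would carry and run the simulation again before concluding that the policy is wrong.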

AWS OFFICIAL. Updated 2 months ago