1 Answer
3
Most likely, you are getting access denied either because of service control policy or permission boundary.
Please check the SCPs or permissions boundaries associated with your IAM role. Also, see if you are using a CloudFormation role that you are attaching to the stack; if that is the case, then the CloudFormation role should have CreateBucket access.
In your case, the bucket is not even getting created, so the DeletionPolicy: Retain property is not coming into effect. That would be used when your stack creates an S3 bucket and you delete the CloudFormation stack, but your bucket wouldn't be deleted, as CloudFormation would know that this resource needs to be retained. See DeletionPolicy for more details.
There is no SCP as it throws an error with a keyword explicit deny which is not showing in CloudTrail or the CloudFormation Stack Events. AFAIK there is no permission boundary attached to the IAM role either whose sole purpose is to set the maximum permissions that an identity-based policy can grant to an IAM entity.
Please suggest @Abhishek_At_AWS
Absolutely, I can help. An explicit deny error comes because of restrictions in one or more of the following types of policies:
Since this is for CreateBucket, there would be a restriction either through an Identity-Based Policy, SCP, Permissions Boundary, or Session Policy. Can you paste the CloudTrail API call details for the access denied error after redacting your account/resource information?
Also, check if there is any SCP attached to this account by going to Organizations -> Policies -> SCP -> see the policy content and its attached target. Check your IAM role or CloudFormation role (if attached to the stack) permissions section; there you can see if there is any permissions boundary attached to either of those two roles. Explicit deny most commonly appears because of a deny either at the SCP or permissions boundary, which doesn't come into notice immediately.
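As an added illustration (not code from this thread or from AWS): a small Python helper that takes a CloudTrail record for the denied s3:CreateBucket call, redacts the account ID as the reply asks, and reports which policy type the AccessDenied message names. The sample record and the exact wording of the denial message are constructed/assumed.

```python
import json
import re

# Constructed sample CloudTrail record (not from the original thread): an
# s3:CreateBucket call made through a CloudFormation stack role that was denied.
SAMPLE_EVENT = json.dumps({
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "errorCode": "AccessDenied",
    "errorMessage": (
        "User: arn:aws:sts::111122223333:assumed-role/CfnStackRole/AWSCloudFormation "
        "is not authorized to perform: s3:CreateBucket on resource: "
        "\"arn:aws:s3:::example-bucket\" with an explicit deny in a service control policy"
    ),
    "userIdentity": {
        "type": "AssumedRole",
        "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/CfnStackRole"}},
    },
})

# Phrases assumed to appear in AWS's enhanced AccessDenied messages, mapped to
# the policy type the comment above tells you to inspect.
POLICY_PATTERNS = [
    ("SCP", r"service control policy"),
    ("PermissionsBoundary", r"permissions boundary"),
    ("IdentityPolicy", r"identity-based policy"),
    ("SessionPolicy", r"session policy"),
    ("ResourcePolicy", r"resource-based policy"),
]


def classify_access_denied(record_json: str) -> dict:
    """Summarise a CloudTrail AccessDenied record for troubleshooting."""
    rec = json.loads(record_json)
    msg = rec.get("errorMessage", "")
    service = rec.get("eventSource", "").split(".")[0]
    session = rec.get("userIdentity", {}).get("sessionContext", {})
    named = [name for name, pat in POLICY_PATTERNS if re.search(pat, msg, re.IGNORECASE)]
    explicit = "explicit deny" in msg.lower()
    # When the message says "explicit deny" but names no policy type, the usual
    # suspects per the thread are SCPs and permissions boundaries.
    to_check = named or (["SCP", "PermissionsBoundary"] if explicit else ["IdentityPolicy"])
    return {
        "action": f"{service}:{rec.get('eventName')}",
        "error_code": rec.get("errorCode"),
        "role_arn": session.get("sessionIssuer", {}).get("arn"),
        "explicit_deny": explicit,
        "denying_policy_types": named,
        "check_next": to_check,
        # Redact 12-digit account IDs before sharing the message publicly.
        "redacted_message": re.sub(r"\b\d{12}\b", "<account-id>", msg),
    }
```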