s3:CreateBucket Access Denied


Hi AWS, I am facing a strange issue. I am trying to create a simple S3 bucket and while creating it I am facing the error s3:CreateBucket Access Denied. The IAM role used to create the bucket has s3:* and AdministratorAccess, and I also explicitly added s3:CreateBucket API access, but I am still not able to create the bucket, either using an AWS CloudFormation stack or manually.

Also, one more strange issue: my S3Bucket resource has the property DeletionPolicy:Retain, so in an ideal scenario, talking about the CloudFormation form of deployment, even if the stack fails it should forcefully allow AWS to create the bucket, but it is not letting it create the bucket.

What could be the potential reasons for both of the issues?

Please acknowledge.

1 Answer
Accepted Answer

Most likely, you are getting access denied either because of service control policy or permission boundary.

Please check the SCP or permissions boundaries associated with your IAM role. Also, see if you are using a CloudFormation role which you are attaching to the stack; if that is the case, then the CloudFormation role should have CreateBucket access.

In your case, the bucket is not even getting created, so the DeletionPolicy:Retain property is not coming into effect. That would be used when your stack creates the S3 bucket and you delete the CloudFormation stack, but your bucket wouldn't be deleted, as CloudFormation would know that this resource needs to be retained. See DeletionPolicy for more details.

AWS EXPERT, answered 10 months ago
AWS EXPERT iBehr, reviewed 10 months ago
  • There is no SCP as it throws an error with a keyword explicit deny which is not showing in CloudTrail or the CloudFormation Stack Events. AFAIK there is no permission boundary attached to the IAM role either whose sole purpose is to set the maximum permissions that an identity-based policy can grant to an IAM entity.

    Please suggest @Abhishek_At_AWS

  • Absolutely, I can help. An explicit deny error comes because of restrictions in one or more of the following types of policies:

    1. Identity-based policies
    2. Resource-based policies
    3. Permissions boundary
    4. Service control policies
    5. Session policy

    Since this is for CreateBucket, there would be a restriction either through an Identity-Based Policy, SCP, Permission Boundary, or Session Policy. Can you paste the CloudTrail API call detail for the access denied error after redacting your account/resource information?

    Also, check if there is any SCP attached to this account by going to organization -> policies -> SCP -> see the policy content and its attached target. Check your IAM role or CloudFormation role (if attached to the stack) permissions section; there you can see if there is any permission boundary attached to either of those two roles. Explicit deny most commonly appears because of a deny at either the SCP or the permissions boundary, which doesn't come to notice immediately.
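The evaluation order the comment above describes (an explicit Deny in any applicable policy type wins; otherwise every applicable layer must Allow) is easy to get wrong when an admin identity policy is in play. The following is an added example, not code from the thread or from AWS: a simplified evaluator for a same-account IAM principal, with constructed identity, SCP and permissions-boundary policies, that shows why s3:* on the role is still denied when a boundary or SCP is present. Resource-based policies are left out because no bucket exists yet at CreateBucket time.

```python
import fnmatch

# Constructed sample policy documents (not from the original thread).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
SCP_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:CreateBucket", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(policy, action, effect):
    """True if any statement with the given Effect covers `action`.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != effect:
            continue
        for pattern in _as_list(statement.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def evaluate(action, identity, scps=(), boundary=None, session=None):
    """Simplified IAM decision for a same-account principal (assumption: no
    resource-based policy applies, e.g. CreateBucket before the bucket exists).
    Returns (decision, reason)."""
    layers = [("identity", identity)] + [("scp", p) for p in scps]
    if boundary is not None:
        layers.append(("boundary", boundary))
    if session is not None:
        layers.append(("session", session))
    # Step 1: an explicit Deny anywhere overrides every Allow.
    for name, policy in layers:
        if _matches(policy, action, "Deny"):
            return "DENY", f"explicit deny in {name} policy"
    # Step 2: each applicable layer must independently grant the action;
    # a boundary or SCP that is silent about the action is an implicit deny.
    for name, policy in layers:
        if not _matches(policy, action, "Allow"):
            return "DENY", f"implicit deny: no allow in {name} policy"
    return "ALLOW", "allowed by all applicable policies"


if __name__ == "__main__":
    print(evaluate("s3:CreateBucket", IDENTITY))
    print(evaluate("s3:CreateBucket", IDENTITY, scps=[SCP_DENY]))
    print(evaluate("s3:CreateBucket", IDENTITY, boundary=BOUNDARY))
```

The CloudTrail entry for the real denial is still the authoritative source; this evaluator only explains which layer to look at first.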
