- When you receive an AccessDeniedException, AWS is indicating that the credentials used do not have the necessary permissions to perform the requested operation (DescribeBackupVault in this case).
  AWS often prefers to return AccessDeniedException instead of ResourceNotFoundException when there are permission issues. This is a security measure to prevent unauthorized users from probing the existence of resources in an AWS account. If an unauthorized user were to receive a ResourceNotFoundException, it would confirm the non-existence of the resource, which can be considered sensitive information.
- This behavior is by design to ensure that users without proper permissions do not get hints about the existence or non-existence of resources. This way, AWS protects against potential information disclosure through error messages.
- Tools like Terraform might interpret AccessDeniedException as ResourceNotFoundException, leading to unintended behavior, such as trying to create a resource that already exists but cannot be accessed due to insufficient permissions.
  To avoid this, it's essential to ensure that the IAM policies associated with the credentials used by such tools are appropriately configured to have the necessary permissions for the operations being performed.
- Review IAM Permissions:
  Ensure that the IAM policy associated with the credentials has the necessary permissions for the DescribeBackupVault action. For example:

  ```json
  { "Effect": "Allow", "Action": "backup:DescribeBackupVault", "Resource": "*" }
  ```

  Ensure the credentials have the necessary permissions to list and describe backup vaults.
- Handle Errors Appropriately:
  When integrating with external tools like Terraform, handle AccessDeniedException errors separately from ResourceNotFoundException to ensure that you can differentiate between genuine permission issues and non-existent resources.
- Custom Error Handling in Automation:
  In your scripts or automation workflows, explicitly check for permission issues (AccessDeniedException) and handle them appropriately, such as logging a permissions issue rather than assuming the resource doesn't exist.
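As an added illustration of the last two points (not code from either answer), the Python below shows a lookup that treats every error as "vault missing" beside one that separates the two error codes. `FakeClientError` and `fake_describe_backup_vault` are constructed stand-ins for the boto3 client; a real `botocore.exceptions.ClientError` exposes the code at the same `response["Error"]["Code"]` path, so `vault_exists` works unchanged with `client.describe_backup_vault`.

```python
"""Telling a permission failure apart from a missing vault when automation
calls the AWS Backup DescribeBackupVault API (constructed example)."""

# Error codes documented for DescribeBackupVault.
ACCESS_DENIED = "AccessDeniedException"
NOT_FOUND = "ResourceNotFoundException"


class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError: the parsed error lives in
    .response["Error"]["Code"], the same place botocore puts it."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def fake_describe_backup_vault(name):
    """Constructed client mimicking the behaviour reported in the question:
    the 'Default' vault is returned, any other name yields AccessDenied."""
    if name == "Default":
        return {"BackupVaultName": name}
    raise FakeClientError(ACCESS_DENIED, "constructed access-denied message")


def error_code(exc):
    """Pull the AWS error code out of a ClientError-like exception."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def vault_exists_naive(describe, name):
    """The failure mode described above: every error is read as 'not found',
    so a tool would go on to create a vault it merely cannot see."""
    try:
        describe(name)
        return True
    except Exception:
        return False


def vault_exists(describe, name):
    """Hardened check: only ResourceNotFoundException means 'missing';
    AccessDeniedException is surfaced as a permissions problem instead."""
    try:
        describe(name)
        return True
    except Exception as exc:
        code = error_code(exc)
        if code == NOT_FOUND:
            return False
        if code == ACCESS_DENIED:
            raise PermissionError(f"cannot describe vault {name!r}: {exc}") from exc
        raise
```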
Hi,
Given the fact that you have full access to AWS Backup resources, I would tend to agree with you re. the expectation of ResourceNotFoundException rather than AccessDeniedException.
So, I'd suggest you open a ticket via the console of your AWS account: service teams do not monitor re:Post as a community site to surface and handle such issues.
Best,
Didier
Thank you for the detailed response. I understand the good points you make about not intentionally leaking information about the presence of a resource when not authorised, and the general usage of the `AccessDeniedException` error, however the credentials being used have full administrative access (equivalent to an allow rule for `backup:*` actions). The same credentials can successfully describe the `Default` Backup vault, but if the request includes the name of a non-existent vault in the target account then the error response is `AccessDeniedException` when I would expect to receive a `ResourceNotFoundException` error. Using valid credentials, I can't seem to generate a `ResourceNotFoundException` under any conditions using the `DescribeBackupVault` API request, despite this being a documented error response in the Backup API documentation.