
Struggling with AccessDenied Error Despite Full Access for CloudFormation Stack

0

Hi AWS Community,

I'm reaching out for help with a frustrating issue I've been facing. Despite granting full access to CloudFormation stacks, I'm still encountering an AccessDenied error. This is really impacting my deployment process, and I'm struggling to figure out what might be going wrong.

Here's a brief overview of the situation:

  1. IAM Policy: I have a policy that grants full access to CloudFormation actions and resources. The policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SAMDeployCloudFormation",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*",
                "arn:aws:cloudformation:ap-south-1:aws:transform/Serverless-2016-10-31"
            ]
        },
        {
            "Sid": "SAMDeployCloudFormationFullAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*"
                }
            }
        }
    ]
}

  2. CloudTrail Event Log:
{
    "eventVersion": "1.09",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDA4MTWHLCH7XAVMZPVY",
        "arn": "arn:aws:iam::<AccountID>:user/<IAMUser>",
        "accountId": "<AccountID>",
        "accessKeyId": "ASIA4MTWHLCHW5KQB3MV",
        "userName": "<IAMUser>",
        "sessionContext": {
            "attributes": {
                "creationDate": "2024-08-14T08:37:47Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2024-08-14T08:37:52Z",
    "eventSource": "s3.amazonaws.com",
    "eventName": "CreateBucket",
    "awsRegion": "ap-south-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "requestParameters": {
        "CreateBucketConfiguration": {
            "LocationConstraint": "ap-south-1",
            "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/"
        },
        "bucketName": "aws-sam-cli-managed-default-samclisourcebucket-rcekmruyslgl",
        "Host": "aws-sam-cli-managed-default-samclisourcebucket-rcekmruyslgl.s3.ap-south-1.amazonaws.com",
        "x-amz-acl": "bucket-owner-full-control"
    },
    "responseElements": null,
    "additionalEventData": {
        "SignatureVersion": "SigV4",
        "CipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
        "bytesTransferredIn": 192,
        "AuthenticationMethod": "AuthHeader",
        "x-amz-id-2": "Gmdsb47WoXYj86HgW52XChlVenj8h90sR6Yd7EnaBBbZjvwfh+TDh4d4mAK1lzChnhijFI/KJok=",
        "bytesTransferredOut": 243
    },
    "requestID": "J5BP3BVYT0RRNY8V",
    "eventID": "688b5cac-2bcc-44f0-99f3-c1943161ebc6",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<AccountID>",
    "eventCategory": "Management"
}

What I've Tried:

  1. Verified the IAM policy and ensured it grants full access to CloudFormation actions and resources.
  2. Checked CloudFormation permissions and conditions.
  3. Reviewed S3 bucket policies and ACLs.

What I'm Looking For:

I need to understand why I'm still getting an AccessDenied error despite granting what seems like full access. Any insights or suggestions on what might be missing or incorrect would be greatly appreciated!

Thank you in advance for your help.

2 Answers
1

Hello.

Looking at CloudTrail events, it appears that creation of the S3 bucket to store the CloudFormation template has failed.
So, why not try adding a policy for operating S3 as shown below?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SAMDeployCloudFormation",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStacks"
            ],
            "Resource": [
                "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*",
                "arn:aws:cloudformation:ap-south-1:aws:transform/Serverless-2016-10-31"
            ]
        },
        {
            "Sid": "SAMDeployCloudFormationFullAccess",
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*"
                }
            }
        },
        {
            "Sid": "S3",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "*"
        }
    ]
}
EXPERT
answered a year ago
  • The following document describes the policies required for S3 operations. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html

    s3:PutObject
    s3:ListBucket
    s3:GetObject
    s3:CreateBucket
    
  • Because it will grant the access to other users as well, who are using this role for developing the Lambda function locally.

    So, to them I only want to grant the required permissions (they are in this policy, but not included on re:Post).

    Also, if I'm already granting full access to the service (the aws-sam-cli-managed-default CloudFormation stack) which is initiating the creation of the S3 bucket during "sam deploy", then why do I need to grant the permission again?

  • I thought that since the ARN is "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*", this wouldn't allow S3 operations.

  • Can you please explain what you mean by this?

    Do you mean it is a source issue (that it's not the stack but something else)? Or something else?

    If it's a source issue, what will be the right source that is generating the commands?

  • This is an IAM policy issue. At first glance, the policy below seems to allow full access, but the ARN is "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/* ", so you cannot create or operate S3 with this.

            {
                "Sid": "SAMDeployCloudFormationFullAccess",
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*",
                "Condition": {
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws:cloudformation:ap-south-1:<AccountID>:stack/aws-sam-cli-managed-default/*"
                    }
                }
            }
    
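To make the expert's point concrete, here is a toy evaluator of the question's policy. It is an added illustration, not code from the thread, the SAM CLI or AWS. It models only the slice of IAM evaluation the question turns on: wildcard matching of Action and Resource, the ArnLike operator, and the rule that a condition with a non-IfExists operator is false when its key is absent from the request context; it assumes, as the expert's comment implies, that the S3 CreateBucket call in the CloudTrail event carries no aws:SourceArn. Explicit Deny, SCPs, resource policies and permission boundaries are out of scope. The account id and bucket name are constructed placeholders, and the scoped S3 statement is an alternative to the answer's "Resource": "*" grant.

```python
"""Toy IAM evaluator (added illustration, not the thread's or AWS's code)."""
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder, not a real account id
REGION = "ap-south-1"
STACK_PREFIX = f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/aws-sam-cli-managed-default/*"
BUCKET = "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-rcekmruyslgl"

# The two statements as posted in the question, with the placeholder account id.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SAMDeployCloudFormation", "Effect": "Allow",
         "Action": ["cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet",
                    "cloudformation:ExecuteChangeSet", "cloudformation:DescribeStacks"],
         "Resource": [STACK_PREFIX,
                      f"arn:aws:cloudformation:{REGION}:aws:transform/Serverless-2016-10-31"]},
        {"Sid": "SAMDeployCloudFormationFullAccess", "Effect": "Allow",
         "Action": "*", "Resource": "*",
         "Condition": {"ArnLike": {"aws:SourceArn": STACK_PREFIX}}},
    ],
}

# Narrower than the answer's "Resource": "*": the SAM CLI names its artifact bucket
# with a fixed prefix, so the grant can be scoped to that bucket and its objects.
S3_SCOPED_STATEMENT = {
    "Sid": "SAMArtifactBucket", "Effect": "Allow",
    "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*",
                 "arn:aws:s3:::aws-sam-cli-managed-default-samclisourcebucket-*/*"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM's * and ? wildcards behave like shell globbing (and * may span "/").
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Every operator/key pair must hold; a key missing from the context fails."""
    for operator, pairs in condition.items():
        if operator != "ArnLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # non-IfExists operator with an absent key -> false
            if not any(_match(p, actual) for p in _as_list(patterns)):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return (allowed, sid) for the first matching Allow statement, else (False, None)."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; ARNs are not.
        if not any(_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True, stmt.get("Sid")
    return False, None


def with_s3_statement(policy):
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [S3_SCOPED_STATEMENT]}


def demo():
    """Reproduce the CloudTrail failure, then check the scoped fix and the catch-all's reach."""
    no_source_arn = {}  # assumption: the S3 CreateBucket request carries no aws:SourceArn
    stack_id = STACK_PREFIX.replace("*", "abc123")
    fixed = with_s3_statement(QUESTION_POLICY)
    return {
        "cfn_change_set": evaluate(QUESTION_POLICY, "cloudformation:CreateChangeSet", stack_id, no_source_arn),
        "s3_create_original": evaluate(QUESTION_POLICY, "s3:CreateBucket", BUCKET, no_source_arn),
        "s3_create_fixed": evaluate(fixed, "s3:CreateBucket", BUCKET, no_source_arn),
        "s3_create_other_bucket": evaluate(fixed, "s3:CreateBucket", "arn:aws:s3:::some-unrelated-bucket", no_source_arn),
        # If the key were ever present and matched, "Action": "*" would grant everything.
        "catch_all_if_key_matched": evaluate(QUESTION_POLICY, "iam:CreateUser",
                                             f"arn:aws:iam::{ACCOUNT}:user/anyone",
                                             {"aws:SourceArn": stack_id}),
    }


if __name__ == "__main__":
    for name, (allowed, sid) in demo().items():
        print(f"{name:26s} allowed={str(allowed):5s} via={sid}")
```

Two things worth taking from the run: the CloudFormation actions succeed through the first statement, while S3 CreateBucket finds no statement at all because the catch-all's condition never holds, which is exactly the AccessDenied in the trail. The catch-all is also worth a second look on its own: "Action": "*" with "Resource": "*" gated on a single condition key is account-wide admin if that key ever matches, so the last result shows why a scoped grant is preferable. If the intent was "only when CloudFormation makes the call on my behalf", the condition key that describes that relationship is aws:CalledVia (which CloudFormation supports), not aws:SourceArn.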
1

Create a role that CloudFormation can assume, and attach to this role a permissions policy that contains sufficient privileges to create an S3 bucket.

In the CloudFormation template, specify the IAM role using the RoleARN property for the AWS::CloudFormation::Stack resource.

RoleARN: arn:aws:iam::<AccountID>:role/MyCloudFormationRole 
EXPERT
answered a year ago
