My Admin Account (and Root Account) do not have full permissions

0

Hi, I'm trying to access various parts of the AWS Console and am getting this:

Contact your AWS administrator if you need help. If you are an AWS administrator, you can provide permissions for your users or groups by creating IAM policies.

The problem is, I'm using the AWS Admin account with "AdministratorAccess", which should have access to all functionality. Do you know why this isn't working? Thanks!

AlexC
asked 2 months ago, 212 views
1 Answer
1

Is your account a member account in an AWS Organization, and is it possible there's an SCP in place? "An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. Any account has only those permissions permitted by every parent above it. If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user."

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

AWS
answered 2 months ago
AWS EXPERT
reviewed 2 months ago
  • Thank you! This is very helpful and makes sense, but where do I go to actually see if an SCP is denying the policy even in my root/admin accounts? Is there a specific setting? I followed your link to the articles, but I'm struggling with finding out how to correct the permissions. Thank you!!

  • Hi AlexC. Access the SCPs from the AWS Organizations console. The steps are here [1].

    [1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html

  • Hi, Jose! Thanks for your response. When I click "Organization" (upper right-hand side of the screen), I get a page about what organizations are. On the left-hand side of that page is an option for "Invitations." I click on that and it says there are no invitations. I don't think I have any organizations assigned to any of my accounts (root or admin).

  • Hi, there! I'm still really struggling with this. Can I get additional direction and ideas as to what to do? Thank you!

  • Jose- I used Incognito to access the portal. I went to:

    Billing and Cost Management

    It shows "Month-to-date Cost - Access Denied."

    I clicked on "Access Denied"

    A window surfaced that featured text to give to my "Administrator" (even though I am the administrator :)

    Here is the text: User: [my user account number is here] Service: [Cost Explorer] Name: [AccessDeniedException] HTTP status code: [400] Context: [IAM user access not activated] Request ID: [this is a unique number I didn't want to cut/paste into this message]

    Any thoughts? Thanks again for your help!
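The rule quoted in the answer ("any account has only those permissions permitted by every parent above it", and an IAM AdministratorAccess policy cannot override that) can be checked mechanically. The following is an added illustration, not code from the answer or from AWS: a deliberately simplified policy evaluator that models only Effect/Action/Resource with `*` wildcards (no conditions, NotAction, permission boundaries or resource-based policies), applied to constructed policy documents. The OU names and the `ce:*` Deny are assumptions chosen to mirror the Cost Explorer "Access Denied" described above; the FullAWSAccess and AdministratorAccess documents are the real `*`/`*` allow-everything shapes.

```python
"""Toy evaluator showing why AdministratorAccess in a member account can
still be denied: every SCP level on the path root OU -> ... -> account must
allow the action, AND the identity's IAM policy must allow it.

Simplified model (an assumption of this example, not the full AWS logic):
only Effect, Action and Resource are evaluated, with '*' wildcards.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM matches actions case-insensitively; '*' and '?' are the wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def policies_decision(policies, action, resource="*"):
    """Evaluate one set of policies (all SCPs attached at one level, or all
    IAM policies on an identity). An explicit Deny wins over any Allow;
    with no matching Allow the result is an implicit deny."""
    decision = "implicit_deny"
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not (_matches(st.get("Action", []), action)
                    and _matches(st.get("Resource", "*"), resource)):
                continue
            if st["Effect"] == "Deny":
                return "explicit_deny"
            decision = "allow"
    return decision


def effective_decision(scp_levels, iam_policies, action, resource="*"):
    """scp_levels: list of (level_name, [scp, ...]) from the root OU down to
    the account itself. The first level that does not allow the action
    blocks it, regardless of what the IAM policy says."""
    for level_name, scps in scp_levels:
        d = policies_decision(scps, action, resource)
        if d != "allow":
            return f"{d} by SCP at {level_name}"
    d = policies_decision(iam_policies, action, resource)
    if d != "allow":
        return f"{d} by IAM policy"
    return "allow"


# --- constructed sample policies -------------------------------------------
FULL_AWS_ACCESS = {  # the default SCP shape: allow everything
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
ADMINISTRATOR_ACCESS = {  # the managed IAM policy shape: allow */*
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DENY_COST_EXPLORER = {  # assumed SCP placed on an OU by the org admin
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["ce:*"], "Resource": "*"}],
}
S3_ONLY = {  # assumed allow-list SCP that never mentions EC2
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Path from the organization root down to the member account (assumed names).
LEVELS = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Workloads OU", [FULL_AWS_ACCESS, DENY_COST_EXPLORER]),
    ("member account", [FULL_AWS_ACCESS]),
]
LEVELS_ALLOW_LIST = [
    ("Root", [FULL_AWS_ACCESS]),
    ("Sandbox OU", [S3_ONLY]),
    ("member account", [FULL_AWS_ACCESS]),
]


if __name__ == "__main__":
    admin = [ADMINISTRATOR_ACCESS]
    for levels, action in [(LEVELS, "ce:GetCostAndUsage"),
                           (LEVELS, "ec2:DescribeInstances"),
                           (LEVELS_ALLOW_LIST, "ec2:DescribeInstances")]:
        print(f"{action:24s} -> {effective_decision(levels, admin, action)}")
```

Running it shows the two ways an administrator gets locked out that the quoted documentation describes: `ce:GetCostAndUsage` is an explicit deny at the OU level, and `ec2:DescribeInstances` under the allow-list OU is an implicit deny because no SCP at that level allows it, even though the IAM policy allows everything. The management account of an organization is not subject to SCPs; the answer's question about being a *member* account is what matters.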
