
CloudFormation error in eu-central-1

0

I'm receiving this error when deploying a CloudFormation stack in eu-central-1. The same stack works fine in other regions. The stack also used to work in eu-central-1, and this error started occurring July 13.

Resource handler returned message: "Invalid request provided: Cannot access stream arn:aws:dynamodb:eu-central-1:<AccountID>:table/<TableName>/stream/2023-07-17T21:23:24.239. Please ensure the role can perform the GetRecords, GetShardIterator, DescribeStream, and ListStreams Actions on your stream in IAM. (Service: Lambda, Status Code: 400, Request ID: 619ab0c9-3859-4c49-9258-88972e989bc9)" (RequestToken: aea1e518-fbd7-a1b0-0c27-60967a2bcf53, HandlerErrorCode: InvalidRequest)

Is there a known issue in eu-central-1?

1 Answer
0

Redact your account details from the question immediately.

Can you make sure that no change occurred on the service control policy or permissions boundary side for a specific region, eu-central-1 in your case?

If you see no recent change on the SCP/permissions boundary side either, can you attach **AWSLambdaDynamoDBExecutionRole** to your Lambda execution role for testing in eu-central-1?

Comment here how it goes.

AWS
EXPERT
answered 2 years ago
  • Thanks for your response. There were no changes to SCP / permission boundary. I could attach that role, but this is in our production environment so it will require updating the CloudFormation stack and redeploying. If it were a problem with the role, I think it would fail consistently and in all regions, but this only happens intermittently, and only in the eu-central-1 region. I'll still give it a try and report back.

  • The reason why I mentioned SCP and permissions boundary is that these are two places that don't come into notice directly. As to your question about consistency across all regions, there can be conditions in SCP/permissions boundary for a specific region, and I just wanted you to make sure that's not the case here. If it's happening intermittently, that sounds more suspicious; see if you can find something in CloudTrail about what's blocking that access, whether it's an explicit deny or missing permissions. If none of this works, I'd suggest you log a support case (if you have the support plan to create the case). Meanwhile, I'll also check if I can find something to replicate in-house, if you can share the CF stack here with account/resource details redacted.

  • We have a lot of accounts in our organization and currently 11 of them are failing this way. I opened a support ticket in one of them, but then the CloudFormation stack succeeded. I can't keep signing up for support in every account. Is it possible to have someone take a look at this issue?
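
The CloudTrail check suggested in the comments above, as an added example that is not part of the thread: it filters exported CloudTrail records for denied calls to the four stream actions named in the error message and reports whether each denial was an explicit deny or a missing allow, and from which policy type. It assumes the records are already loaded as Python dicts, that the denied calls are recorded by your trail, and that the messages use the usual "explicit deny in a ..." / "because no ... allows" wording; the account ID, role, table and sample records are constructed placeholders.

```python
import re

# The four actions named in the Lambda error message quoted in the question.
STREAM_ACTIONS = {"GetRecords", "GetShardIterator", "DescribeStream", "ListStreams"}
DENIED = {"AccessDenied", "AccessDeniedException"}
# Phrases in AWS access-denied messages that name the policy type involved.
EXPLICIT = re.compile(r"explicit deny in an? ([\w\- ]+?(?:policy|boundary))")
IMPLICIT = re.compile(r"because no ([\w\- ]+?(?:policy|boundary)) allows")

def triage(events, region="eu-central-1"):
    """Return one finding per denied DynamoDB stream call in `region`."""
    findings = []
    for ev in events:
        if (ev.get("awsRegion") != region
                or not ev.get("eventSource", "").endswith("dynamodb.amazonaws.com")
                or ev.get("eventName") not in STREAM_ACTIONS
                or ev.get("errorCode") not in DENIED):
            continue
        msg = ev.get("errorMessage", "")
        if (m := EXPLICIT.search(msg)):
            kind, source = "explicit-deny", m.group(1)   # SCP, boundary, ...
        elif (m := IMPLICIT.search(msg)):
            kind, source = "missing-allow", m.group(1)   # nothing grants it
        else:
            kind, source = "unclassified", None          # read the raw message
        findings.append({"time": ev.get("eventTime"), "action": ev["eventName"],
                         "kind": kind, "source": source})
    return findings

def _ev(time, region, action, reason=None):
    """Build one constructed CloudTrail-style record (placeholder identifiers)."""
    ev = {"eventTime": time, "awsRegion": region, "eventName": action,
          "eventSource": "dynamodb.amazonaws.com"}
    if reason:
        ev["errorCode"] = "AccessDenied"
        ev["errorMessage"] = (
            "User: arn:aws:sts::111122223333:assumed-role/example-role/example-fn "
            f"is not authorized to perform: dynamodb:{action} on resource: "
            f"arn:aws:dynamodb:{region}:111122223333:table/ExampleTable/stream/* {reason}")
    return ev

SAMPLE = [  # constructed records, not taken from the thread
    _ev("2023-07-17T21:23:30Z", "eu-central-1", "DescribeStream",
        "with an explicit deny in a service control policy"),
    _ev("2023-07-17T21:24:02Z", "eu-central-1", "GetRecords",
        "because no identity-based policy allows the dynamodb:GetRecords action"),
    _ev("2023-07-17T21:24:10Z", "eu-central-1", "ListStreams"),  # succeeded
    _ev("2023-07-17T21:25:00Z", "us-east-1", "GetShardIterator",
        "with an explicit deny in a permissions boundary"),
]
```

An explicit deny from a service control policy or permissions boundary points at the region-conditioned guardrails discussed in the answer, while a missing allow points back at the Lambda execution role's own policy.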
