
AWS SSO user with AdministratorAccess cannot access root owned resources


Hi All,

I have an AWS environment where all the resources (VPCs, EC2, Route53, etc.) were created and administered by the root account and I’m trying to move away from this so administration of the environment can be delegated to others. I’ve set up AWS SSO with our IdP (Okta), created an AWS Account for the user and linked it with an SSO User, created the permission set “AdministratorAccess” and assigned it to the AWS account. I’m able to sign in to AWS via the IdP and can see the permission set assigned is AdministratorAccess, but I cannot access/view any of the resources that were created by the root account.

I’ve been going through all the IAM, policy and access documentation and cannot figure out how to provide access to the resources. I assumed assigning the AdministratorAccess permission set was sufficient, but I’m clearly mistaken or missing something.

Any assistance would be greatly appreciated.


1 Answer

What resources exactly are we talking about? S3 buckets? SNS topics? AWS doesn't really have a notion of "owner" that has special access (except for some S3 objects, but that is a different story). The only thing I can imagine is that they wrote an S3 bucket policy to do a "deny *" for everybody not themselves. In that case, the only thing you can do is to log in as root and remove/fix the policy.

A VPC, EC2 instance, etc. don't have resource policies, so you wouldn't be able to restrict access to them that way.

Other things to consider:

  • Are you SURE you are in the right account and region?
  • Is this perhaps part of an account in an org that has SCPs active?
answered 3 months ago
  • The resources I'm referring to are VPCs, EC2 instances, and Route 53 zones. When signed in as the root account I have 4 VPCs, 10+ Route53 zones, and 30+ EC2 instances across multiple regions. The SSO user assigned the AdministratorAccess permission set cannot see any of this.

    I've confirmed that the account and regions are correct, the Organization details are the same for the SSO User, same Organization ID and the Management ID is that of our root account. All AWS Organization Policies are disabled and AWS Organization Services are all "access disable" other than SSO.
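The answer's two checks (right account and region, and no explicit deny from an SCP or policy) can be run from the SSO session instead of eyeballed in the console. The script below is an added example and is not part of the re:Post thread; it assumes AWS CLI v2 is installed, that a CLI profile named `sso-admin` has been created with `aws configure sso` and logged in with `aws sso login`, and that `123456789012` stands in for the account ID that the root user sees the VPCs in. Both names are placeholders. The helper functions take no AWS calls so they can be checked offline; the AWS calls only run when `RUN_AWS_CHECKS=1` is set.

```shell
#!/bin/sh
# Added diagnostic script (not from the re:Post thread). Placeholders: the
# "sso-admin" profile and the 123456789012 account ID; override via environment.
set -eu

EXPECTED_ACCOUNT="${EXPECTED_ACCOUNT:-123456789012}"   # account where root sees the VPCs
PROFILE="${PROFILE:-sso-admin}"                          # CLI profile backed by IAM Identity Center

# --- Pure helpers (no AWS calls) -------------------------------------------

# Extract the role name from an STS assumed-role ARN, e.g.
#   arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/jane@example.com
# yields AWSReservedSSO_AdministratorAccess_0123456789abcdef. Returns 1 for any
# other ARN shape (e.g. an IAM user or the root principal).
sso_role_from_arn() {
    arn="$1"
    rest="${arn#*:assumed-role/}"          # strip everything through "assumed-role/"
    if [ "$rest" = "$arn" ]; then          # nothing was stripped: not an assumed role
        echo ""
        return 1
    fi
    echo "${rest%%/*}"                     # drop the session name after the slash
}

# 0 if both 12-digit account IDs are identical, 1 otherwise.
same_account() {
    [ "$1" = "$2" ]
}

# 0 if the role name was created by the Identity Center permission set named "$2".
# Identity Center names these roles AWSReservedSSO_<PermissionSet>_<hash>.
is_permission_set_role() {
    case "$1" in
        AWSReservedSSO_"$2"_*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- Live checks against AWS ------------------------------------------------

run_checks() {
    arn=$(aws sts get-caller-identity --profile "$PROFILE" --query Arn --output text)
    account=$(aws sts get-caller-identity --profile "$PROFILE" --query Account --output text)
    echo "Signed in as: $arn"

    # Check 1: the SSO session must land in the account that holds the resources.
    if ! same_account "$account" "$EXPECTED_ACCOUNT"; then
        echo "WRONG ACCOUNT: session is in $account, resources live in $EXPECTED_ACCOUNT" >&2
        return 1
    fi
    role=$(sso_role_from_arn "$arn")
    if ! is_permission_set_role "$role" AdministratorAccess; then
        echo "Role $role is not the AdministratorAccess permission-set role" >&2
        return 1
    fi

    # Check 2: count VPCs in every enabled region; the console shows one region at a time.
    for region in $(aws ec2 describe-regions --profile "$PROFILE" \
                        --query 'Regions[].RegionName' --output text); do
        n=$(aws ec2 describe-vpcs --profile "$PROFILE" --region "$region" \
                --query 'length(Vpcs)' --output text)
        echo "$region: $n VPC(s)"
    done
    # Route 53 hosted zones are global, so one call covers them all.
    aws route53 list-hosted-zones --profile "$PROFILE" --query 'HostedZones[].Name' --output text

    # Check 3: ask IAM whether this role may call the read APIs. An explicit deny
    # coming from an SCP, a permissions boundary or an inline policy on the
    # permission set shows up as a non-"allowed" EvalDecision here.
    role_arn=$(aws iam get-role --profile "$PROFILE" --role-name "$role" --query Role.Arn --output text)
    aws iam simulate-principal-policy --profile "$PROFILE" \
        --policy-source-arn "$role_arn" \
        --action-names ec2:DescribeVpcs ec2:DescribeInstances route53:ListHostedZones \
        --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
}

# Only touch AWS when explicitly asked, so the helpers can be sourced or tested offline.
if [ "${RUN_AWS_CHECKS:-0}" = "1" ]; then
    run_checks
fi
```

Run it with `RUN_AWS_CHECKS=1 EXPECTED_ACCOUNT=<id> PROFILE=<profile> sh check_sso_access.sh`. If the first check reports a different account ID than the one the root user signs into, the permission set was assigned to a different account than the one holding the resources, which matches the symptom in the question. If the account matches but the simulation returns anything other than `allowed`, the deny is coming from a policy rather than from ownership.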

