AWS SSO user with AdministratorAccess cannot access root owned resources

1

Hi All,

I have an AWS environment where all the resources (VPCs, EC2, Route53, etc.) were created and administered by the root account and I’m trying to move away from this so administration of the environment can be delegated to others. I’ve set up AWS SSO with our IdP (Okta), created an AWS account for the user and linked it with an SSO user, created the permission set “AdministratorAccess” and assigned it to the AWS account. I’m able to sign in to AWS via the IdP, can see the permission set assigned is AdministratorAccess, but I cannot access/view any of the resources that were created by the root account.

I’ve been going through all the IAM, policy and access documentation and cannot figure out how to provide access to the resources. I assumed assigning the AdministratorAccess permission set was sufficient, but I’m clearly mistaken or missing something.

Any assistance would be greatly appreciated.

Thanks!

  • Did you find a solution to this? I'm running into the same situation as your comment below, where SSO users with the built-in AdministratorAccess permission set don't have any permissions to the things created by other AdministratorAccess users...

2 Answers
2

What resources exactly are we talking about? S3 buckets? SNS topics? AWS doesn't really have a notion of "owner" that has special access (except for some S3 objects, but that is a different story). The only thing I can imagine is that they wrote an S3 bucket policy to do a "deny *" for everybody not themselves. In that case, the only thing you can do is to log in as root and remove/fix the policy.

A VPC, EC2 instance, etc. don't have resource policies, so you wouldn't be able to restrict access to them that way.

Other things to consider:

  • Are you SURE you are in the right account and region?
  • Is this perhaps part of an account in an org that has SCPs active?
Obijan (AWS)
answered 2 years ago
  • The resources I'm referring to are VPCs, EC2 instances, and Route 53 zones. When signed in as the root account I have 4 VPCs, 10+ Route53 zones, and 30+ EC2 instances across multiple regions. The SSO user assigned the AdministratorAccess permission set cannot see any of this.

    I've confirmed that the account and regions are correct, the Organization details are the same for the SSO User, same Organization ID and the Management ID is that of our root account. All AWS Organization Policies are disabled and AWS Organization Services are all "access disable" other than SSO.

    Thanks!
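The evaluation order this answer leans on (an explicit Deny from a bucket policy or an SCP beats the Allow in the AdministratorAccess permission set, and a missing SCP Allow also blocks the call), as an added example that is not part of the answer. It is a simplified evaluator: principals, conditions and permission boundaries are omitted, and all policies are constructed.

```python
from fnmatch import fnmatch

# Simplified IAM decision logic: an explicit Deny anywhere wins; then SCPs must
# allow the action; then an identity or resource policy Allow grants the call.
def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    acts = _as_list(stmt.get("Action", []))
    res = _as_list(stmt.get("Resource", ["*"]))
    return (any(fnmatch(action, a) for a in acts)
            and any(fnmatch(resource, r) for r in res))

def _effects(policies, action, resource):
    return {s["Effect"] for p in policies for s in p["Statement"]
            if _matches(s, action, resource)}

def evaluate(action, resource, identity_policies, scps=(), resource_policies=()):
    """Return ('Allow' | 'Deny', reason) for one request."""
    everything = list(identity_policies) + list(scps) + list(resource_policies)
    if "Deny" in _effects(everything, action, resource):
        return "Deny", "explicit Deny"
    # SCPs cap what any principal in a member account may use at all
    if scps and "Allow" not in _effects(scps, action, resource):
        return "Deny", "not allowed by SCP"
    grants = list(identity_policies) + list(resource_policies)
    if "Allow" in _effects(grants, action, resource):
        return "Allow", "allowed"
    return "Deny", "implicit Deny"

# Constructed policies. AdministratorAccess is effectively "Allow *:* on *".
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Hypothetical SCP that only allows S3, so EC2 calls fail even for an admin
S3_ONLY_SCP = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Hypothetical "deny *" bucket policy of the kind the answer describes
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(evaluate("ec2:DescribeInstances", "*", [ADMIN]))
    print(evaluate("ec2:DescribeInstances", "*", [ADMIN], scps=[S3_ONLY_SCP]))
    print(evaluate("s3:GetObject", "arn:aws:s3:::example-bucket/key", [ADMIN],
                   resource_policies=[BUCKET_DENY]))
```

Note that the model says nothing about "ownership": with only AdministratorAccess and a permissive SCP, the EC2 call is allowed regardless of who created the instance.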

0

Other things to try:

  • Create something, like an empty S3 bucket as the SSO user and see if that works
  • (Temporarily) create a local IAM user with Admin rights, then log in with that (using its own username and password)

This looks like a very strange setup.

Obijan (AWS)
answered 2 years ago
