What resources exactly are we talking about? S3 buckets? SNS topics? AWS doesn't really have a notion of an "owner" that has special access (except for some S3 objects, but that is a different story). The only thing I can imagine is that they wrote an S3 bucket policy to do a "deny *" for everybody except themselves. In that case, the only thing you can do is log in as root and remove/fix the policy.
A VPC, EC2 instance, etc. doesn't have resource policies, so you wouldn't be able to restrict access to them that way.
Other things to consider:
- Are you SURE you are in the right account and region?
- Is this perhaps part of an account in an org that has SCPs active?
The resources I'm referring to are VPCs, EC2 instances, and Route 53 zones. When signed in as the root account I have 4 VPCs, 10+ Route 53 zones, and 30+ EC2 instances across multiple regions. The SSO user assigned the AdministratorAccess permission set cannot see any of this.
I've confirmed that the account and regions are correct; the Organization details are the same for the SSO user, with the same Organization ID, and the Management ID is that of our root account. All AWS Organizations policies are disabled and all AWS Organizations services are set to "access disabled" other than SSO.
Thanks!
Other things to try:
- Create something, like an empty S3 bucket as the SSO user and see if that works
- (Temporarily) create a local IAM user with Admin rights, then log in with that (using its own username and password)
This looks like a very strange setup.
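The first two checks above (same account? then compare what each identity actually sees, region by region) can be scripted. The script below is an added example for this thread, not code posted by anyone in it. It assumes two AWS CLI profiles named `root` and `sso` already exist in `~/.aws/config` (the names are assumptions; use whatever your profiles are called), and the sample `get-caller-identity` output embedded in it is constructed, with placeholder account IDs and ARNs, so the account comparison can be exercised without credentials. The live part (`diagnose`) needs the AWS CLI, network access, and `sts:GetCallerIdentity`, `ec2:DescribeRegions` and `ec2:DescribeVpcs` on both profiles.

```shell
#!/usr/bin/env bash
# Added example for the thread above; not the original poster's or AWS's code.
# Assumed profile names: "root" and "sso" (adjust to match ~/.aws/config).

# Extract one top-level string field from the JSON that
# `aws sts get-caller-identity` prints. Uses sed so jq is not required.
#   $1 = JSON text, $2 = field name (e.g. Account, Arn)
json_field() {
  printf '%s' "$1" \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Given two get-caller-identity JSON documents, print both principals and
# return 0 only when they resolve to the same 12-digit account ID.
# This is the "are you SURE you are in the right account?" check.
same_account() {
  local a_id b_id
  a_id=$(json_field "$1" Account)
  b_id=$(json_field "$2" Account)
  printf 'first : %s  %s\n'  "$a_id" "$(json_field "$1" Arn)"
  printf 'second: %s  %s\n'  "$b_id" "$(json_field "$2" Arn)"
  [ -n "$a_id" ] && [ "$a_id" = "$b_id" ]
}

# Count VPCs in every enabled region for one profile, so the root view and
# the SSO view can be compared line by line. A count of ERR means the call
# itself was denied (AccessDenied / UnauthorizedOperation), which is a
# different symptom from an empty region. Live call; needs the AWS CLI.
vpc_counts() {
  local profile=$1 region n
  for region in $(aws ec2 describe-regions --profile "$profile" \
                    --query 'Regions[].RegionName' --output text); do
    n=$(aws ec2 describe-vpcs --profile "$profile" --region "$region" \
          --query 'length(Vpcs)' --output text 2>/dev/null || echo ERR)
    printf '%-6s %-16s %s\n' "$profile" "$region" "$n"
  done
}

# Live diagnosis: confirm both profiles land in the same account, then
# print per-region VPC counts for each so any gap is visible at once.
diagnose() {
  local root_json sso_json
  root_json=$(aws sts get-caller-identity --profile root) || return 2
  sso_json=$(aws sts get-caller-identity --profile sso)   || return 2
  if same_account "$root_json" "$sso_json"; then
    echo "same account; per-region VPC counts (root vs sso):"
    vpc_counts root
    vpc_counts sso
  else
    echo "different accounts: the permission set is assigned in another account"
    return 1
  fi
}

# Constructed sample output (not captured from a real account); the account
# IDs, role name and user names are placeholders.
SAMPLE_ROOT='{
    "UserId": "123456789012",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:root"
}'
SAMPLE_SSO='{
    "UserId": "AROAEXAMPLEROLEID:admin",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/admin"
}'
SAMPLE_OTHER_ACCOUNT='{
    "UserId": "AROAEXAMPLEROLEID:admin",
    "Account": "210987654321",
    "Arn": "arn:aws:sts::210987654321:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/admin"
}'

# Only talk to AWS when explicitly asked, so the file can be sourced safely.
if [ "${AWS_DIAG_LIVE:-0}" = "1" ]; then
  diagnose
fi
```

Run it live with `AWS_DIAG_LIVE=1 bash diagnose.sh`. If `same_account` fails, the SSO permission set was assigned in a different member account and nothing else needs debugging. If the accounts match but the `sso` rows show 0 where the `root` rows show counts, the SSO session really is in the right place and the problem is the effective permissions of that session (an SCP, a permissions boundary, or an inline policy on the permission set), not the region selector. Rows showing `ERR` for `sso` mean `ec2:DescribeVpcs` itself is being denied, which is the pattern you would expect from an explicit Deny.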
Did you find a solution to this? I'm running into the same situation as your comment below, where SSO users with the built-in AdministratorAccess permission set don't have any permissions on the things created by other AdministratorAccess users...