
Lambda AccessDeniedException Issue

0

Problem Summary

Problem Description

User experiencing AccessDeniedException when attempting to update Lambda function code via AWS CLI, despite having multiple policies that should grant full Lambda access. The error message is:

An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation: None

What We've Tested and Ruled Out

✅ User Permissions - VERIFIED AS SUFFICIENT
Multiple Lambda full access policies attached:
  • AWSLambda_FullAccess (managed policy attached to user)
  • AWSLambdaFullAccess (managed policy from DelocoBasicGroup)
  • lambda:* (in user's inline policy manuallambdadan)
  • PowerUserAccess (managed policy attached to user)

✅ IAM Policy Simulator - SHOWS ALLOWED
  • Simulator confirms lambda:UpdateFunctionCode is "allowed"
  • Simulator confirms lambda:CreateFunction is "allowed"
  • Critical discrepancy: Simulator says "allowed" but API calls fail

✅ Permission Boundaries - NOT THE ISSUE
  • User has no permission boundaries (aws iam get-user returned null)

✅ Group Policies - NO DENY STATEMENTS
  • No inline policies on groups (DelocoBasicGroup, AWsrekognition)
  • All attached managed policies contain only "Allow" statements
  • No explicit deny statements found anywhere

✅ Service Control Policies (SCPs) - NOT BLOCKING
  • Checked for SCPs that might block Lambda operations
  • No restrictive SCPs found

✅ Lambda Function Resource Policy - NOT RESTRICTIVE
  • Function resource policy allows the user's account full access
  • No cross-account restrictions

✅ Multiple Update Methods Tested - ALL FAIL
  • ❌ S3-based update: aws lambda update-function-code --s3-bucket --s3-key
  • ❌ Direct zip update: aws lambda update-function-code --zip-file fileb://test.zip
  • Both methods fail with identical AccessDeniedException

✅ Account-Wide Issue Confirmed
  • Created new test user with AWSLambda_FullAccess and PowerUserAccess
  • New user also fails with same AccessDeniedException
  • ❌ CreateFunction fails for new user
  • ❌ UpdateFunctionCode fails for new user
  • This confirms it's NOT user-specific

✅ Read Operations Work Fine
  • ✅ aws lambda get-function works successfully
  • ✅ aws lambda list-functions works successfully
  • Only write operations are blocked

  • IAM Simulator Contradiction: The most significant finding is that AWS IAM Policy Simulator shows operations as "allowed" but actual API calls fail
  • Multiple Users Affected: Both original user and newly created user with identical policies experience the same issue
  • All Write Operations Blocked: CreateFunction, UpdateFunctionCode, and DeleteFunction all fail
  • Read Operations Unaffected: Can successfully retrieve function information

Pulling my hair out with this, it did work until a few days ago. Unsure what's changed.

3 Answers
1

Since the IAM Simulator shows 'Allowed' and you've already ruled out SCPs/Boundaries, this specific behavior often points to two hidden blockers:

  • KMS Key Permissions: If the Lambda is encrypted with a Customer Managed Key (CMK), you need explicit kms:Decrypt and kms:GenerateDataKey permissions for that key. The IAM Simulator often misses this dependency because it only evaluates the Lambda service action itself.

  • CloudTrail Error Details: Check AWS CloudTrail for the specific UpdateFunctionCode event. The errorMessage in the raw JSON log is usually much more descriptive than the generic CLI output and will pinpoint if it's a KMS issue, a VPC restriction, or a hidden Condition block in your policies.

Also, verify if Code Signing is enabled for the function, as this requires additional permissions (lambda:GetCodeSigningConfig) that are sometimes omitted in custom 'FullAccess' policies.

EXPERT
answered 15 days ago
EXPERT
reviewed 15 days ago
  • A KMS key issue is a good bet. Note that any KMS errors will also show in CloudTrail's default event history view in the current region. You can expose the "error code" column in the event history view and then search for the Event name "GenerateDataKey" or "Decrypt" to find any relevant errors, without having to scroll through dozens of pages of unrelated or read-only events.
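As an added example (not part of the answer or comment above), the CloudTrail triage they describe in script form: parse event-history output, keep only failed Lambda write calls and the KMS calls a CMK-encrypted function depends on, and flag a function whose get-function output carries a KMSKeyArn. The sample records, user name, key ARN and error messages are constructed; only the field names (eventSource, eventName, errorCode, errorMessage, KMSKeyArn) are real.

```python
import json

# Lambda write operations and the KMS calls a customer-managed-key-encrypted function depends on.
LAMBDA_WRITE_OPS = {"CreateFunction", "UpdateFunctionCode", "UpdateFunctionConfiguration", "DeleteFunction"}
KMS_OPS = {"Decrypt", "GenerateDataKey"}

# Constructed sample in the shape `aws cloudtrail lookup-events` returns: each entry's
# CloudTrailEvent is the full record as a JSON string. Messages are made up for illustration.
SAMPLE_LOOKUP_OUTPUT = {"Events": [
    {"EventName": "UpdateFunctionCode", "Username": "example-user", "CloudTrailEvent": json.dumps({
        "eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode",
        "errorCode": "AccessDenied", "errorMessage": "(constructed) access denied by account restriction"})},
    {"EventName": "GenerateDataKey", "Username": "example-user", "CloudTrailEvent": json.dumps({
        "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
        "errorCode": "AccessDenied", "errorMessage": "(constructed) not authorized for kms:GenerateDataKey"})},
    {"EventName": "GetFunction", "Username": "example-user", "CloudTrailEvent": json.dumps({
        "eventSource": "lambda.amazonaws.com", "eventName": "GetFunction"})},  # succeeded: no errorCode
]}

# Constructed sample of `aws lambda get-function` output with a customer managed key configured.
SAMPLE_GET_FUNCTION = {"Configuration": {"FunctionName": "example-fn",
                                         "KMSKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}


def failed_calls(lookup_output):
    """Return one dict per failed Lambda write or KMS call, carrying the detailed errorMessage.

    Successful calls have no errorCode in the record, so they are skipped; read-only Lambda
    calls are skipped too, which keeps the output short enough to read at a glance.
    """
    hits = []
    for entry in lookup_output.get("Events", []):
        rec = json.loads(entry["CloudTrailEvent"])
        if "errorCode" not in rec:
            continue
        src, name = rec.get("eventSource"), rec.get("eventName")
        if (src == "lambda.amazonaws.com" and name in LAMBDA_WRITE_OPS) or \
           (src == "kms.amazonaws.com" and name in KMS_OPS):
            hits.append({"event": name, "user": entry.get("Username"),
                         "code": rec["errorCode"], "message": rec.get("errorMessage", "")})
    return hits


def needs_kms_permissions(get_function_output):
    """True when the function uses a customer managed key (KMSKeyArn is set), meaning the caller
    also needs kms:Decrypt and kms:GenerateDataKey on that key, not just lambda:* rights."""
    return bool(get_function_output.get("Configuration", {}).get("KMSKeyArn"))


if __name__ == "__main__":
    for hit in failed_calls(SAMPLE_LOOKUP_OUTPUT):
        print(f"{hit['event']} by {hit['user']}: {hit['code']} - {hit['message']}")
    print("function uses a CMK:", needs_kms_permissions(SAMPLE_GET_FUNCTION))
```

To feed it real data, run `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateFunctionCode` and `aws lambda get-function --function-name <name>` and load their JSON in place of the constructed samples.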

0
Accepted Answer

I had missed an 'Amazon Web Services: New Support case' email. In there it said 'Your AWS Account may have been inappropriately accessed by a third-party...' regarding the use of a Key and that limitations had been applied to the account until I contacted AWS.

It would have been great if that message was visible when I logged in. Hopefully it will be sorted quickly now.

answered 14 days ago
EXPERT
reviewed 14 days ago
0

Hello.

Is it possible to update a Lambda function using an IAM user with the same policy attached, via the Management Console instead of the AWS CLI?

If you are running the AWS CLI on your local PC, please also check the credentials being loaded.
You may be loading incorrect credentials and therefore do not have permission to update Lambda.
https://repost.aws/articles/ARvcQCv8jdR8q9DMDLp7GWSw/priority-of-credentials-read-by-the-aws-cli

There may also be a problem with your AWS account.
Therefore, please contact AWS Support by opening a case under "Account and billing".
Inquiries under "Account and billing" can be made free of charge.
https://console.aws.amazon.com/support

EXPERT
answered 15 days ago
EXPERT
reviewed 15 days ago
