I would review what SCPs you have in place in your Org/OUs: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
If using Control Tower, you may have turned on some controls which place SCPs into effect to prevent specific actions. There are mandatory controls in place: https://docs.aws.amazon.com/controltower/latest/userguide/mandatory-controls.html
Here is some documentation which also relates to an SCP to block QuickSight https://docs.aws.amazon.com/quicksight/latest/user/security-scp.html
The error you got is typically caused indeed by SCP.
The suggestion is to access, or ask the account owner/organization to modify, the explicit SCP deny, for instance by allowing your account to perform the QuickSight action.
I am getting the same error. I think the issue is with the AWS account in the ARN below. That account is owned by AWS and is referred to by CFN to get some template, as I don't have anything in us-east-1 and the account below is not part of my organisation.
arn:aws:quicksight:us-east-1:223485597511:template/cudos_dashboard_v3 with an explicit deny in a service control policy
This is most likely because of Control Tower mandatory controls when region deny restrictions are in place. For example, if you are using us-east-2 and us-west-2, there will be SCP deny policies for the other regions. This template is in us-east-1, thus the error.
The SCP for me was attached to /Root/Infrastructure/ and impacting my FinOps account underneath. I did the following:
- Identify SCP name and note it
- Detach from OU
- Rerun pipeline (may need to manually disable failed one if you have delete protection)
- Confirm success
- Attach SCP
- Celebrate
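As an added example (not code from this thread), a small Python check of how a region-deny SCP of the kind described above blocks a call against the us-east-1 QuickSight template, and how adding an exemption to the deny statement, rather than detaching the whole SCP as in the procedure above, clears it. The SCP document is constructed and simplified for illustration, and `quicksight:DescribeTemplate` is the assumed action.

```python
import copy
import json
from fnmatch import fnmatch

# Constructed, simplified SCP in the shape of a region deny control: deny everything
# except a few global services unless the request targets an allow-listed region.
REGION_DENY_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideAllowedRegions",
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-2", "us-west-2"]}}
  }]
}""")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support '*' wildcards
    return any(fnmatch(action.lower(), p.lower()) for p in _as_list(patterns))

def statement_denies(stmt, action, region):
    """True if a Deny statement applies to `action` when the request goes to `region`."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False  # exempted action, the Deny does not apply
    allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    if allowed is not None and region in _as_list(allowed):
        return False  # request targets an allow-listed region, condition is false
    return True

def scp_denies(policy, action, region):
    """An SCP denies a call if any Deny statement matches; Allow statements never override."""
    return any(statement_denies(s, action, region) for s in policy["Statement"])

def add_exemption(policy, sid, actions):
    """Copy of `policy` with `actions` appended to the NotAction list of statement `sid`."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        if stmt.get("Sid") == sid:
            stmt["NotAction"] = _as_list(stmt.get("NotAction", [])) + list(actions)
    return fixed
```

The region to test comes straight from the template ARN (field 3 of `arn:aws:quicksight:us-east-1:...`), which is what the deployment's own region setting does not tell you.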