Issue with AWS permissions

Question

Hello everyone!

Me and my colleague recently took over on being IT in cilent's company which have little stuff on the AWS. I am new to AWS and we have an issue with permissions

We have multiple AWS Accounts in our organization, to which we got access by adding ourselves to Azure Groups (We have SSO from Azure to AWS)

We have the same groups but for some reason he has all permissions and I am missing most of them i.e. I cannot list IAM User's but I have no problem doing anything with S3 or SES

We have recently created IAM accounts with e-mail addresses of accounts we are using to log in to AWS we have set up my access to be limited only to S3 for test but I did not lose or get any more access

Where should we search for possible issues?

Max Clements · Answer

This is a difficult question to answer without more information. Firstly, you mention manually making users in AWS with e-mails which you use to login, but you are also using Azure SSO. When you configure Azure SSO with an AWS Organization - you typically would provision the users directly from the Azure directory using SCIM as documented here (https://docs.aws.amazon.com/singlesignon/latest/userguide/idp-microsoft-entra.html). Without knowing how your SSO is setup - it is difficult to offer anything but generic advice.

If you are unable to manage IAM users - but have the same permissions and roles as your colleague - it is possible that this may have been specifically denied in AWS. In IAM an explicit deny rule always wins - regardless if there are allow rules that allow the action that apply to your principal (user).

One way to see why you are being denied is to look at CloudTrail and see what is happening there. You can also have your colleague (who has IAM access) look at the effective permissions you have in IAM using the AWS Policy Simulator on the user that you have provisioned for yourself in AWS (https://policysim.aws.amazon.com/)

Issue with AWS permissions

Relevant content