- Newest
- Most votes
- Most comments
Hi,
For the 403 error, there are a couple of items that may cause it. Please first see the relevant StartInstance event in CloudTrail to collect the details of the error. The CloudTrail event can provide you details including the principals. And then please check the following configurations: 1, The IAM policy that is attached to the principal. 2, The permission boundary attached to the principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html). 3, The SCP policy attached to the IAM account.
For the above policies, please check if there is any explicit deny for the Lightsail service. However, if no explicit deny has been found and it is certain that AdminstratorAccess is attached in the IAM principal, please feel free to open a support ticket for further troubleshooting.
Relevant content
- asked 3 months ago
- What's the difference between Lambda function execution role permissions and invocation permissions?
AWS OFFICIALUpdated 2 years ago - AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 4 months ago
Is your account under an AWS Organization Unit? Have you verified the SCP on that Organization Unit?
Thanks very much for your response. I didnt have a SCP but tried attaching FullAWSAccess ("Allows access to every operation") to the member account (doesn't seem to apply to root/management users). Received the message that a policy with the same name already exists, and it turns out this had been inherited from root. So, the only two accounts in the org I have, including one IAM user on one of the accounts, seem to have full permissions. Yet I still can't restart my Lightsail instance. Maybe I need to reach out to support?