My Admin Account (and Root Account) do not have full permissions

0

Hi, I'm trying to access various parts of the AWS Console and am getting this:

Contact your AWS administrator if you need help. If you are an AWS administrator, you can provide permissions for your users or groups by creating IAM policies.

The problem is, I'm using the AWS Admin account with "AdministratorAccess", which should have access to all functionality. Do you know why this isn't working? Thanks!

AlexC
asked 2 months ago, viewed 236 times
1 Answer
1

Is your account a member account in an AWS Organization and is it possible there's an SCP in place? "An SCP restricts permissions for IAM users and roles in member accounts, including the member account's root user. Any account has only those permissions permitted by every parent above it. If a permission is blocked at any level above the account, either implicitly (by not being included in an Allow policy statement) or explicitly (by being included in a Deny policy statement), a user or role in the affected account can't use that permission, even if the account administrator attaches the AdministratorAccess IAM policy with */* permissions to the user."

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

AWS
answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
  • Thank you! This is very helpful and makes sense, but where do I go to actually see if an SCP is denying the policy even in my root/admin accounts? Is there a specific setting? I followed your link to the articles, but I'm struggling with finding out how to correct the permissions. Thank you!!

  • Hi AlexC. Access the SCPs from the AWS Organizations console. The steps are here [1].

    [1] https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_create.html

  • Hi, Jose! Thanks for your response. When I click "Organization" (upper right-hand side of the screen), I get a page about what organizations are. On the left-hand side of that page is an option for "Invitations." I click on that and it says there are no invitations. I don't think I have any organizations assigned to any of my accounts (root or admin).

  • Hi, there! I'm still really struggling with this. Can I get additional direction and ideas as to what to do? Thank you!

  • Jose- I used Incognito to access the portal. I went to:

    Billing and Cost Management

    It shows "Month-to-date Cost - Access Denied."

    I clicked on "Access Denied"

    A window surfaced that featured text to give to my "Administrator" (even though I am the administrator :)

    Here is the text: User: [my user account number is here] Service: [Cost Explorer] Name: [AccessDeniedException] HTTP status code: [400] Context: [IAM user access not activated] Request ID: [this is a unique number I didn't want to cut/paste into this message]

    Any thoughts? Thanks again for your help!
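The SCP evaluation rule quoted in the answer above, as an added example that is not part of the original thread and not AWS's own code: a simplified Python model of how an Allow in AdministratorAccess is still cut off by SCPs at any level above the account. The policy documents, level names and function names are constructed for illustration, and the model ignores `Resource` and `Condition` elements.

```python
from fnmatch import fnmatchcase

def policy_decision(policy, action):
    """Evaluate one policy document: 'deny', 'allow', or 'implicit' (no match)."""
    decision = "implicit"
    for st in policy["Statement"]:
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if st["Effect"] == "Deny":
                return "deny"  # an explicit Deny always wins
            decision = "allow"
    return decision

def set_decision(policies, action):
    """Combine all policies attached at one place (one OU, one account, one user)."""
    results = [policy_decision(p, action) for p in policies]
    if "deny" in results:
        return "deny"
    return "allow" if "allow" in results else "implicit"

def is_permitted(action, identity_policies, scp_levels):
    """scp_levels: [(name, [SCPs])] from the organization root down to the account.
    identity_policies=None models the member account's root user."""
    for name, scps in scp_levels:  # explicit Deny at any level blocks outright
        if set_decision(scps, action) == "deny":
            return False, f"explicit deny in SCP at {name}"
    for name, scps in scp_levels:  # every level must also contain an Allow
        if set_decision(scps, action) != "allow":
            return False, f"implicit deny: no SCP Allow at {name}"
    if identity_policies is not None and set_decision(identity_policies, action) != "allow":
        return False, "identity policy does not allow"
    return True, "allowed"

# Constructed sample data (hypothetical, not taken from the thread).
ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*"}]}  # shape of an allow-everything policy
OU_ALLOWLIST = {"Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"]}]}
ACCOUNT_DENY = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket"}]}
SCP_LEVELS = [("Root", [ALLOW_ALL]), ("OU Workloads", [OU_ALLOWLIST]),
              ("Account", [ALLOW_ALL, ACCOUNT_DENY])]

if __name__ == "__main__":
    for who, ident in (("admin user", [ALLOW_ALL]), ("root user", None)):
        for action in ("ec2:RunInstances", "iam:CreateUser", "s3:DeleteBucket"):
            print(who, action, is_permitted(action, ident, SCP_LEVELS))
```

Both the admin user and the root user get the same denials here, because the SCP checks run before, and independently of, any identity policy.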
