TL;DR
You can’t access something in AWS because of an IAM permission issue. This guide shows you how to find the problem and fix it.
1. Understand the Error Message
The first step is to carefully read the error message. It usually tells you:
- What action you tried to perform (e.g., launching an EC2 instance, listing S3 buckets).
- Which service you were using (e.g., EC2, S3, IAM).
- The specific permission that’s missing (e.g., ec2:RunInstances, s3:ListBucket).
Example error message:
User arn:aws:iam::123456789012:user/MyUser is not authorized to perform: ec2:RunInstances on resource: *
2. Identify the IAM User, Group or Role
Figure out who is having the problem:
- IAM User: A specific person with AWS access.
- IAM Group: A collection of users with similar permissions.
- IAM Role: Permissions assumed by an AWS service (e.g., EC2 instance, Lambda function).
Check the IAM section of the AWS Management Console to confirm which user or role you are signed in as and, for a user, which groups it belongs to.
3. Check Attached Policies
IAM permissions come from policies. These policies are attached to users, groups, or roles.
- Go to the IAM section of the AWS Management Console.
- Select Users/Groups/Roles depending on who has the issue.
- Choose the relevant user, group or role.
- Go to the “Permissions” tab. This shows all attached policies.
Look for policies that should grant access to the service you’re using.
4. Review Policy Statements
Policies are made up of statements. Each statement defines what actions are allowed or denied on which resources.
- Click on a policy to view its JSON definition.
- Examine the “Statement” section. Look for statements that cover the action you’re trying to perform.
Example Policy Statement (allowing EC2 instance launches):
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "*"
    }
5. Common Policy Issues and Fixes
- Missing Action: The policy doesn’t allow the specific action you’re trying to take (e.g., ec2:RunInstances). Add it to the “Action” list.
- Incorrect Resource: The policy restricts access to a specific resource that you don’t have permission for (e.g., a particular S3 bucket). Change the “Resource” value to allow broader access (e.g., "*") or specify the correct resource ARN.
- Explicit Deny: Another policy statement explicitly denies the action. An explicit deny always overrides an allow, so you’ll need to remove or modify the deny statement.
- Incorrect Principal: For roles, make sure the “Principal” section of the role’s trust policy is correctly configured to allow the intended AWS service to assume the role.
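The evaluation rules behind the first three issues (no matching action, no matching resource, explicit deny overriding allow) can be checked locally before touching a policy. The following is an added example written for this guide, not AWS code and not the IAM Policy Simulator: a deliberately simplified evaluator for identity policies that handles Effect/Action/Resource with IAM-style wildcards and ignores Condition, NotAction, NotResource, resource policies and permission boundaries. The sample policies are constructed.

```python
import fnmatch

# Constructed sample policies: the guide's EC2 statement, an S3 allow scoped
# to one bucket, and an explicit deny on deleting objects.
EC2_POLICY = {"Statement": [{"Effect": "Allow",
                             "Action": ["ec2:RunInstances"], "Resource": "*"}]}
S3_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                            "Resource": "arn:aws:s3:::my-bucket/*"}]}
DENY_POLICY = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                              "Resource": "*"}]}

def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, fold_case=False):
    # IAM wildcards: "*" matches any run of characters, "?" one character.
    # Action names are case-insensitive; resource ARNs are compared as written.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Simplified evaluation: any matching Deny wins over every Allow, and a
    request no statement matches is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_matches(a, action, fold_case=True) for a in actions):
                continue
            if not any(_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def diagnose(policies, action, resource):
    """Map a denial to the common causes listed above (labels are ours)."""
    result = evaluate(policies, action, resource)
    if result == "Allow":
        return "allowed"
    if result == "ExplicitDeny":
        return "explicit deny"
    stmts = [s for p in policies for s in _as_list(p["Statement"])]
    if any(_matches(a, action, fold_case=True)
           for s in stmts for a in _as_list(s.get("Action", []))):
        return "incorrect resource"
    return "missing action"
```

Running diagnose against the guide's example (ec2:RunInstances on "*") with EC2_POLICY attached returns "allowed"; the same call against a policy that lacks the action returns "missing action".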
6. Test Your Changes
After making changes to policies:
- Wait a few minutes for the changes to propagate (it can take up to 10-15 minutes).
- Try the action again that was failing.
If it still fails, double-check your policy statements and ensure there are no conflicting rules.
7. Use AWS IAM Policy Simulator
The IAM Policy Simulator is a powerful tool for testing permissions without actually making changes to your policies. It lets you simulate the actions of a user, group or role and see which permissions are granted or denied.