5

So my manager has left the company a few months back, leaving me to manage things on my own. Now I'm looking through CloudTrail events, and I found that in one of our accounts I have an explicit deny on viewing them.

Here is some background. We have a root account, from which we assume the admin role in other accounts. When I assume the admin role in the production account, I get an explicit deny error message when trying to view CloudTrail events.

I've been looking through all the policies that have the "Deny" effect on them anywhere, but nothing looks related. Also, the admin role I'm assuming is not linked to any policy other than the allow-all policy. And yet, I get the same explicit deny error message.

Any magic tool that I can use to understand where the explicit deny is coming from?

Tom Klino
    IAM policy and SCP policy are the two main places to look. I'm not sure there's a magic tool, other than AWS support if you pay for it. – Tim Nov 10 '19 at 18:09

1 Answer

4

Your best bet, if you think it's IAM denying you access, is to use the AWS Policy Simulator to figure it out.

https://policysim.aws.amazon.com/

Log in to the account that has the role you're assuming, then open the policy simulator. From the selector, choose the role you assume, and from services choose CloudTrail. Select a bunch of actions like viewing or reading logs, and then use the run/check button.

Usually Policy Simulator is good at pointing out which policy is blocking you. For roles with multiple policies attached you can usually also deselect policies one by one as a process of elimination.

More info here: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

Shogan
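An added example, not part of the question or answer above and not AWS code: an offline model of the part of the IAM evaluation logic that explains the symptom in the question. AWS documents that an explicit Deny in any applicable policy wins over every Allow, and that a role in an Organizations member account must also be allowed by the service control policies (SCPs) attached to that account or its OUs, while SCPs never apply to the management account. So an allow-all admin role can still get "explicit deny" in production if an SCP denies the action, and the same role used from the management account will not. The policy documents below are constructed sample data (the SCP name `RestrictAuditTrail` is hypothetical); conditions, NotAction/NotResource, permission boundaries, session policies and resource policies are deliberately not modelled.

```python
"""Offline model of where an IAM explicit deny comes from.

Added example, not code from the original page or from AWS. It models a
simplified subset of the documented IAM evaluation logic:
  - an explicit Deny in any applicable policy wins,
  - in a member account an SCP must also Allow the action,
  - otherwise the request is implicitly denied.
All policy documents here are constructed sample data.
"""
import fnmatch
import json
from typing import Dict, List, Tuple

# Constructed: the only policy attached to the assumed admin role (allow-all,
# as in the question).
ADMIN_ROLE_POLICIES: Dict[str, dict] = {
    "AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    }
}

# Constructed: SCPs in effect on the production account. FullAWSAccess is the
# default allow-all SCP; RestrictAuditTrail is a hypothetical SCP that denies
# reading CloudTrail, which is the kind of thing that never shows up in the
# account's own IAM policies.
PRODUCTION_SCPS: Dict[str, dict] = {
    "FullAWSAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "RestrictAuditTrail": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCloudTrailRead",
                "Effect": "Deny",
                "Action": ["cloudtrail:LookupEvents", "cloudtrail:Get*"],
                "Resource": "*",
            }
        ],
    },
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action and resource matching is case-insensitive with * and ? wildcards.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    if "Action" not in stmt or "Resource" not in stmt:
        return False  # NotAction / NotResource are out of scope for this model
    action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
    resource_hit = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies: Dict[str, dict], action: str, resource: str) -> Tuple[str, List[str]]:
    """Evaluate one policy set (identity policies or SCPs) for one request.

    Returns (decision, labels of the statements that produced it), where
    decision is 'ExplicitDeny', 'Allow' or 'ImplicitDeny'.
    """
    allows: List[str] = []
    denies: List[str] = []
    for name, doc in policies.items():
        for i, stmt in enumerate(_as_list(doc["Statement"])):
            if not _statement_applies(stmt, action, resource):
                continue
            sid = stmt.get("Sid") or f"Statement[{i}]"
            (denies if stmt["Effect"] == "Deny" else allows).append(f"{name}/{sid}")
    if denies:
        return "ExplicitDeny", denies
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []


def explain(identity_policies: Dict[str, dict], scps: Dict[str, dict],
            action: str, resource: str = "*", member_account: bool = True) -> dict:
    """Combine identity policies and SCPs and report what decided the outcome."""
    id_decision, id_hits = evaluate(identity_policies, action, resource)
    if member_account:
        scp_decision, scp_hits = evaluate(scps, action, resource)
    else:
        scp_decision, scp_hits = "Allow", []  # SCPs do not apply to the management account
    denied_by = (id_hits if id_decision == "ExplicitDeny" else []) + \
                (scp_hits if scp_decision == "ExplicitDeny" else [])
    if denied_by:
        decision = "ExplicitDeny"
    elif id_decision == "Allow" and scp_decision == "Allow":
        decision = "Allow"
    else:
        decision = "ImplicitDeny"
    return {"action": action, "decision": decision, "identity": id_decision,
            "scp": scp_decision, "denied_by": denied_by}


if __name__ == "__main__":
    for act in ("cloudtrail:LookupEvents", "cloudtrail:DescribeTrails", "s3:ListAllMyBuckets"):
        print(json.dumps(explain(ADMIN_ROLE_POLICIES, PRODUCTION_SCPS, act), indent=2))
```

Against the real accounts, the same two questions are answered by the AWS CLI: `aws iam simulate-principal-policy --policy-source-arn <role ARN> --action-names cloudtrail:LookupEvents` reports the decision and the matched statements for the role's own policies, and `aws organizations list-policies-for-target --target-id <account ID> --filter SERVICE_CONTROL_POLICY`, run from the management account, lists the SCPs attached directly to the production account (repeat it for each parent OU, since SCPs inherit down the tree). If the role's identity policies simulate as Allow but the live call is an explicit deny, an SCP is the first place to look.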