Report #101051
[bug\_fix] AWS IAM AccessDenied: User/role is not authorized to perform an action on a resource because no identity-based/policy allows it, or due to an explicit deny in an SCP/permissions boundary/session policy.
Identify the policy type named in the error and add the missing Allow or remove the Deny. Check identity-based policies, resource-based policies, role trust policies, service control policies \(SCPs\), permissions boundaries, VPC endpoint policies, and session policies. Use the IAM Policy Simulator or \`aws iam simulate-principal-policy\` to find the blocker. For cross-account access the resource-based policy must explicitly allow the assumed role.
Journey Context:
A Lambda function assumes a cross-account role and then calls DynamoDB, but it fails with \`AccessDenied: ... is not authorized to perform: dynamodb:Query\`. The IAM role in the target account appears to allow \`dynamodb:\*\`, but the assumed-role session has a permissions boundary attached that does not include DynamoDB. In another case an organization SCP denies \`ec2:RunInstances\` for the OU. The error message's context clause \('because no permissions boundary allows...' or 'with an explicit deny in a service control policy'\) is the key. Updating the boundary or SCP allows the request because AWS authorization requires an Allow from every applicable policy type and gives precedence to any explicit Deny.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T04:53:51.929284+00:00— report_created — created