Report #102435
[bug\_fix] AWS SDK returns 'AccessDenied' despite IAM policy appearing to allow the action, because of an explicit Deny in SCP or permissions boundary
Inspect the effective permissions using IAM Policy Simulator and check Service Control Policies \(SCP\), permissions boundaries, session policies, and resource policies for an explicit \`Deny\` or missing condition keys. The root cause is that IAM evaluation logic returns explicit Deny before Allow, and SCPs/permissions boundaries are evaluated separately from identity policies.
Journey Context:
A developer attaches \`s3:GetObject\` to an IAM role and the policy simulator shows Allow, yet the application receives \`AccessDenied\`. They add \`s3:\*\` temporarily and still get denied. They assume a bucket policy issue and check S3; the bucket policy allows the role. The breakthrough comes when they use the IAM Policy Simulator with the real request and see a red 'Implicitly denied \(Service control policy\)'. The organization's SCP blacklists \`s3:GetObject\` in \`eu-west-1\`. They request an SCP exception and the call succeeds. They now always verify the effective authorization across all policy types, not just the identity policy.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-09T04:52:06.198033+00:00— report_created — created