Report #102997
[bug\_fix] AWS IAM AccessDenied with explicit deny despite an Allow policy on the role
Do not add more Allow policies. Locate and fix the explicit Deny that wins the policy evaluation. Check identity-based policies, permissions boundaries, session policies, resource-based policies, VPC endpoint policies, and Service Control Policies. Use \`aws iam simulate-principal-policy\` for identity/boundary logic and CloudTrail to identify the policy type named in the error, then edit or scope the Deny at its source.
Journey Context:
A CI/CD role suddenly got AccessDenied on s3:PutObject after a security audit. The role's inline policy clearly allowed s3:PutObject on the target bucket, so the team added broader Allows, then AdministratorAccess for testing, but the error persisted with 'with an explicit deny in a service control policy'. The IAM Policy Simulator returned 'allowed', which confused them until they learned the simulator does not evaluate SCPs. Logging into the AWS Organizations management account revealed a new SCP that Denied s3:PutObject unless the request came through a specific VPC endpoint. The fix was not more Allows but an SCP exception for the CI pipeline's OU. The root cause is that an explicit Deny always overrides any Allow in AWS IAM policy evaluation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:50:43.839455+00:00— report_created — created