Getting Access Denied When Trying to Create Invalidation in CloudFront

Asked By TechieNinja42 On

I'm using an IAM user that has AdministratorAccess, AmazonS3FullAccess, and CloudFrontFullAccess attached, but I'm running into an Access Denied error while trying to create an invalidation for a CloudFront distribution. This happens whether I use the UI or CLI. Is there something I'm missing that could lead to this error, even with what should be full access?

4 Answers

Answered By PolicyPro77 On

Make sure to check if there's an explicit deny in any SCP or resource policy. Just a heads up, distributions might have their own policies too.

Answered By CloudWizard88 On

First off, check if your IAM user has any permission boundaries set up. Also, see if there are any Service Control Policies (SCPs) applied by your organization. These can sometimes restrict actions even when you have the right policies attached.

TechieNinja42 -

No boundaries on the user. I've contacted the org admin about SCPs, so hopefully, they can shed some light on this. Thanks!

Answered By DevGuruX On

You could also try using *CloudFront:* in your permissions. If that doesn't work, then it's likely an org policy or something else that is blocking you.

TechieNinja42 -

I checked, and that permission is included in CloudFrontFullAccess. I'll have to speak with the account owner to see if they know of any issues on their end.

Answered By InfoSeeker99 On

Take a look at the CloudTrail logs in us-east-1. Those logs often give a reason for the denied access, even if the messages can be a bit cryptic.
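
An added example, not part of any answer above: a Python filter that pulls denied `CreateInvalidation` events out of CloudTrail JSON and reports whether the recorded message points at an explicit deny and which policy type it names (SCP, permissions boundary, identity-based policy). The sample events are constructed, and the message phrases are assumed to follow AWS's documented access-denied wording.

```python
import json

# Constructed CloudTrail records (not real log data); ARNs and IDs are placeholders.
USER = "arn:aws:iam::111122223333:user/example-user"
SAMPLE = json.dumps({"Records": [
    {"eventSource": "cloudfront.amazonaws.com", "eventName": "CreateInvalidation",
     "awsRegion": "us-east-1", "errorCode": "AccessDenied", "userIdentity": {"arn": USER},
     "errorMessage": "User: " + USER + " is not authorized to perform: "
                     "cloudfront:CreateInvalidation on resource: "
                     "arn:aws:cloudfront::111122223333:distribution/EXAMPLEID "
                     "with an explicit deny in a service control policy"},
    {"eventSource": "cloudfront.amazonaws.com", "eventName": "CreateInvalidation",
     "awsRegion": "us-east-1", "userIdentity": {"arn": USER}},  # succeeded, no errorCode
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "errorCode": "AccessDenied", "userIdentity": {"arn": USER},
     "errorMessage": "Access Denied"},  # different service, ignored
]})

# Policy-type phrases as they appear in AWS access-denied messages (assumed wording).
POLICY_TYPES = ["service control policy", "permissions boundary", "session policy",
                "resource-based policy", "identity-based policy"]

def classify(message):
    """Return (deny_kind, policy_type) parsed from an access-denied errorMessage."""
    msg = message.lower()
    deny = ("explicit" if "explicit deny" in msg
            else "implicit" if "because no " in msg else "unspecified")
    policy = next((p for p in POLICY_TYPES if p in msg), "unspecified")
    return deny, policy

def denied_invalidations(cloudtrail_json):
    """List denied CloudFront CreateInvalidation calls with the reason CloudTrail recorded."""
    findings = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "cloudfront.amazonaws.com":
            continue
        # Prefix match: tolerates an API-version suffix on the event name (assumption).
        if not rec.get("eventName", "").startswith("CreateInvalidation"):
            continue
        if "AccessDenied" not in rec.get("errorCode", ""):
            continue
        deny, policy = classify(rec.get("errorMessage", ""))
        findings.append({"principal": rec.get("userIdentity", {}).get("arn"),
                         "deny": deny, "policy": policy})
    return findings

if __name__ == "__main__":
    for finding in denied_invalidations(SAMPLE):
        print(finding)
```

An "explicit" result naming a service control policy means no identity policy on the user can override it; an "implicit" result naming an identity-based policy means no attached policy grants the action.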
