I'm using an IAM user that has AdministratorAccess, AmazonS3FullAccess, and CloudFrontFullAccess attached, but I'm running into an Access Denied error while trying to create an invalidation for a CloudFront distribution. This happens whether I use the UI or CLI. Is there something I'm missing that could lead to this error, even with what should be full access?
4 Answers
Make sure to check if there's an explicit deny in any SCP or resource policy. Just a heads up, distributions might have their own policies too.
First off, check if your IAM user has any permission boundaries set up. Also, see if there are any Service Control Policies (SCPs) applied by your organization. These can sometimes restrict actions even when you have the right policies attached.
You could also try using *CloudFront:* in your permissions. If that doesn't work, then it's likely an org policy or something else that is blocking you.
I checked, and that permission is included in CloudFrontFullAccess. I'll have to speak with the account owner to see if they know of any issues on their end.
Take a look at the CloudTrail logs in us-east-1. Those logs often give a reason for the denied access, even if the messages can be a bit cryptic.
No boundaries on the user. I've contacted the org admin about SCPs, so hopefully, they can shed some light on this. Thanks!