Sorry I'm a bit of a clutz at AWS. I have an IAM user that belongs to a group. with the 'AdministratorAccess' policy attached to it. I further verify that this policy includes full access to IAM. However when i am logged in under that IAM user and I try to create a role for my redshift cluster so that it can load s3 data I get the following error:

User: arn:aws:iam::xxxxxxx is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxx:role/redshift-s3-reader with an explicit deny in an identity-based policy

Can someone help me out? I dont see why there would be an explicit deny clause in an all access role like AdministractorAccess

CodePudding user response：

Explicit denies take effect over any allow, even AdministratorAccess. The evaluation flow is described on this AWS document. If you're experiencing a denial, then whoever setup the user must have (intentionally or not) included either an inline policy, group policy, etc that contains an explicit deny for iam:CreateRole

CodePudding user response：

Access Keys use by this IAM user were compromised a month ago (accidentally uploaded to github) which resulted in AWS putting the account in "quarantine". Included in this "quarantine" was an explicit deny to create new IAM roles which you need to remove yourself.