"route53:ListHostedZones with an explicit deny" error in the AWS console despite having AmazonRoute53FullAccess permissions

ernest

12/7/23, 10:52 PM

I'm trying to run this command in the AWS console:

aws route53 list-hosted-zones

I'm using my access key/secret and it worked fine in a demo account. I checked with my team and I have the AmazongRoute53FullAccess permissions:

Here's the full error message:

PS C:\Users...> aws route53 list-hosted-zones --no-paginate

An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::362327418951:user/userName is not authorized to perform: route53:ListHostedZones with an explicit deny in an identity-based policy

397

1 + 3

amazon-web-services

aws-cli

bennettp123

12/8/23, 12:17 PM

Check the CC-MFA-USER policy. My AWS account has one with a similar name attached to all IAM Users. It's based on [this example](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html)—it allows users to self-manage their MFA settings, but everything else is explicitly denied until you log in using multi-factor auth. There's a few different methods to use MFA with the AWS CLI, but these look the most promising: [option one](https://stackoverflow.com/a/41965046/2454476), [option two](https://stackoverflow.com/a/34796136/2454476)

ernest

12/8/23, 9:13 PM

@bennettp123 yup. that was it. thanks so much for the help. please submit the answer so I can accept it. Thanks again.

bennettp123

12/9/23, 4:31 AM

Sure thing, thanks @ernest!

Score:1

Server

bennettp123

12/9/23, 4:31 AM

Check the CC-MFA-USER policy.

Based on the names of the policies attached to your account, I suspect there's a policy that denies access unless authenticated using MFA.

AWS provides an example policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

In the example above, the last statement denies access unless you are authenticated using MFA:

{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

There's a few options for using MFA with the AWS CLI:

https://stackoverflow.com/a/41965046/2454476 — this seems like the easiest option, but I haven't used it myself, and it may not be available on older versions of the CLI
https://stackoverflow.com/a/34796136/2454476 — this should work with any version of the CLI, but there's a few extra steps involved.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: "route53:ListHostedZones with an explicit deny" error in the AWS console despite having AmazonRoute53FullAccess permissions

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.