Score:0

"route53:ListHostedZones with an explicit deny" error in the AWS console despite having AmazonRoute53FullAccess permissions


I'm trying to run this command in the AWS console:

aws route53 list-hosted-zones

I'm using my access key/secret and it worked fine in a demo account. I checked with my team and I have the AmazonRoute53FullAccess permissions:

[screenshot of the IAM policies attached to the user]

Here's the full error message:

PS C:\Users...> aws route53 list-hosted-zones --no-paginate

An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::362327418951:user/userName is not authorized to perform: route53:ListHostedZones with an explicit deny in an identity-based policy

bennettp123: Check the CC-MFA-USER policy. My AWS account has one with a similar name attached to all IAM Users. It's based on [this example](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html)—it allows users to self-manage their MFA settings, but everything else is explicitly denied until you log in using multi-factor auth. There are a few different methods to use MFA with the AWS CLI, but these look the most promising: [option one](https://stackoverflow.com/a/41965046/2454476), [option two](https://stackoverflow.com/a/34796136/2454476)
ernest: @bennettp123 Yup, that was it. Thanks so much for the help. Please submit the answer so I can accept it. Thanks again.
bennettp123: Sure thing, thanks @ernest!
Score:1

Check the CC-MFA-USER policy.

Based on the names of the policies attached to your account, I suspect there's a policy that denies access unless authenticated using MFA.

AWS provides an example policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

In the example above, the last statement denies access unless you are authenticated using MFA:

{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

There are a few options for using MFA with the AWS CLI:
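To make the evaluation logic behind this error concrete, here is an added illustration (not code from the answer, from AWS, or from the example policy page) that reimplements just enough of the IAM policy evaluation rules to reproduce the outcome: an explicit Deny wins over any Allow, `NotAction` applies a statement to every action not listed, and `BoolIfExists` treats a missing `aws:MultiFactorAuthPresent` key as satisfying the condition. Long-term access-key credentials do not carry that key at all, which is exactly why the answer's statement uses `BoolIfExists` rather than `Bool`. The `AllowRoute53` and `AllowListOwnMFA` statements are constructed stand-ins for the allows that AmazonRoute53FullAccess and the self-manage example grant; resource matching is skipped because every statement here uses `"Resource": "*"`.

```python
"""Minimal IAM-style evaluator for the MFA deny statement quoted above.

Added example; it models only explicit-deny precedence, Action/NotAction
matching and the BoolIfExists condition operator. It does not model
resource ARNs, SCPs, permission boundaries or resource-based policies.
"""
import fnmatch

# Constructed stand-in for the Allow that AmazonRoute53FullAccess provides.
ROUTE53_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowRoute53", "Effect": "Allow", "Action": "route53:*", "Resource": "*"},
]}

# The answer's deny statement, plus a constructed Allow so that the
# self-service MFA actions carved out by NotAction have something to allow them.
MFA_SELF_MANAGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowListOwnMFA", "Effect": "Allow",
     "Action": ["iam:ListMFADevices", "iam:ListVirtualMFADevices"], "Resource": "*"},
    {
        "Sid": "BlockMostAccessUnlessSignedInWithMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:ListMFADevices",
            "iam:ListUsers",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
        ],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    },
]}

POLICIES = [ROUTE53_FULL_ACCESS, MFA_SELF_MANAGE]

# Constructed request contexts. Long-term access keys carry no MFA key at all;
# STS session credentials carry it as "true" or "false".
CONTEXT_ACCESS_KEY = {}
CONTEXT_SESSION_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
CONTEXT_SESSION_MFA = {"aws:MultiFactorAuthPresent": "true"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, action):
    # IAM action names are matched case-insensitively and support * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def action_matches(statement, action):
    """Does this statement apply to `action`? NotAction inverts the list."""
    if "Action" in statement:
        return _any_match(statement["Action"], action)
    return not _any_match(statement["NotAction"], action)


def condition_matches(statement, context):
    """Only BoolIfExists is modelled: a missing key counts as a match."""
    for operator, pairs in statement.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                continue  # ...IfExists: absent key satisfies the condition
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, context):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not (action_matches(statement, action) and condition_matches(statement, context)):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"  # any matching Deny ends evaluation
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for label, ctx in [("access key", CONTEXT_ACCESS_KEY),
                       ("session without MFA", CONTEXT_SESSION_NO_MFA),
                       ("session with MFA", CONTEXT_SESSION_MFA)]:
        print(f"{label:20s} route53:ListHostedZones -> {evaluate(POLICIES, 'route53:ListHostedZones', ctx)}")
    print(f"{'access key':20s} iam:ListMFADevices      -> {evaluate(POLICIES, 'iam:ListMFADevices', CONTEXT_ACCESS_KEY)}")
```

The plain access key is denied because the MFA key is absent and `BoolIfExists` therefore matches; only a context where `aws:MultiFactorAuthPresent` is `true` reaches the Allow. In practice that context comes from temporary credentials obtained with `aws sts get-session-token --serial-number <your-mfa-device-arn> --token-code <code>`, which is what the linked CLI options automate.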
