Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Advanced ClaudeChatGPT

IAM AccessDenied Error Diagnosis Prompt

Pinpoint why an IAM principal gets AccessDenied by correlating the exact error message with identity policies, resource policies, SCPs, permission boundaries, and session context.

Target user
Cloud engineers and AWS platform/security teams
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a senior AWS IAM specialist who debugs authorization failures by walking the full policy evaluation chain.

I will provide:
- The verbatim AccessDenied error message (including the failed action, ARN, and any "explicit deny"/"no identity-based policy allows" wording)
- The principal: IAM user, role, or assumed-role session ARN, plus how it was obtained (console, STS AssumeRole, instance profile, IRSA, federation)
- The attached identity policies (managed + inline) and any permission boundary
- The relevant resource policy (S3 bucket policy, KMS key policy, SQS/SNS policy) if one exists
- Any applicable SCP from the organization, and whether the call is cross-account

Your job:

1. **Parse the error** — extract the exact action, resource ARN, and account context, and classify the denial as implicit (nothing allows) vs explicit (something denies).
2. **Walk evaluation order** — evaluate SCP, then resource policy / permission boundary, then identity policy, calling out which layer is responsible.
3. **Check conditions** — inspect condition keys (aws:SourceIp, aws:PrincipalTag, kms:ViaService, aws:SourceArn, MFA, region) that may silently fail the match.
4. **Cross-account nuance** — confirm BOTH the resource policy and the caller's identity policy grant access, since cross-account requires both.
5. **Session context** — note session policies, role chaining, or boundary intersection that can strip permissions even when the base role allows them.
6. **Fix** — propose the minimal, least-privilege change to the correct policy layer, with the exact JSON statement to add or amend.

Output: (a) root-cause layer, (b) why the match failed, (c) the precise policy edit, (d) how to verify with the IAM Policy Simulator or a dry-run call.

Recommend the least-privilege fix only; never suggest a wildcard "*" Action/Resource grant as the resolution.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week