'AccessDeniedException' When Rekognition Is Blocked by IAM Permission Boundary
Why AdministratorAccess still fails when a permission boundary caps your role’s maximum permissions

Category: IAM & Permission Boundaries

Problem

Your application calls DetectLabels in Amazon Rekognition. The IAM role shows:

- AdministratorAccess attached
- Explicit rekognition:* permissions
- No Service Control Policy blocking the account

Yet the call fails with:

    AccessDeniedException: User is not authorized to perform: rekognition:DetectLabels

IAM looks correct. SCPs are not involved. Still denied.

Clarifying the Issue

An IAM permission boundary may be attached to the role. A permission boundary is not a normal policy. It defines the maximum permissions the role is allowed to receive. Even if the role has AdministratorAccess, the boundary acts as a ceiling. If the boundary doe...
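
The ceiling behaviour described above, modelled as an added example (not code from the original post): an action is allowed only when an identity policy and the permission boundary both allow it. The policy documents and the `allow` and `evaluate` helpers are constructed for illustration, and the evaluator is a simplification that ignores Resource, Condition, NotAction, SCPs and resource-based policies.

```python
import re

def allow(*actions):
    """Build a constructed single-statement Allow policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}

# Constructed sample policies (assumptions, not taken from a real account).
ADMIN = allow("*")                                 # what AdministratorAccess grants
REKOGNITION = allow("rekognition:*")               # the explicit service grant
BOUNDARY = allow("s3:*", "logs:*", "cloudwatch:*") # boundary that omits Rekognition

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if any(_matches(p, action) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            result = "Allow"
    return result

def evaluate(identity_policies, boundary, action):
    """Effective decision = identity policies intersected with the boundary."""
    identity = [_decision(p, action) for p in identity_policies]
    bound = _decision(boundary, action) if boundary else "Allow"  # no boundary, no ceiling
    if "Deny" in identity or bound == "Deny":
        return "explicit deny"
    if "Allow" not in identity:
        return "implicit deny (identity policy)"
    if bound != "Allow":
        return "implicit deny (permission boundary)"
    return "allow"

if __name__ == "__main__":
    for b in (None, BOUNDARY, allow("s3:*", "rekognition:DetectLabels")):
        print(evaluate([ADMIN, REKOGNITION], b, "rekognition:DetectLabels"))
```

The middle case is the one from the post: both identity policies allow the call, yet the result is a denial because the boundary never mentions Rekognition.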