Reputation: 13
I am trying to use push notification on the AWS Mobile APP for some alarms set up but receive this error message:
"Operation could not be performed
User: arn:aws:sts::AAAAAAA:assumed-role/AWSReservedSSO_AWSAdministratorAccess_BBBBBB/CCCCCC is not authorized to perform: notifications:CreateNotificationConfiguration on resource: arn:aws:notifications:us-east-1:AAAAAAA:configuration/* with an explicit deny"
With AAAAAAA being the AWS account targeted | BBBBBB being the Admin Access ID | CCCCCC being the Admin email address.
The user CCCCCC (i.e. me) has full admin access. It has the AWS policy AdministratorAccess attached, which is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
Our AWS environment was set up by a third party using AWS Control Tower and AWS Organizations.
I have checked the following:
The closest thing I found is that when in the AWS Mobile APP and selecting "notifications", it does not let you choose a region; however, the error message implies I'm trying to access a resource in us-east-1, whereas my environment is in ap-southeast-2, and one of the enabled AWS Control Tower controls is "[AWS-GR_REGION_DENY] Deny access to AWS based on the requested AWS Region".
SCP details:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": [
                        "ap-southeast-2"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/AWSControlTowerExecution"
                    ]
                }
            },
            "Resource": "*",
            "Effect": "Deny",
            "NotAction": [
                "a4b:*",
                "access-analyzer:*",
                "account:*",
                "acm:*",
                "activate:*",
                "artifact:*",
                "aws-marketplace-management:*",
                "aws-marketplace:*",
                "aws-portal:*",
                "billing:*",
                "billingconductor:*",
                "budgets:*",
                "ce:*",
                "chatbot:*",
                "chime:*",
                "cloudfront:*",
                "cloudtrail:LookupEvents",
                "compute-optimizer:*",
                "config:*",
                "consoleapp:*",
                "consolidatedbilling:*",
                "cur:*",
                "datapipeline:GetAccountLimits",
                "devicefarm:*",
                "directconnect:*",
                "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeVpnGateways",
                "ecr-public:*",
                "fms:*",
                "freetier:*",
                "globalaccelerator:*",
                "health:*",
                "iam:*",
                "importexport:*",
                "invoicing:*",
                "iq:*",
                "kms:*",
                "license-manager:ListReceivedLicenses",
                "lightsail:Get*",
                "mobileanalytics:*",
                "networkmanager:*",
                "notifications-contacts:*",
                "notifications:*",
                "organizations:*",
                "payments:*",
                "pricing:*",
                "quicksight:DescribeAccountSubscription",
                "resource-explorer-2:*",
                "route53-recovery-cluster:*",
                "route53-recovery-control-config:*",
                "route53-recovery-readiness:*",
                "route53:*",
                "route53domains:*",
                "s3:CreateMultiRegionAccessPoint",
                "s3:DeleteMultiRegionAccessPoint",
                "s3:DescribeMultiRegionAccessPointOperation",
                "s3:GetAccountPublicAccessBlock",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicyStatus",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetMultiRegionAccessPoint",
                "s3:GetMultiRegionAccessPointPolicy",
                "s3:GetMultiRegionAccessPointPolicyStatus",
                "s3:GetStorageLensConfiguration",
                "s3:GetStorageLensDashboard",
                "s3:ListAllMyBuckets",
                "s3:ListMultiRegionAccessPoints",
                "s3:ListStorageLensConfigurations",
                "s3:PutAccountPublicAccessBlock",
                "s3:PutMultiRegionAccessPointPolicy",
                "savingsplans:*",
                "shield:*",
                "sso:*",
                "sts:*",
                "support:*",
                "supportapp:*",
                "supportplans:*",
                "sustainability:*",
                "tag:GetResources",
                "tax:*",
                "trustedadvisor:*",
                "vendor-insights:ListEntitledSecurityProfiles",
                "waf-regional:*",
                "waf:*",
                "wafv2:*"
            ],
            "Sid": "GRREGIONDENY"
        }
    ]
}
I am running out of ideas and have not been able to find the solution yet, despite googling this issue, reading the AWS documentation, etc.
Any help would be appreciated. Thanks!
Upvotes: 0
Views: 31
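When an SCP is suspected of producing an explicit deny, it helps to evaluate the Deny statement offline against the exact request context from the error (action, resource ARN, aws:RequestedRegion, aws:PrincipalARN) before changing anything. The following is an added example, not code from the question or from AWS: a small evaluator for the GRREGIONDENY statement shown above. It reproduces the statement's structure (the NotAction list is trimmed to a few entries, including notifications:*, to keep the block short), and the account id and SSO role name are placeholders. Only the two condition operators the statement actually uses are implemented.

```python
"""Offline check: does an SCP Deny statement match a given request context?

Added example; the SCP below is a constructed, shortened copy of the
GRREGIONDENY statement from the question. Placeholders: account id
111111111111 and the SSO role name suffix.
"""
import fnmatch

GR_REGION_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRREGIONDENY",
            "Effect": "Deny",
            # Trimmed NotAction list: the real SCP exempts many more global services.
            "NotAction": ["iam:*", "notifications:*", "s3:ListAllMyBuckets", "sts:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]},
                "ArnNotLike": {
                    "aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]
                },
            },
        }
    ],
}


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive in IAM; ARNs are not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_matches(condition, ctx):
    """All operators and keys in a Condition block must hold (logical AND).
    Negated operators evaluate to true when the context key is absent."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            actual = ctx.get(key)
            if actual is None:
                continue
            pats = _as_list(patterns)
            if operator == "StringNotEquals":
                if actual in pats:
                    return False
            elif operator == "ArnNotLike":
                if any(_glob(p, actual) for p in pats):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not handled in this example")
    return True


def _covers_action(stmt, action):
    """Action: any pattern must match. NotAction: no pattern may match."""
    if "Action" in stmt:
        return any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
    return not any(_glob(p, action, True) for p in _as_list(stmt["NotAction"]))


def _covers_resource(stmt, resource):
    if "Resource" in stmt:
        return any(_glob(p, resource) for p in _as_list(stmt["Resource"]))
    return not any(_glob(p, resource) for p in _as_list(stmt["NotResource"]))


def explicit_denies(policy, action, resource, ctx):
    """Return the Sids of every Deny statement in `policy` that matches the request."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _covers_action(stmt, action):
            continue
        if not _covers_resource(stmt, resource):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Request context reconstructed from the error message in the question (placeholders).
REQUEST = {
    "action": "notifications:CreateNotificationConfiguration",
    "resource": "arn:aws:notifications:us-east-1:111111111111:configuration/*",
    "ctx": {
        "aws:RequestedRegion": "us-east-1",
        "aws:PrincipalARN": "arn:aws:iam::111111111111:role/AWSReservedSSO_AWSAdministratorAccess_PLACEHOLDER",
    },
}

if __name__ == "__main__":
    print("matching Deny statements:", explicit_denies(GR_REGION_DENY, REQUEST["action"], REQUEST["resource"], REQUEST["ctx"]))
```

Running it with the request from the error message returns an empty list: notifications:* sits in the statement's NotAction, so this particular statement does not cover the action, while a regional call such as ec2:RunInstances in us-east-1 from the same principal is matched. That narrows the investigation to whatever other policy carries the explicit deny; the SCPs actually attached to the account can be pulled with `aws organizations list-policies-for-target --target-id <account-id> --filter SERVICE_CONTROL_POLICY` from the management account and each one run through the same check.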