AWS introduces additional policy details to access denied error messages
News
This article announces that AWS now includes policy ARNs in access denied error messages for IAM and AWS Organizations policies.
- Policy ARNs now displayed in access denied errors for same account and organization scenarios
- Helps quickly identify which specific policy caused the denied access
- Supports SCPs, RCPs, identity-based policies, session policies, and permission boundaries
- Eliminates need to guess among multiple policies of the same type
- Rolling out gradually across AWS services and regions
This enhancement simplifies troubleshooting access denied errors by providing direct policy identification instead of just policy type information.
The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.
Related articles
Jan 22
2026
2026
AWS expands Resource Control Policies support for Cognito and CloudWatch Logs
Mar 4
2026
2026
Enhanced access denied error messages with policy ARNs
Feb 12
2026
2026
AWS expands Resource Control Policies support to Amazon DynamoDB
Jun 16
2025
2025
Amazon S3 extends additional context for HTTP 403 Access Denied error messages to AWS Organizations
The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.