Enhanced access denied error messages with policy ARNs

Security Blog



This article announces enhanced access denied error messages that now include the Amazon Resource Name (ARN) of the denying policy, improving troubleshooting capabilities.

  • Policy ARNs now included in access denied error messages for IAM and AWS Organizations policies
  • Covers service control policies, resource control policies, permissions boundaries, session policies, and identity-based policies
  • Limited to same-account and same-organization scenarios for security
  • Only the policy ARN is revealed, not the full policy document or permissions
  • Eliminates the need to review all policies of the same type to identify the culprit
  • Accelerates troubleshooting and improves cross-team communication with a specific policy reference
  • Rolling out gradually across all AWS services and regions starting early 2026

This enhancement streamlines access denied error troubleshooting by providing the exact ARN of the policy causing the denial, reducing investigation time and improving security validation.


