"route53:ListHostedZones with an explicit deny" error in the AWS console despite having AmazonRoute53FullAccess permissions

Question

I'm trying to run this command in the AWS console:

aws route53 list-hosted-zones

I'm using my access key/secret and it worked fine in a demo account. I checked with my team and I have the AmazongRoute53FullAccess permissions:

Here's the full error message:

PS C:\Users...> aws route53 list-hosted-zones --no-paginate

An error occurred (AccessDenied) when calling the ListHostedZones operation: User: arn:aws:iam::362327418951:user/userName is not authorized to perform: route53:ListHostedZones with an explicit deny in an identity-based policy

Answer 1

Check the CC-MFA-USER policy.

Based on the names of the policies attached to your account, I suspect there's a policy that denies access unless authenticated using MFA.

AWS provides an example policy: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_mfa-selfmanage.html

In the example above, the last statement denies access unless you are authenticated using MFA:

{
    "Sid": "BlockMostAccessUnlessSignedInWithMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ListUsers",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

There's a few options for using MFA with the AWS CLI:

• https://stackoverflow.com/a/41965046/2454476 — this seems like the easiest option, but I haven't used it myself, and it may not be available on older versions of the CLI
• https://stackoverflow.com/a/34796136/2454476 — this should work with any version of the CLI, but there's a few extra steps involved.