AWS Organizations SCP policies and member root accounts


I have an AWS organization with 2 member accounts, and applied an SCP at the root OU allowing all actions on all resources. However, I’m having an issue accessing IAM from the root account of one of the member accounts, receiving the error “no service control policy allows the iam:ListUsers action”. It seems that all IAM actions are blocked.

If I add an SCP to the account or management account specifically allowing all IAM actions on all resources, then it seems I am able to perform IAM actions from the member account root user.

So I am confused as to why I need to implicitly allow IAM actions when I have an SCP that allows all actions on all resources.

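Added illustration, not part of the question or any answer: a small Python model of the SCP evaluation rule that the symptom above hinges on. SCPs are evaluated at every level from the organization root down to the account, and an action is permitted only if some SCP at each of those levels allows it and none denies it; the root OU's policy alone is not enough. The policies and the narrow account-level SCP below are constructed assumptions, not the asker's real configuration; Resource and NotAction handling is omitted.

```python
from fnmatch import fnmatch

# Constructed SCPs for the illustration (not the asker's actual policies).
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Hypothetical narrower SCP assumed to sit on the member account itself.
EC2_S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
ALLOW_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def level_allows(scps, action):
    """One hierarchy level (root, OU or account) allows an action only if
    some attached SCP has a matching Allow and no SCP has a matching Deny."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            if any(fnmatch(action.lower(), p) for p in patterns):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(path, action):
    """path: list of SCP lists from the organization root down to the account.
    SCPs intersect across the path: every level must allow the action."""
    return all(level_allows(scps, action) for scps in path)


def evaluate_scenarios():
    # Root OU carries FullAWSAccess; the member account carries the narrow SCP.
    before = [[FULL_AWS_ACCESS], [EC2_S3_ONLY]]
    # Same hierarchy after an IAM-allowing SCP is attached to the member account.
    after = [[FULL_AWS_ACCESS], [EC2_S3_ONLY, ALLOW_IAM]]
    return {
        "iam_before": scp_permits(before, "iam:ListUsers"),
        "iam_after": scp_permits(after, "iam:ListUsers"),
        "ec2_before": scp_permits(before, "ec2:DescribeInstances"),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The member account's root user is subject to SCPs like any other principal in that account (only the management account is exempt), so an IAM call from it is denied whenever any level on the path lacks a matching Allow.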
