Cluster installation failed with error code OCM3051: AWSDeniedBySCP
Environment
- Red Hat OpenShift Service on AWS (ROSA 4)
Issue
- Cluster installation failed with error code OCM3051: AWSDeniedBySCP
- Following error message was observed in the install logs:
time="2022-10-20T15:19:45Z" level=error msg="Error: Error creating IAM instance profile sygnum-tst-wd8gg-worker-profile: AccessDenied: User: arn:aws:sts::711424530681:assumed-role/ManagedOpenShift-Installer-Role/1666278959971054497 is not authorized to perform: iam:CreateInstanceProfile on resource: arn:aws:iam::711424530681:instance-profile/sygnum-tst-wd8gg-worker-profile with an explicit deny in a service control policy"
Resolution
Your cluster's installation is blocked by a Service Control Policy (SCP) that is too restrictive for the installer to do its work. Review the cluster's installation logs for the specific API action that was denied: it can be any action (for example iam:CreateInstanceProfile as in the log above, ec2:RunInstances, etc.), depending on the deny statement in the SCP. Note that the denied principal in the log is the assumed ROSA installer role (ManagedOpenShift-Installer-Role), so that role is the one the SCP must let through.
The following explains how the evaluation works and how the block can be removed.
In order for an IAM entity (role or user) to make a successful API call, the request must meet both of the following conditions:
1. Some identity-based (or resource-based) policy explicitly allows the action on the resource.
2. No policy that applies to the request explicitly denies it. SCPs, permissions boundaries, session policies and identity-based policies are all evaluated, and an explicit Deny in any of them overrides every Allow.
If either condition is not met, the API call fails with an AccessDenied error. The message in the log above ends with "with an explicit deny in a service control policy", which tells you that the second condition failed and which policy type caused it.
A service control policy (SCP) is an AWS Organizations policy that sets the maximum permissions available to the accounts it is attached to; it never grants permissions on its own, so a Deny in an SCP cannot be overridden by an Allow in the installer role's IAM policies. The following example shows a deny statement in an SCP attached to a member account or to a particular organizational unit (OU). It explicitly denies the "ec2:RunInstances" action for every principal in the affected accounts (the original was missing the comma after "Action"):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        }
    ]
}
To resolve an explicit deny error, take ONE of these actions:
1. Detach the SCP from the account or OU, or remove the offending deny statement from it.
2. Modify the deny statement by adding a condition that exempts the principals that need the action. For example, the following SCP does NOT deny ec2:RunInstances when the caller is the role CloudOps. The aws:PrincipalArn key carries the role's IAM ARN even when the role is used through an assumed-role session (arn:aws:sts::...:assumed-role/...), so the pattern matches the role, not the session. For the ROSA case in the log above, the role to exempt is ManagedOpenShift-Installer-Role in place of CloudOps:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/CloudOps"
                }
            }
        }
    ]
}
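The following script is an added example, not Red Hat's or AWS's code, that ties the two parts of this article together: it pulls the denied principal, action and resource out of an install-log AccessDenied line like the one in the Issue section, maps the assumed-role session ARN to the role ARN that aws:PrincipalArn actually carries, and then checks which Deny statements of a candidate SCP still match, before and after adding the ArnNotLike exemption. The log line, account ID (111122223333), cluster name and both SCPs are constructed samples, and the ManagedOpenShift-* wildcard used in the exemption is an assumption about ROSA's role naming. The evaluator deliberately supports only Deny statements with Action, Resource and an ArnLike/ArnNotLike condition on aws:PrincipalArn and raises on anything else, so it cannot silently give a wrong answer for policy features it does not model.

```python
import fnmatch
import re

# Constructed sample, modelled on the install-log line quoted in the article.
# Account ID and cluster name are placeholders; the role is ROSA's installer role.
INSTALL_LOG_LINE = (
    'time="2022-10-20T15:19:45Z" level=error msg="Error: Error creating IAM '
    'instance profile mycluster-abcde-worker-profile: AccessDenied: User: '
    'arn:aws:sts::111122223333:assumed-role/ManagedOpenShift-Installer-Role/'
    '1666278959971054497 is not authorized to perform: iam:CreateInstanceProfile '
    'on resource: arn:aws:iam::111122223333:instance-profile/'
    'mycluster-abcde-worker-profile with an explicit deny in a service control policy"'
)

# Constructed SCP that blocks the install. Only the second statement matches
# the logged call; the first is unrelated and must not be reported.
RESTRICTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyRunInstances", "Effect": "Deny",
         "Action": "ec2:RunInstances", "Resource": "*"},
        {"Sid": "DenyInstanceProfiles", "Effect": "Deny",
         "Action": ["iam:CreateInstanceProfile", "iam:DeleteInstanceProfile"],
         "Resource": "*"},
    ],
}

# The same SCP with the article's fix: the denies no longer apply to ROSA roles.
# The ManagedOpenShift-* wildcard is an assumption about the role naming.
EXEMPTED_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        dict(stmt, Condition={"ArnNotLike": {
            "aws:PrincipalArn": "arn:aws:iam::*:role/ManagedOpenShift-*"}})
        for stmt in RESTRICTIVE_SCP["Statement"]
    ],
}

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+) with an explicit deny in a service control policy"
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def parse_scp_denial(line):
    """Extract principal, action and resource from an SCP AccessDenied message."""
    match = DENIED_RE.search(line)
    return match.groupdict() if match else None


def principal_arn_for_condition(arn):
    """aws:PrincipalArn holds the role ARN, not the assumed-role session ARN that
    the error prints, so map sts:assumed-role/<role>/<session> to the role."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def arn_like(pattern, arn):
    """ArnLike semantics: the six colon-separated parts are matched separately,
    case-sensitively, with * and ? wildcards confined to their own part."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == 6 and len(a) == 6 and all(
        fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def statement_denies(stmt, action, resource, principal_arn):
    """True if this Deny statement matches the request."""
    if stmt.get("Effect") != "Deny":
        return False
    if "NotAction" in stmt or "NotResource" in stmt:
        raise ValueError("NotAction/NotResource not supported by this evaluator")
    # Action names are case-insensitive; a Resource of "*" matches everything.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt["Action"])):
        return False
    if not any(r == "*" or arn_like(r, resource)
               for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            if operator not in ("ArnLike", "ArnNotLike") or key.lower() != "aws:principalarn":
                raise ValueError(f"unsupported condition {operator} {key}")
            matched = any(arn_like(p, principal_arn) for p in _as_list(patterns))
            if matched != (operator == "ArnLike"):
                return False  # condition not satisfied, statement does not apply
    return True


def blocking_statements(log_line, scp):
    """Sids (or indexes) of SCP statements that explicitly deny the logged call."""
    denial = parse_scp_denial(log_line)
    if denial is None:
        return []
    principal = principal_arn_for_condition(denial["principal"])
    return [stmt.get("Sid", str(i)) for i, stmt in enumerate(scp["Statement"])
            if statement_denies(stmt, denial["action"], denial["resource"], principal)]


if __name__ == "__main__":
    for name, scp in (("restrictive", RESTRICTIVE_SCP), ("exempted", EXEMPTED_SCP)):
        print(f"{name}: blocked by {blocking_statements(INSTALL_LOG_LINE, scp)}")
```

Run it as-is to see the restrictive SCP report DenyInstanceProfiles and the exempted one report nothing; to check your own SCP, paste the JSON from `aws organizations describe-policy` in place of RESTRICTIVE_SCP and the real log line in place of INSTALL_LOG_LINE. An empty result from this script only means the SCP no longer explicitly denies that one call; the installer still needs the Allow from the ManagedOpenShift role policies, and other denied actions later in the log must be checked the same way.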
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.