AccessDeniedException When Calling `PutEventSelectors` in AWS ECS
Issue
When attempting to run a task in Amazon ECS that interacts with AWS CloudTrail, the following error appears in the ECS event logs:
"botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the PutEventSelectors operation:
User: arn:aws:sts::<account_id>:assumed-role/<role_name>/<session_name> is not authorized to perform: cloudtrail:PutEventSelectors
on resource: arn:aws:cloudtrail:<region>:<account_id>:trail/<trail_name>
with an explicit deny in a service control policy"
Root Cause
This error occurs when the IAM role used by your ECS task is explicitly denied permission to use the cloudtrail:PutEventSelectors action. This restriction is enforced by a Service Control Policy (SCP) applied to the AWS account or organizational unit (OU).
How to Resolve
- Check SCPs in AWS Organizations:
  - Go to the AWS Organizations console.
  - Navigate to Policies > Service control policies.
  - Locate the SCP attached to the affected AWS account or OU.
  - Look for a statement that explicitly denies cloudtrail:PutEventSelectors.
- Update the SCP:
  - Remove or modify the explicit deny related to cloudtrail:PutEventSelectors. Example of a restrictive policy statement that needs updating:

    {
      "Effect": "Deny",
      "Action": "cloudtrail:PutEventSelectors",
      "Resource": "*"
    }

  - Ensure the necessary permissions are included in the allow policy instead.
- Review IAM Role Permissions:
  - Go to IAM > Roles.
  - Locate the role used by your ECS task (e.g., AmazonECSTaskExecutionRole); the role name appears in the assumed-role ARN quoted in the error message.
  - Ensure it has an inline or attached policy allowing:

    {
      "Effect": "Allow",
      "Action": "cloudtrail:PutEventSelectors",
      "Resource": "*"
    }
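To pinpoint which SCP statement produces the deny before editing anything, the following added Python example (not part of the original article and not an AWS tool) evaluates a policy document offline against the action and trail ARN taken from the error message; it honours Action/NotAction and Resource/NotResource with IAM-style wildcards, and the SCP it loads is a constructed sample.

```python
import fnmatch
import json

# Constructed sample SCP shaped like the restrictive statement shown above;
# not a real policy from any account.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ProtectTrails", "Effect": "Deny",
         "Action": ["cloudtrail:PutEventSelectors", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match ('*' and '?'); actions are case-insensitive, ARNs are not."""
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def explicit_denies(policy_json, action, resource_arn):
    """Return the Sid (or index) of every Deny statement that covers `action` on
    `resource_arn`. Statements with a Condition block are still reported because
    the condition is not evaluated here; treat them as candidates to inspect."""
    doc = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(_as_list(stmt["Action"]), action, False)
        else:
            action_hit = not _matches(_as_list(stmt.get("NotAction")), action, False)
        if "Resource" in stmt:
            res_hit = _matches(_as_list(stmt["Resource"]), resource_arn, True)
        else:
            res_hit = not _matches(_as_list(stmt.get("NotResource")), resource_arn, True)
        if action_hit and res_hit:
            hits.append(stmt.get("Sid", f"Statement[{idx}]"))
    return hits
```

Run it against each SCP attached to the account and its parent OUs (pulled with `aws organizations describe-policy`), since any one of them can carry the deny.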
Additional Tips
- Service Control Policies bound what IAM permissions can grant. Even if an IAM role has the correct permissions, an explicit deny in an SCP takes precedence.
- SCPs must be carefully scoped to avoid unintentionally blocking critical operations.
Need Help?
If you're unsure how to modify your SCPs or IAM roles, contact your AWS administrator or reach out to our support team for guidance.