
IAM user not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny

I am trying to create a Firehose delivery stream from an EC2 micro instance.

AWS CLI is configured with the access keys of an IAM user ABC. This user has AWS policies attached with full access to firehose (policy copied below).

Still the stream creation fails with the error AccessDeniedException: iam user ABC not authorized to perform: firehose:CreateDeliveryStream on resource xxxx with an explicit deny

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "firehose:*",
                "firehose:CreateDeliveryStream"
            ],
            "Resource": [
                "arn:aws:firehose:us-east-1:<ACC_ID>:deliverystream/*",
                "arn:aws:firehose:us-east-1:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:*",
                "arn:aws:firehose:*:<ACC_ID>:deliverystream/*"
            ]
        }
    ]
}

Do I need to add more permissions to this IAM user to allow it to create delivery streams?

Paladin asked Sep 11 '25 03:09


1 Answer

I cross-checked all other policies attached to this user and apparently there was a Deny policy attached to this user which was explicitly denying the access. Removed this policy and it worked!

Paladin answered Sep 13 '25 16:09
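The check described in the answer, as an added example that is not part of the original post: a simplified evaluator that takes every policy document that applies to a user (managed, inline and group policies, already fetched) and reports which one produces an explicit deny for a given action and resource. The policy names, the Deny statement, the account id and the stream name are constructed for illustration.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _applies(stmt, action, resource):
    # Simplified: NotAction, NotResource and Condition are not evaluated,
    # so a conditional Deny is reported as a candidate to inspect by hand.
    return (any(_matches(a, action, ignore_case=True)
                for a in _as_list(stmt.get("Action", [])))
            and any(_matches(r, resource)
                    for r in _as_list(stmt.get("Resource", []))))

def evaluate(policies, action, resource):
    """Return (decision, [policy names that produced it])."""
    allows, denies = [], []
    for name, doc in policies.items():
        for stmt in _as_list(doc["Statement"]):
            if _applies(stmt, action, resource):
                (denies if stmt["Effect"] == "Deny" else allows).append(name)
    if denies:                      # an explicit Deny beats every Allow
        return "explicit deny", denies
    return ("allow", allows) if allows else ("implicit deny", [])

# Constructed sample data: policy names, account id and stream name are made up.
POLICIES = {
    "firehose-full-access": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["firehose:*"],
        "Resource": ["arn:aws:firehose:*:111122223333:deliverystream/*"]}]},
    "restrict-streaming": {"Version": "2012-10-17", "Statement": {
        "Effect": "Deny", "Action": "firehose:Create*", "Resource": "*"}},
}
ACTION = "firehose:CreateDeliveryStream"
RESOURCE = "arn:aws:firehose:us-east-1:111122223333:deliverystream/example"

if __name__ == "__main__":
    print(evaluate(POLICIES, ACTION, RESOURCE))
```

The result names the policy to review, which is why adding more Allow statements to the first policy cannot clear the error.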