Cyber Defense Advisors

AWS CloudFormation Policy Document Error Messages Could Be Nicer

Telling me I have an invalid policy document with no further information is not helpful — and the errors in this post seem like they would be easy to pass through

I was just getting some errors with a policy document for a VPC Endpoint. The error messages are simply this:

InvalidPolicyDocument (Service: AmazonEC2; Status Code: 400; Error Code: InvalidPolicyDocument; Request ID: xxx; Proxy: null)

Here are some obvious things that the error message could tell you:

- You are missing a principal when one is required. This should be easy to figure out by parsing the document for the word “Principal.”
- The principal is not valid if it is not an ARN when it’s supposed to be or if it is not matching an ID properly in the account. This also seems like it would be easy to parse out?
- The principal needs to start with “AWS” if it doesn’t.
- A colon or a dash is in the wrong place.
- The spacing or indentation is off.
- There’s a problem with a condition.

I don’t know what the problem is with the stack at this point so I reverted to an example in the AWS Documentation as I presume that works and removed my specific principal and resources.

AWS::EC2::VPCEndpoint

Next I changed one value at a time and redeployed my stack to see which one was causing the error.

After deploying one element of the policy at a time I realized that in addition to some of the above errors I had inadvertently added “Role” at the end of a Role name when I shouldn’t have. It seems like it should be obvious that the ARN is in the correct format, the account ID is correct, but the specific role name does not exist.
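A local pre-check that runs the kinds of checks listed earlier against a policy before it ever reaches CloudFormation, as an added example (not code from this post and not an AWS tool). The sample policy, the account ID and the EXISTING_ROLES set are constructed; in real use the role set would be populated from IAM ListRoles.

```python
import re

# Constructed sample reproducing the mistake the post ends up finding: the ARN is well formed and the account ID is right, but the role name carries a stray "Role" suffix, so that role does not exist.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppReaderRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Role names that exist in the account (constructed here; in real use, populate from IAM ListRoles).
EXISTING_ROLES = {"AppReader"}

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
PRINCIPAL_KEYS = ("AWS", "Service", "Federated", "CanonicalUser")


def check_policy(policy, existing_roles, account_id="123456789012"):
    """Return human-readable findings for the checks the post wishes AWS reported; [] means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"Statement {i}: missing Principal")
            continue
        if principal == "*":
            continue
        if not isinstance(principal, dict):
            findings.append(f"Statement {i}: Principal must be '*' or an object keyed by {PRINCIPAL_KEYS}")
            continue
        for key, values in principal.items():
            if key not in PRINCIPAL_KEYS:
                findings.append(f"Statement {i}: unknown Principal key {key!r} (did you mean 'AWS'?)")
                continue
            if key != "AWS":
                continue  # service and federated principals are out of scope for this check
            for value in values if isinstance(values, list) else [values]:
                if value == "*" or re.fullmatch(r"\d{12}", value):
                    continue  # anonymous or whole-account principal: nothing to resolve
                m = ROLE_ARN.match(value)
                if not m:
                    findings.append(f"Statement {i}: {value!r} is not a role ARN or 12-digit account ID")
                elif m.group(1) != account_id:
                    findings.append(f"Statement {i}: ARN account {m.group(1)} is not {account_id}")
                elif m.group(2) not in existing_roles:
                    findings.append(f"Statement {i}: role {m.group(2)!r} does not exist in account {account_id}")
    return findings
```

Run `check_policy(POLICY, EXISTING_ROLES)` on the sample and it reports the non-existent role by name, which is exactly the detail the CloudFormation error withholds.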

AWS, help a dev out and give a little more guidance about these errors in CloudFormation. You’ll save the world loads of time. #awswishlist

Teri Radichel


© 2nd Sight Lab 2022


AWS CloudFormation Policy Document Error Messages Could Be Nicer was originally published in Bugs That Bite on Medium, where people are continuing the conversation by highlighting and responding to this story.