Errors related to malformed AWS Policy Documents
When creating an IAM Policy document you need to make sure you have all the required parts and pieces first of all.
AWS has a list of the elements required in a JSON policy here. A YAML policy would have the same elements but using YAML syntax instead of JSON obviously:
You’ll need to ensure you include any required elements.
The CloudFormation documentation incorrectly lists the type as Json when the description right above says it can be provided in YAML or JSON format. I guess they are referring to how it shows up in the AWS console regardless of which format you choose in CloudFormation.
Unfortunately that documentation does not include the detailed definition of the Policy Document object like it does for other CloudFormation objects. I’ve asked for that via #awswishlist.
I’d written a policy like this and was getting an error:
Although we don’t get clear specifications we can take a look at the sample policy at the bottom of the page:
In their example they do not have the dash (indicating a list) in front of the Roles element. I get the following which indicates that if you do provide specific values you need to provide a list for the roles element:
Value of property Roles must be of type List of String
So I need to add a dash before the role element. Hmm. I thought I copied another working template but let’s try it.
Nope, malformed. It would be really great if the error message could tell you more precisely what was wrong with this template wouldn’t it??
In my case I can look at policies specific to Secrets Manager.
Here I can see that the resource can be a list:
Or a single string:
Maybe you’ve already noticed my typo by now but I did not see it immediately. I added an “s” on to “Resource”. So it wasn’t my role or policy at all that was causing the problem.
Now, I’ve been writing IAM policies for about a decade. If I can overlook this typo I wonder how confusing this must be to someone who is just starting out. And I wonder why AWS cannot report in this message that a required component of the policy (Resource) is missing to give the person writing the policy a better clue as to what the problem is. It seems like this would be a simple validation check and error message to add, among others.
At any rate, this problem is solved.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
