CloudFormation Deploys and Invalid IAM policy — for CloudFormation! | by Teri Radichel | Bugs That Bite | Sep, 2022

Wondering why CloudFormation doesn’t use the same policy validation logic as the AWS Console

This one really bites. I was spinning my wheels on it for a while. I deployed policy for a role that allows it to only act on certain CloudFormation stacks. The policy deployed without error in CloudFormation.

Then, while trying to run actions on the CloudFormation stacks with my role, I kept getting errors that I didn’t have permissions to run DescribeStacks on a particular stack. I was staring at the policy over and over and reviewing a stack ARN character for character to make sure I didn’t have an error in the ARN for the CloudFormation stacks and it looked OK.

I reviewed the policy in the console and in my code and it was driving me a bit nuts.

Finally, I thought just for a test I’ll manually make some change to the policy to see if it works. When I went to edit the Policy in the AWS Console, the IAM policy editor immediately told me that I had an error.

I had spelled CloudForamtion wrong! I wrote this:

clouddformation

Instead of this:

cloudformation

OK so sure, I need glasses. It’s true. However, it seems that if the AWS Console can spot the error, then probably CloudFormation can too. Don’t different groups at AWS share validation routines via an API call to the “owner” of the resource?

I would expect that the CloudFormation team could make an API call to the IAM team for policy validation and the results would be the same in either case.

Shouldn’t that just be a rule at AWS since the owner of the resource should know best how to validate it? And other teams can recommend changes the validation rules via a fork instead of rolling their own?

Too much wasted time on all these little bugs!

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts