Teri Radichel


Actions/Conditions must be prefaced by a vendor, e.g., iam, ec2, etc.

Need better CloudFormation Error Messages


The following error occurs for multiple reasons when attempting to deploy a CloudFormation template, and in some cases it is not accurate or helpful:

Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxxxx; Proxy: null)

It could accurately mean that someone listed an action without the proper service prefix as defined in the AWS IAM documentation:

For example:

    Statement:
      - Effect: Allow
        Action: 'CreateAccount'
        Resource: '*'

Should be:

    Statement:
      - Effect: Allow
        Action: 'organizations:CreateAccount'
        Resource: '*'

However, the same error occurs when the user has added a prefix but misspelled it. It seems like CloudFormation could easily report a “service prefix: x does not exist” for the code below instead.

    Statement:
      - Effect: Allow
        Action: 'x:CreateAccount'
        Resource: '*'

The other case where this error appears is also misleading. I don’t know about anyone else, but for some reason I always want to use a dot instead of a colon, as shown in the next block of code. It seems pretty simple to identify that the beginning of the action is a service but the syntax is incorrect, with a period instead of a colon:

    Statement:
      - Effect: Allow
        Action: 'organizations.CreateAccount'
        Resource: '*'

In all cases above, CloudFormation can report the offending piece of code in the console since the code is all there in the template. For example: “Invalid separator: organizations.CreateAccount”

These small changes would probably make it easier for developers to troubleshoot their code and quickly find problems.
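
A pre-deployment check along these lines can produce the more specific messages proposed above before the template ever reaches CloudFormation. This is an added example, not code from the original post or from AWS; the function names and the short `KNOWN_PREFIXES` list are assumptions made for illustration.

```python
import re

# Sample subset of IAM service prefixes (an assumption for this example);
# a real check would load the full list from AWS's service reference.
KNOWN_PREFIXES = {"organizations", "iam", "ec2", "sdb", "s3"}

# Action names are alphanumeric; '*' and '?' wildcards are also accepted.
ACTION_NAME = re.compile(r"^[A-Za-z0-9*?]+$")


def diagnose_action(action):
    """Return None if the action looks valid, else a specific message."""
    if action == "*":
        return None
    if ":" not in action:
        # No colon: either a dot was used as the separator or the prefix is absent.
        head, dot, tail = action.partition(".")
        if dot and tail and head.lower() in KNOWN_PREFIXES:
            return f"Invalid separator: {action} (use '{head}:{tail}')"
        return f"Missing service prefix: {action}"
    prefix, _, name = action.partition(":")
    if prefix.lower() not in KNOWN_PREFIXES:
        return f"service prefix: {prefix} does not exist"
    if not ACTION_NAME.match(name):
        return f"Invalid action name: {action}"
    return None


def lint_statements(statements):
    """Return (statement index, message) for every bad Action/NotAction."""
    findings = []
    for i, stmt in enumerate(statements):
        for key in ("Action", "NotAction"):
            value = stmt.get(key, [])
            for action in [value] if isinstance(value, str) else value:
                message = diagnose_action(action)
                if message:
                    findings.append((i, message))
    return findings


# Constructed sample: the four Action values shown in the article.
SAMPLE = [{"Effect": "Allow", "Action": a, "Resource": "*"} for a in (
    "CreateAccount", "organizations:CreateAccount",
    "x:CreateAccount", "organizations.CreateAccount")]

if __name__ == "__main__":
    for index, message in lint_statements(SAMPLE):
        print(f"Statement[{index}]: {message}")
```

Run against the four statements from the article, it flags the first, third and fourth with three different messages and passes the second.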


Teri Radichel | © 2nd Sight Lab 2023
