Ambiguous Error Message When a User Doesn’t Have Permission to Pass a Specific IAM Role to an EC2 Instance
This error message needs to be more specific and doesn’t show up in CloudTrail for the User Name
I was trying to launch an EC2 instance with a specific role for the EC2 instance profile, but I had a typo in the IAM role name in the user's policy.
The error message comes back encoded, so I first needed to decode it as explained here:
Once I decoded the message, this is what I got:
aws sts decode-authorization-message --encoded-message "$msg" --output text --profile SandboxAdmin
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {"items": []},
  "failures": {"items": []},
  "context": {
    "principal": {"id": "", "name": "SandboxDev", "arn": "arn:aws:iam::xxxxxxxxxxxx:user/SandboxDev"},
    "action": "RunInstances",
    "resource": "arn:aws:iam::xxxxxxxxxxxx:role/SandboxDevEC2Role",
    "conditions": {"items": [
      {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
      {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
      {"key": "aws:Resource", "values": {"items": [{"value": "role/SandboxDevEC2Role"}]}},
      {"key": "iam:RoleName", "values": {"items": [{"value": "SandboxDevEC2Role"}]}},
      {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
      {"key": "aws:Account", "values": {"items": [{"value": "xxxxxxxxxxxx"}]}},
      {"key": "aws:ARN", "values": {"items": [{"value": "arn:aws:iam::xxxxxxxxxxxxx:role/SandboxDevEC2Role"}]}}
    ]}
  }
}
That is not at all clear. Looking at it, I thought my user did not have permission to perform the RunInstances action, but the user did have that permission.
I just guessed that the role must be the problem and figured it out from there.
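As an added example (not code from the original post), the Python below reads a decoded authorization message shaped like the one above and states which permission check actually failed: when the action is RunInstances but the evaluated resource is an IAM role ARN, the missing permission is iam:PassRole on that role rather than RunInstances. The sample message is constructed to mirror the structure shown, with the account id redacted the same way.

```python
import json

# Constructed sample modelled on the decoded message shown above (account id
# redacted with x's as on the page); this is not real STS output.
DECODED = json.dumps({
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "", "name": "SandboxDev",
                      "arn": "arn:aws:iam::xxxxxxxxxxxx:user/SandboxDev"},
        "action": "RunInstances",
        "resource": "arn:aws:iam::xxxxxxxxxxxx:role/SandboxDevEC2Role",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
            {"key": "iam:RoleName", "values": {"items": [{"value": "SandboxDevEC2Role"}]}},
        ]},
    },
})


def summarize_denial(decoded_json: str) -> dict:
    """Turn a decoded STS authorization message into a plain-language summary.

    The message names the action being authorized and the resource the check was
    evaluated against. When the action is RunInstances but the resource is an IAM
    role ARN, the failed check is the iam:PassRole evaluation for the instance
    profile role, not the ec2:RunInstances permission itself.
    """
    msg = json.loads(decoded_json)
    ctx = msg["context"]
    conds = {c["key"]: [v["value"] for v in c["values"]["items"]]
             for c in ctx["conditions"]["items"]}
    summary = {
        "principal": ctx["principal"]["arn"], "action": ctx["action"],
        "resource": ctx["resource"], "region": conds.get("aws:Region", [None])[0],
        "allowed": msg["allowed"], "denial_type": None, "likely_missing_permission": None,
    }
    if msg["allowed"]:
        return summary
    # No explicit Deny plus no matched statements means no Allow covered the request.
    summary["denial_type"] = ("explicit Deny" if msg["explicitDeny"]
                              else "implicit deny (no Allow statement matched)")
    if ctx["action"] == "RunInstances" and ":role/" in ctx["resource"]:
        summary["likely_missing_permission"] = f"iam:PassRole on {ctx['resource']}"
    else:
        service = conds.get("aws:Service", ["?"])[0]
        summary["likely_missing_permission"] = f"{service}:{ctx['action']} on {ctx['resource']}"
    return summary
```

Feed it the output of `aws sts decode-authorization-message --output text` to get the role and missing permission called out directly instead of reading the raw JSON.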
First of all, why does this have to be encoded? Shouldn't AWS be able to display a clear, easy-to-read error message in this case and pinpoint the problem?
Also, when I went over to look at CloudTrail, I searched on the user name. I did not see the RunInstances failure in the logs initially. It took a long time to show up, and when it did, it was just the same message above.
Teri Radichel | © 2nd Sight Lab 2023