Teri Radichel

Ambiguous Error Message When a User Doesn’t Have Permission to Pass a Specific IAM Role to an EC2 Instance

This error message needs to be more specific and doesn’t show up in CloudTrail for the User Name

I was trying to launch an EC2 instance with a specific role for the EC2 instance profile, but I had a typo in the IAM role for the user.

The error message comes back encoded, so I first needed to decode it as explained here:

Once I decoded the message, this is what I got:

aws sts decode-authorization-message --encoded-message "$msg" --output text --profile SandboxAdmin

{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {"items": []},
  "failures": {"items": []},
  "context": {
    "principal": {
      "id": "",
      "name": "SandboxDev",
      "arn": "arn:aws:iam::xxxxxxxxxxxx:user/SandboxDev"
    },
    "action": "RunInstances",
    "resource": "arn:aws:iam::xxxxxxxxxxxx:role/SandboxDevEC2Role",
    "conditions": {
      "items": [
        {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
        {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
        {"key": "aws:Resource", "values": {"items": [{"value": "role/SandboxDevEC2Role"}]}},
        {"key": "iam:RoleName", "values": {"items": [{"value": "SandboxDevEC2Role"}]}},
        {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
        {"key": "aws:Account", "values": {"items": [{"value": "xxxxxxxxxxxx"}]}},
        {"key": "aws:ARN", "values": {"items": [{"value": "arn:aws:iam::xxxxxxxxxxxx:role/SandboxDevEC2Role"}]}}
      ]
    }
  }
}

That is not at all clear. I looked at it and thought my user did not have permission to perform the RunInstances action based on that message, but the user did have permission.

Somehow I just guessed that the role must be the problem and figured it out.

First of all, why does this have to be encoded? Shouldn’t AWS be able to display a nice, easy to read, error message in this case and pinpoint the problem?

Also, when I went over to look at CloudTrail, I searched on the user name. I did not see the RunInstances failure in the logs initially. It seemed to take a long time to show up. When it did, it was just the same message above.
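The whole triage from the two passages above (interpreting the decoded message, and finding the failed call in CloudTrail for a user name), written out as an added Python example. This is not code from the original post or from 2nd Sight Lab. It pulls denied RunInstances calls for a given user out of CloudTrail records, wraps the STS decode call, flattens the nested conditions list, and turns the decoded message into a verdict. The CloudTrail records and the decoded message are constructed sample data (the decoded message mirrors the one above with a fake account id, and the encoded strings are placeholders, not real STS blobs). The rule that a denied RunInstances evaluated against a role ARN points at a missing iam:PassRole grant is this example's own interpretation; it rests on the fact that launching an instance with an instance profile requires iam:PassRole on that role in the caller's policy.

```python
"""Triage a denied EC2 RunInstances call: find it in CloudTrail, decode the
STS message, and say which permission is missing.

Added example, not from the original post. Runs offline on constructed
sample data; decode_message() is the only part that needs AWS credentials.
"""
import json
import re

# --- constructed sample data (not real AWS output) ---------------------------

# CloudTrail records in the shape CloudTrail writes for EC2 API calls.
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventTime": "2023-05-01T18:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "SandboxDev"}},
    {"eventTime": "2023-05-01T18:03:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "SandboxDev"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation. "
                     "Encoded authorization failure message: AbCd123placeholder"},
    {"eventTime": "2023-05-01T18:04:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "OtherUser"},
     "errorCode": "Client.UnauthorizedOperation",
     "errorMessage": "You are not authorized to perform this operation. "
                     "Encoded authorization failure message: ZzYy987placeholder"},
]

# The decoded message from the post, with a fake account id (123456789012).
DECODED_SAMPLE = {
    "allowed": False, "explicitDeny": False,
    "matchedStatements": {"items": []}, "failures": {"items": []},
    "context": {
        "principal": {"id": "", "name": "SandboxDev",
                      "arn": "arn:aws:iam::123456789012:user/SandboxDev"},
        "action": "RunInstances",
        "resource": "arn:aws:iam::123456789012:role/SandboxDevEC2Role",
        "conditions": {"items": [
            {"key": "aws:Region", "values": {"items": [{"value": "us-east-2"}]}},
            {"key": "aws:Service", "values": {"items": [{"value": "ec2"}]}},
            {"key": "aws:Resource", "values": {"items": [{"value": "role/SandboxDevEC2Role"}]}},
            {"key": "iam:RoleName", "values": {"items": [{"value": "SandboxDevEC2Role"}]}},
            {"key": "aws:Type", "values": {"items": [{"value": "role"}]}},
            {"key": "aws:Account", "values": {"items": [{"value": "123456789012"}]}},
            {"key": "aws:ARN", "values": {"items": [
                {"value": "arn:aws:iam::123456789012:role/SandboxDevEC2Role"}]}},
        ]},
    },
}

ENCODED_RE = re.compile(r"Encoded authorization failure message:\s*(\S+)")
# Account part left loose so redacted ARNs (xxxxxxxxxxxx) still match.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::[^:]*:role/(.+)$")


def failed_run_instances(records, user_name):
    """Return (eventTime, encoded_message) for each denied RunInstances by user_name."""
    hits = []
    for rec in records:
        if rec.get("eventName") != "RunInstances":
            continue
        if rec.get("userIdentity", {}).get("userName") != user_name:
            continue
        if rec.get("errorCode") != "Client.UnauthorizedOperation":
            continue
        match = ENCODED_RE.search(rec.get("errorMessage", ""))
        hits.append((rec["eventTime"], match.group(1) if match else None))
    return hits


def decode_message(sts_client, encoded):
    """Decode via STS (needs credentials for the account that owns the resource)."""
    resp = sts_client.decode_authorization_message(EncodedMessage=encoded)
    return json.loads(resp["DecodedMessage"])


def condition_values(decoded):
    """Flatten the nested items/values/items structure into {key: [values]}."""
    out = {}
    for cond in decoded.get("context", {}).get("conditions", {}).get("items", []):
        out[cond["key"]] = [v["value"] for v in cond.get("values", {}).get("items", [])]
    return out


def diagnose(decoded):
    """Turn a DecodedMessage dict into a verdict plus a hint about what is missing."""
    ctx = decoded["context"]
    result = {"principal": ctx["principal"]["arn"], "action": ctx["action"],
              "resource": ctx["resource"], "conditions": condition_values(decoded)}
    if decoded.get("allowed"):
        result.update(verdict="allowed", hint="Authorized; the failure is elsewhere.")
        return result
    if decoded.get("explicitDeny"):
        result.update(verdict="explicit-deny",
                      hint="A Deny statement matched; see matchedStatements.")
        return result
    result["verdict"] = "implicit-deny"
    role = ROLE_ARN_RE.match(result["resource"])
    # Interpretation (not AWS output): RunInstances evaluated against a role ARN
    # is the instance-profile pass check, which needs iam:PassRole on that role.
    if result["action"].endswith("RunInstances") and role:
        result["missing_permission"] = "iam:PassRole"
        result["hint"] = (f"No Allow for iam:PassRole on {result['resource']}; check the "
                          f"role name '{role.group(1)}' in the caller's policy for typos.")
    else:
        result["missing_permission"] = result["action"]
        result["hint"] = f"No Allow grants {result['action']} on {result['resource']}."
    return result


if __name__ == "__main__":
    for when, blob in failed_run_instances(SAMPLE_CLOUDTRAIL_RECORDS, "SandboxDev"):
        print(f"{when}: denied RunInstances, encoded message {blob}")
    print(json.dumps(diagnose(DECODED_SAMPLE), indent=2))
```

Against a real account, the records come from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=SandboxDev`, whose each event carries the record as a JSON string in its CloudTrailEvent field; pass a boto3 STS client to decode_message for the real decode step. Lookup results lag the API call by some minutes, which matches the delay described above.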

Teri Radichel | © 2nd Sight Lab 2023
