Teri Radichel


An error occurred (ParameterNotFound) when calling the GetParameter operation: (policy issue)

Inaccurate error message when trying to retrieve a cross-account parameter


I wrote this a while back…and I’m not sure if it’s accurate or not. I didn’t publish it so maybe there’s a problem with this post. Maybe there’s not. I don’t remember but I’m publishing it anyway in case it helps someone. Maybe I’ll have time to revisit it later. Right.

— — — — — — — — —

I wrote about how I’m using parameters cross-account so I can build resources in one account, deploy them from a second account, into a third account.

I need the build account to be able to read parameters in the AMI account, such as the latest AMI ID to use when deploying resources to a third account.

In order to achieve that, I had to grant access to the account that builds and deploys the resources in my cloud environment. I wanted to allow that account to read all the parameters required for building AMIs in my ami-builder account. So I created this policy, pulled from a sample page:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:[region]:[AMI-builder-account-number-here]:parameter/*"
        }
    ]
}

When I try to retrieve a parameter with a specific name like this:

aws ssm get-parameter --name ami-builder-parameter

I get this error which is not accurate:

An error occurred (ParameterNotFound) when calling the GetParameter operation:

The parameter does exist. The problem is that there are two different API actions for reading parameters, GetParameter (one parameter by name) and GetParameters (a list of names), and each is a separate IAM action. The policy above only grants ssm:GetParameters, so a get-parameter call is implicitly denied, and SSM reports that as ParameterNotFound rather than as an access problem. Why it can’t be one command that optionally takes an array of parameters or doesn’t, I don’t really understand. But anyway, I also needed to add this to my policy so I can get the value of one parameter by name:

"ssm:GetParameter"

So my policy now looks like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:[region]:[AMI-builder-account-number-here]:parameter/*"
        }
    ]
}

This might trip up someone newer to AWS.

Fix: The error message should report access denied to caller-identity [x] to perform action [y].
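To make the mismatch concrete without calling AWS, here is a small policy evaluator that runs the two policies above against the three SSM read actions and reports which one is missing. This is an added example, not code from the post; it models only Effect/Action/Resource statements (no NotAction, Condition or Principal), and the region and account number are placeholders standing in for the [region] and [AMI-builder-account-number-here] values in the post.

```python
"""Added example: a minimal IAM identity-policy evaluator, enough to show why
the post's first policy rejects ssm:GetParameter while the second allows it.

Only Effect/Action/Resource statements are modelled, and a single policy is
evaluated in isolation. The region and account number below are placeholders,
not real values.
"""
import re

REGION = "us-east-1"                  # placeholder for [region]
AMI_BUILDER_ACCOUNT = "111122223333"  # placeholder, not a real account
PARAM_ARN = f"arn:aws:ssm:{REGION}:{AMI_BUILDER_ACCOUNT}:parameter/ami-builder-parameter"
PARAM_RESOURCE = f"arn:aws:ssm:{REGION}:{AMI_BUILDER_ACCOUNT}:parameter/*"

# Constructed from the post's first policy: DescribeParameters plus GetParameters only.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameters"], "Resource": PARAM_RESOURCE},
    ],
}

# Constructed from the post's corrected policy: ssm:GetParameter added.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:DescribeParameters"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["ssm:GetParameters", "ssm:GetParameter"],
         "Resource": PARAM_RESOURCE},
    ],
}

SSM_READ_ACTIONS = ["ssm:DescribeParameters", "ssm:GetParameters", "ssm:GetParameter"]


def _wildcard_to_regex(pattern, ignore_case):
    # IAM accepts '*' (any run of characters) and '?' (exactly one character)
    # in Action and Resource values; everything else is literal. re.escape the
    # pattern, then turn the two escaped wildcards back into regex operators.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, ignore_case):
    return any(_wildcard_to_regex(p, ignore_case).match(value) for p in _as_list(patterns))


def is_allowed(policy, action, resource_arn):
    """Return True if the policy allows `action` on `resource_arn`.

    Evaluation order follows IAM: an explicit Deny wins over any Allow, and
    with no matching Allow the request is implicitly denied. Action names
    match case-insensitively, resource ARNs case-sensitively.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            raise ValueError("only Effect/Action/Resource statements are modelled")
        if not _any_match(stmt["Action"], action, ignore_case=True):
            continue
        if not _any_match(stmt["Resource"], resource_arn, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def denied_actions(policy, actions, resource_arn):
    """Return the actions the policy does not allow on `resource_arn`.

    This is the question the ParameterNotFound error hides: which SSM read
    action is the caller actually missing?
    """
    return [a for a in actions if not is_allowed(policy, a, resource_arn)]


if __name__ == "__main__":
    for label, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        missing = denied_actions(policy, SSM_READ_ACTIONS, PARAM_ARN)
        print(f"{label}: missing {missing or 'nothing'}")
    # The corrected policy still denies a parameter in some other account,
    # because the Resource ARN pins the AMI-builder account number.
    other = PARAM_ARN.replace(AMI_BUILDER_ACCOUNT, "999988887777")
    print("after, other account:", is_allowed(POLICY_AFTER, "ssm:GetParameter", other))
```

Against a real account the equivalent check is aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names ssm:GetParameter ssm:GetParameters --resource-arns <parameter ARN>, which reports implicitDeny for ssm:GetParameter under the first policy. The evaluator, like the simulator, only looks at the identity policy of whatever principal makes the call; if the build account reaches the AMI-builder account by assuming a role there, it is that role's policy that has to carry ssm:GetParameter.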


Teri Radichel | © 2nd Sight Lab 2022
