AWS CloudFormation Policy Document Error Messages Could Be Nicer
Telling me I have an invalid policy document with no further information is not helpful — and the errors in this post seem like they would be easy to pass through
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I was just getting some errors with a policy document for a VPC Endpoint. The error messages are simply this:
InvalidPolicyDocument (Service: AmazonEC2; Status Code: 400; Error Code: InvalidPolicyDocument; Request ID: xxx; Proxy: null)
Here are some obvious things that the error message could tell you:
- You are missing a principal when one is required. This should be easy to figure out by parsing the document for the word “Principal.”
- The principal is not valid if it is not an ARN when it’s supposed to be or if it is not matching an ID properly in the account. This also seems like it would be easy to parse out?
- The principal needs to start with “AWS” but doesn’t.
- A colon or a dash is in the wrong place.
- The spacing or indentation is off.
- There’s a problem with a condition.
I don’t know what the problem is with the stack at this point, so I reverted to an example in the AWS documentation, which I presume works, and removed my specific principal and resources.
Next I changed one value at a time and redeployed my stack to see which one was causing the error.
After deploying one element of the policy at a time, I realized that in addition to some of the above errors I had inadvertently added “Role” at the end of a Role name when I shouldn’t have. It seems like it should be obvious that the ARN is in the correct format, the account ID is correct, but the specific role name does not exist.
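Until CloudFormation reports these details itself, a pre-deployment check can produce the messages listed above. The following is an added example, not code from the post or from AWS: it walks the policy document, reports a missing Principal, a principal key other than AWS, an ARN with colons or dashes in the wrong place, and (using a constructed `known_arns` set that stands in for an IAM lookup) a well-formed role ARN that does not exist. The sample policy, the `EndpointRole` name and the account ID are constructed.

```python
import re

# Account root, role or user ARN: arn:partition:iam::account-id:root|role/name|user/name
IAM_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|(role|user)/[\w+=,.@/-]+)$")
PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}

def validate_policy(policy, known_arns=None):
    """Return specific, human-readable errors for an endpoint policy document.
    known_arns is a constructed stand-in for an IAM lookup (no AWS call is made):
    when given, a well-formed IAM ARN missing from the set is reported as non-existent."""
    errors = []
    statements = policy.get("Statement")
    if statements is None:
        return ["policy has no 'Statement' element"]
    if isinstance(statements, dict):          # a single statement is allowed
        statements = [statements]
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        principal = stmt.get("Principal")
        if principal is None:
            errors.append(f"{where}: missing required 'Principal' element")
            continue
        if principal == "*":                  # anonymous wildcard is valid syntax
            continue
        if not isinstance(principal, dict):
            errors.append(f"{where}: 'Principal' must be \"*\" or a map like {{\"AWS\": ...}}")
            continue
        for key in sorted(set(principal) - PRINCIPAL_KEYS):
            errors.append(f"{where}: unknown principal key '{key}'; IAM identities go under 'AWS'")
        arns = principal.get("AWS", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn == "*" or re.fullmatch(r"\d{12}", arn):
                continue                      # wildcard or bare account ID is fine
            if not IAM_ARN_RE.match(arn):
                errors.append(f"{where}: principal '{arn}' is not a well-formed IAM ARN; "
                              "check the colons and dashes")
            elif known_arns is not None and arn not in known_arns:
                errors.append(f"{where}: '{arn}' is well-formed but no such role or user exists")
    return errors

# Constructed sample: the first role name carries a stray "Role" suffix and the
# second statement has no Principal at all.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/EndpointRoleRole"}},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
]}
KNOWN_ARNS = {"arn:aws:iam::123456789012:role/EndpointRole"}
```

Run `validate_policy(SAMPLE_POLICY, KNOWN_ARNS)` to get one message per statement naming the exact problem; in a real pipeline, `known_arns` would be filled from `iam:ListRoles` before the stack is deployed.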
AWS, help a dev out and give a little more guidance about these errors in CloudFormation. You’ll save the world loads of time. #awswishlist
Teri Radichel | © 2nd Sight Lab 2022
