
CloudFormation Deploys an Invalid IAM policy — for CloudFormation

Wondering why CloudFormation doesn’t use the same policy validation logic as the AWS Console

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | CloudFormation

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This one really bites. I was spinning my wheels on it for a while. I deployed a policy for a role that allows it to only act on certain CloudFormation stacks. The policy deployed without error in CloudFormation.

Then, while trying to run actions on the CloudFormation stacks with my role, I kept getting errors that I didn’t have permissions to run DescribeStacks on a particular stack. I was staring at the policy over and over and reviewing a stack ARN character for character to make sure I didn’t have an error in the ARN for the CloudFormation stacks and it looked OK.

I reviewed the policy in the console and in my code and it was driving me a bit nuts.

Finally, I thought just for a test I’ll manually make some change to the policy to see if it works. When I went to edit the Policy in the AWS Console, the IAM policy editor immediately told me that I had an error.

I had spelled CloudFormation wrong! I wrote this:

clouddformation

Instead of this:

cloudformation

OK so sure, I need glasses. It’s true. However, it seems that if the AWS Console can spot the error, then probably CloudFormation can too. Don’t different groups at AWS share validation routines via an API call to the “owner” of the resource?

I would expect that the CloudFormation team could make an API call to the IAM team for policy validation and the results would be the same in either case.

Shouldn’t that just be a rule at AWS since the owner of the resource should know best how to validate it? And other teams can recommend changes to the validation rules via a fork instead of rolling their own?
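Until CloudFormation does that validation for you, the practical fix is to run it yourself before the stack deploys. The authoritative check is IAM Access Analyzer policy validation, the same check the IAM console’s policy editor surfaces, which you can call from the CLI with `aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json`; it reports an error-level finding for an action whose service does not exist. The script below is an added example (not code from this post or from AWS) of the cheaper offline version of that check: it walks the IAM policy documents inside a CloudFormation template and flags any Action or NotAction whose service prefix it does not recognise, which is exactly the class of typo described above. The template, the account ID and region in the stack ARN, and the deliberately short allowlist of service prefixes are all constructed for the example; in real use, build the allowlist from the full list of IAM service prefixes.

```python
"""Offline lint for IAM policy documents in a CloudFormation template.

Flags every Action/NotAction whose service prefix is not one IAM knows,
the class of typo (e.g. "clouddformation:DescribeStacks") that
CloudFormation deploys without complaint but that only fails at runtime
with an AccessDenied on the real service.
"""
import json

# Assumption: a deliberately small allowlist, enough for this example.
# In practice, generate it from the full list of IAM service prefixes.
KNOWN_SERVICE_PREFIXES = frozenset({
    "cloudformation", "iam", "s3", "sts", "logs", "kms", "ec2", "lambda",
})

# CloudFormation resource types that carry policy documents, and the
# properties on each that hold them. "Policies" is a list of
# {PolicyName, PolicyDocument}; the others hold a document directly.
POLICY_PROPERTIES = {
    "AWS::IAM::Policy": ("PolicyDocument",),
    "AWS::IAM::ManagedPolicy": ("PolicyDocument",),
    "AWS::IAM::Role": ("AssumeRolePolicyDocument", "Policies"),
    "AWS::IAM::User": ("Policies",),
    "AWS::IAM::Group": ("Policies",),
}


def _as_list(value):
    """IAM allows a single string or a list in most places; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unknown_service_prefixes(policy_document):
    """Return [(action, prefix), ...] for actions whose prefix is unknown.

    "*" is valid on its own and is skipped. An action with no ":" at all
    is reported with an empty prefix, since it is not of the form
    service:Action. Non-string actions (intrinsic functions such as
    Fn::Sub) are skipped because they cannot be checked statically.
    """
    findings = []
    for stmt in _as_list(policy_document.get("Statement")):
        for key in ("Action", "NotAction"):
            for action in _as_list(stmt.get(key)):
                if not isinstance(action, str) or action == "*":
                    continue
                if ":" not in action:
                    findings.append((action, ""))
                    continue
                prefix = action.split(":", 1)[0].lower()
                if prefix not in KNOWN_SERVICE_PREFIXES:
                    findings.append((action, prefix))
    return findings


def policy_documents_in_template(template):
    """Yield (logical_id, policy_document) for every IAM policy document."""
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        for prop in POLICY_PROPERTIES.get(resource.get("Type"), ()):
            value = props.get(prop)
            if prop == "Policies":
                docs = [p.get("PolicyDocument") for p in _as_list(value)
                        if isinstance(p, dict)]
            else:
                docs = [value]
            for doc in docs:
                if isinstance(doc, dict):
                    yield logical_id, doc


def lint_template(template):
    """Return {logical_id: [(action, prefix), ...]} for resources with findings."""
    report = {}
    for logical_id, doc in policy_documents_in_template(template):
        findings = unknown_service_prefixes(doc)
        if findings:
            report.setdefault(logical_id, []).extend(findings)
    return report


# Constructed sample template (not the author's). The trust policy on the
# role is fine; the inline policy repeats the post's typo on both actions.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "StackOperatorRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole"
          }]
        }
      }
    },
    "StackOperatorPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "stack-operator",
        "Roles": [{"Ref": "StackOperatorRole"}],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Action": ["clouddformation:DescribeStacks",
                       "clouddformation:UpdateStack"],
            "Resource": "arn:aws:cloudformation:us-east-1:123456789012:stack/my-stack/*"
          }]
        }
      }
    }
  }
}
""")


if __name__ == "__main__":
    for logical_id, findings in lint_template(SAMPLE_TEMPLATE).items():
        for action, prefix in findings:
            print(f"{logical_id}: unknown service prefix {prefix!r} in action {action!r}")
```

Run it against the sample and both `clouddformation:*` actions are reported before anything reaches CloudFormation; the role’s `sts:AssumeRole` trust policy passes. Wire `lint_template` into the same pipeline step that runs `aws cloudformation validate-template`, and keep the Access Analyzer call as the check of record, since it also knows every valid action name within a service, not just the prefix.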

Too much wasted time on all these little bugs!

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Cloudformation
Error Message
Bug
Policy Validation
Iam Policy