Teri Radichel

Summary

Teri Radichel encountered an error while redeploying the AmazonEC2ContainerServiceforEc2Role policy due to invisible characters, specifically a tab character, and resolved the issue by removing these characters.

Abstract

While attempting to copy and redeploy the AmazonEC2ContainerServiceforEc2Role policy from the AWS IAM console, Teri Radichel faced an error message indicating the presence of a tab character that could not start any token. Despite identifying and fixing the tab character issue, the policy still failed to deploy, leading to further investigation. Radichel discovered discrepancies in the representation of tab characters when using different cat command options and ultimately resolved the deployment issue by removing all hidden characters. The experience highlighted inconsistencies in how hidden characters are displayed and the potential for such issues to arise even when following standard procedures, prompting a suggestion for AWS to investigate the cause.

Opinions

  • Radichel finds it odd that the cat -v command on Amazon Linux does not display hidden characters, while cat -T shows specific types of tabs but not those created by the tab key during an SSH session.
  • The author expresses surprise at the inconsistency of the issue, as other policies with similar adjustments deployed without any problems.
  • Radichel suggests that AWS should look into the cause of the hidden characters issue, implying that it might be a systemic problem rather than an isolated incident.
  • There is a hint of frustration in the narrative, as the author had to spend time troubleshooting an issue that was "literally impossible to see otherwise."
  • The author values sharing knowledge and experience, as indicated by the invitation to follow for updates and the provision of various resources for those seeking help with cybersecurity.

found character ‘\t’ that cannot start any token

Error when copying and redeploying AmazonEC2ContainerServiceforEc2Role from IAM Console

I copied a policy document from the AWS IAM console. Specifically this policy:

AmazonEC2ContainerServiceforEc2Role

When I tried to deploy my own copy of that policy I got this error:

while scanning for the next token
found character '\t' that cannot start any token
in "<unicode string>", line 12, column 1:
PolicyDocument:
^ (line: 12)

I ran this cat command on my file to see the tabs:

cat -T BatchECSInstanceRolePolicy.yaml

With that output it was easy to find the problem.

Which is literally impossible to see otherwise:

However, after fixing that line — with tabs — the policy still wouldn’t deploy with the same error. Notice that the characters that appear for my tabs are different from those shown for what existed previously:

So I deleted a bunch of those characters and now my file looks like this:

The file still won’t deploy.

What is odd is that I copied and pasted the policy document the same way I did for a bunch of other policies I just created. I also used tabs to fix the alignment of those policies and I’m not having the same issues with those policies. They all deployed fine. So how did those hidden characters get in that file? I don’t know.

In any case, once I removed them all the policy deployed just fine.

The other thing that I find odd is that on this version of Amazon Linux, the cat -v command does not print out hidden characters but cat -T shows those specific types of tabs but not the tabs created when I hit the tab button in a remote SSH session to access Amazon Linux. Hmm.

I don’t have more time to dig into the hex of it all but maybe someone at AWS should consider what may have caused this.
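
A scanner for the kind of hidden characters described above, as an added example that is not part of the original post: it reports the line, column and Unicode name of every tab, control or non-ASCII character in a template before it is deployed. The sample bytes are constructed, and the no-break space in them is an assumption, since the post does not identify which characters were in the file.

```python
import sys
import unicodedata

# Names for the control characters most likely to end up in a pasted template.
CONTROL_NAMES = {0x09: "TAB", 0x0D: "CARRIAGE RETURN"}


def find_hidden_chars(data: bytes):
    """Return (line, column, description) for each character outside printable ASCII."""
    findings = []
    # Undecodable bytes become U+FFFD, so they are reported as well.
    text = data.decode("utf-8", errors="replace")
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if 0x20 <= cp <= 0x7E:
                continue  # visible ASCII and the ordinary space are fine
            name = CONTROL_NAMES.get(cp) or unicodedata.name(ch, "CONTROL CHARACTER")
            findings.append((line_no, col, f"U+{cp:04X} {name}"))
    return findings


# Constructed sample (not the author's file): a tab used as indentation on
# line 5 and a UTF-8 no-break space after "Version:" on line 6.
SAMPLE = (
    b"Resources:\n"
    b"  Policy:\n"
    b"    Type: AWS::IAM::ManagedPolicy\n"
    b"    Properties:\n"
    b"\tPolicyDocument:\n"
    b"      Version:\xc2\xa0'2012-10-17'\n"
)


def main(argv):
    # Scan the file named on the command line, or the constructed sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    findings = find_hidden_chars(data)
    for line_no, col, desc in findings:
        print(f"line {line_no}, column {col}: {desc}")
    return 1 if findings else 0  # non-zero exit can gate a deploy script


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the file is read as bytes and every character outside printable ASCII is named, the result does not depend on how a terminal or `cat` option renders it.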

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
