Teri Radichel

Summary

The author of the web page, who has experience with KMS and CloudFormation services, encountered a "PutKeyPolicy failed due to MalformedPolicyDocumentException" error and struggled with the lack of specificity in the error message regarding the cause of the problem.

Abstract

The author shared their experience with a challenging error message they encountered while working with KMS (Key Management Service) or CloudFormation. They received a "PutKeyPolicy failed due to MalformedPolicyDocumentException" error, which was difficult to resolve due to its lack of specificity about the cause of the error. The author had to spend time searching for the issue in their complex and lengthy key policy code. Eventually, they found a typo in a condition statement and a misalignment of dashes in a list that caused the error. The author expressed their wish for the policy parser to provide more helpful error messages to ease troubleshooting for users.

Opinions

  • The author believes that the error message they encountered was not specific enough, making it difficult to resolve the issue.
  • The author suggests that the policy parser could provide better error messages by indicating what line caused the error, even if it's just the output of a YAML or JSON parse.
  • The author found a typo in their condition statement (stringEuals instead of stringEquals) and a misalignment of dashes in a list that caused the error.
  • The author wishes for a more automated process with better error messages to help users resolve such issues.
  • The author mentioned that they keep writing down these error messages to remind themselves of the causes, but a better error message system could be more beneficial.
  • The author expressed the need to write their own parser someday to improve the error message system but has other priorities at the moment.
  • The author follows up their post with information about themselves, their company, and how to reach out to them for help with cybersecurity, cloud, or application security.

PutKeyPolicy failed due to MalformedPolicyDocumentException

A single letter in a misspelled condition…


Sometimes the errors you get back really could be a bit more helpful. I don’t know if this error message is coming from KMS or CloudFormation, but based on my experiences to date with KMS, I am guessing that CloudFormation calls a KMS API and prints out exactly what the KMS service returns.

PutKeyPolicy failed due to MalformedPolicyDocumentException

Now when you have a very long and complex key policy, it would be super nice if whatever is parsing this key policy could be a bit more specific. Don’t just pass back whatever the YAML or JSON parse spits out, but try to figure out what exactly the error is. At a minimum, indicate what line caused the error.

This is one of those issues where I stared and stared at the code and couldn’t see it. Well, I’m not kidding when I say I should probably wear glasses but it’s such a hassle to go get them. I increased the size of the font and then it was obvious. I had a typo in my condition statement.

I wrote:

stringEuals

when it should have been

stringEquals

Right before this I had another error which was caused by a misalignment of dashes in a list:

 -
 -
   -
 -

There must be a way the policy parser could help a sista out and tell me what the problem is in the error message??

Anyway, I keep writing these down because I forget what causes them and then I can return to my blog to remind myself, but it seems like this could be a bit more automated with better error messages. If nothing else I need to write my own parser someday but I’m not getting paid by AWS to do that and I have other priorities at the moment. :)
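A pre-deployment check along the lines wished for above, as an added example (not the author's code and not how KMS or CloudFormation validate policies): it walks a JSON key policy, flags any condition operator it does not recognise, and reports the line and the closest known operator. It assumes the policy is available as JSON text, compares operator names case-insensitively so the spelling used in this post passes, and runs against a constructed sample policy with a documentation-style account ID.

```python
import difflib
import json

# IAM condition operators this check recognises.
OPERATORS = (
    "StringEquals StringNotEquals StringEqualsIgnoreCase StringLike StringNotLike "
    "StringNotEqualsIgnoreCase NumericEquals NumericNotEquals NumericLessThan "
    "NumericLessThanEquals NumericGreaterThan NumericGreaterThanEquals "
    "DateEquals DateNotEquals DateLessThan DateLessThanEquals DateGreaterThan "
    "DateGreaterThanEquals Bool BinaryEquals IpAddress NotIpAddress ArnEquals "
    "ArnLike ArnNotEquals ArnNotLike Null"
).split()
KNOWN = {op.lower(): op for op in OPERATORS}  # case-insensitive lookup

def base_operator(name):
    """Strip a ForAllValues:/ForAnyValue: prefix and an IfExists suffix."""
    name = name.split(":", 1)[-1]
    return name[:-8] if name.endswith("IfExists") else name

def lint_conditions(policy_text):
    """Return (line, statement index, operator, suggestion) per unknown operator."""
    stmts = json.loads(policy_text).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # lone statement object
    lines = policy_text.splitlines()
    findings = []
    for idx, stmt in enumerate(stmts):
        for op in stmt.get("Condition", {}):
            base = base_operator(op).lower()
            if base in KNOWN:
                continue
            close = difflib.get_close_matches(base, list(KNOWN), n=1)
            line = next((n for n, text in enumerate(lines, 1) if f'"{op}"' in text), None)
            findings.append((line, idx, op, KNOWN[close[0]] if close else None))
    return findings

# Constructed sample key policy (documentation account ID) with the post's typo.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {
      "stringEuals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}
    }
  }]
}"""

for line, idx, op, hint in lint_conditions(SAMPLE):
    print(f"line {line}: Statement[{idx}] unknown operator {op!r}; did you mean {hint}?")
```

A policy kept in a CloudFormation YAML template would have to be converted to JSON before this check applies; a YAML parser's own error position covers the misaligned-dash case.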


Teri Radichel | © 2nd Sight Lab 2022
