Teri Radichel


The provided policy document does not meet the requirements of the specified policy type.

Confusing (sometimes incorrect) error message while deploying an SCP, and possible causes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’m deploying this SCP and this works:

Now I want to optionally set the Resource to * or a specific role that I pass in, so I move the value to be the default for a parameter like this:

And I !Ref the parameter like this:

I get the following error which makes no sense to me. The policy is clearly the correct type. It just worked. I’m simply passing in a value from the parameter and it’s the same value I replaced.

Resource handler returned message: “The provided policy document does not meet the requirements of the specified policy type.”

I also tried a !Sub and that didn’t work either.

I then tried a condition. No joy.

I found this on stack exchange so I added a Sid. Nope.

I found my own post on this topic before here, but this was not the problem obviously:

Somehow I end up with this trying to close extraneous screens. I liked the other version of CloudFormation with the top/bottom layout soooo much better than the side to side layout.

Apparently commas missing at ends of lines can cause this too:

Terraform issue. Nope.

So after messing around with this for far too long, I have come to the conclusion that you cannot include dynamic elements in AWS Organizations Service Control Policies like Fn::If, Fn::Join, or Fn::ImportValue. If you can, I wish AWS would provide examples on the CloudFormation page. Also, I wish this error message would more specifically state what the problem is as this is taking far too much time to reverse engineer.

Update: You can also get this error if you try to use NotResource, Principal, NotPrincipal, or some other policy construct that SCPs do not support (IAM accepts these, SCPs do not). The same error appears if an Allow statement uses anything other than “*” for its Resource, which SCPs require.

Update: You can also get this error if you give two Sids the same name. I did that due to copying and pasting. Seems like the error could easily tell you that you have a problem due to a duplicate SID??
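Because CloudFormation collapses every one of these causes into the same one-line error, it helps to lint the policy document locally before deploying. The following Python script is an added example, not code from the original post, and makes no AWS API calls. It checks for the causes listed above (unparseable JSON such as a missing comma, duplicate Sids, and unsupported elements like NotResource) and goes slightly beyond the post by also enforcing two documented SCP rules: Allow statements must use Resource "*", and Principal/NotPrincipal are never allowed. The sample policies at the bottom are constructed for illustration.

```python
"""Offline lint for AWS Organizations Service Control Policy documents.

Added example, not from the original post. Catches the causes of
"The provided policy document does not meet the requirements of the
specified policy type" discussed above, before CloudFormation does.
"""
import json
from typing import List

# Statement elements the SCP grammar accepts.
ALLOWED_STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "Condition"}
# Elements IAM identity policies accept but SCPs reject.
UNSUPPORTED_KEYS = {"NotResource", "Principal", "NotPrincipal"}
# Documented maximum size of an SCP document (whitespace counts).
MAX_SCP_CHARS = 5120


def lint_scp(document: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was detected."""
    findings: List[str] = []

    if len(document) > MAX_SCP_CHARS:
        findings.append(f"document is {len(document)} characters; SCP limit is {MAX_SCP_CHARS}")

    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        # A missing comma ends up here; report the position CloudFormation hides.
        findings.append(f"invalid JSON at line {exc.lineno} column {exc.colno}: {exc.msg}")
        return findings

    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    if not statements:
        findings.append("policy has no Statement")
        return findings

    seen_sids = set()
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid")
        label = f"statement {index}" + (f" (Sid {sid!r})" if sid is not None else "")

        # Duplicate Sids (the copy/paste case from the post).
        if sid is not None:
            if sid in seen_sids:
                findings.append(f"{label}: duplicate Sid {sid!r}")
            seen_sids.add(sid)

        # Elements SCPs do not support, plus anything unrecognised.
        for key in stmt:
            if key in UNSUPPORTED_KEYS:
                findings.append(f"{label}: {key} is not supported in SCPs")
            elif key not in ALLOWED_STATEMENT_KEYS:
                findings.append(f"{label}: unknown element {key!r}")

        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny, got {effect!r}")

        if "Resource" not in stmt:
            findings.append(f"{label}: missing Resource")
        elif effect == "Allow" and stmt["Resource"] != "*":
            findings.append(f"{label}: Allow statements must use Resource \"*\"")

    return findings


# Constructed sample documents for illustration.
GOOD_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}
  ]
}"""

DUPLICATE_SID_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyS3", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    {"Sid": "DenyS3", "Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"}
  ]
}"""

NOT_RESOURCE_SCP = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyOutsideRole", "Effect": "Deny", "Action": "iam:*",
     "NotResource": "arn:aws:iam::*:role/AdminRole"}
  ]
}"""

MISSING_COMMA_SCP = '{"Version": "2012-10-17" "Statement": []}'


if __name__ == "__main__":
    for name, doc in [("good", GOOD_SCP), ("duplicate sid", DUPLICATE_SID_SCP),
                      ("NotResource", NOT_RESOURCE_SCP), ("missing comma", MISSING_COMMA_SCP)]:
        print(f"{name}: {lint_scp(doc) or 'no findings'}")
```

Run it against the policy text before it goes into the `Content` property; anything it reports is a cause of the generic error that CloudFormation would otherwise make you reverse engineer.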

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab