Teri Radichel

Summary

The web content discusses troubleshooting a specific error related to deploying Service Control Policies (SCPs) in AWS Organizations, with a focus on the unclear error message "The provided policy document does not meet the requirements of the specified policy type."

Abstract

The author is attempting to deploy an SCP in AWS Organizations and encounters an error message stating that the provided policy document does not meet the requirements of the specified policy type. Despite the policy working previously, the error arises when trying to pass a value from a parameter. The author explores various solutions, such as using default parameter values, !Ref, !Sub, conditions, and even checking for missing commas. They also reference past experiences and community discussions on platforms like Stack Overflow and Medium, but the issue persists. The author concludes that dynamic elements like Fn::If, Fn::Join, or Fn::ImportValue cannot be included in SCPs and wishes AWS provided clearer examples and more specific error messages. Additionally, the author notes that duplicate SID names can cause the error, suggesting that the error message could be more precise.

Opinions

  • The author finds the error message confusing and sometimes incorrect, indicating frustration with the lack of clarity.
  • They express a preference for the previous CloudFormation layout over the current one.
  • The author believes AWS should provide examples of SCPs with dynamic elements on the CloudFormation page if such usage is supported.
  • There is a clear desire for more precise error messages from AWS to reduce the time spent troubleshooting.
  • The author points out that AWS error messages could be more specific, particularly when dealing with unsupported policy constructs or duplicate SID names.

The provided policy document does not meet the requirements of the specified policy type.

Confusing (sometimes incorrect) error message while deploying an SCP — and possible causes

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I’m deploying this SCP and this works:

Now I want to optionally set the Resource to * or a specific role that I pass in, so I move the value to be the default for a parameter like this:

And I !Ref the parameter like this:

I get the following error which makes no sense to me. The policy is clearly the correct type. It just worked. I’m simply passing in a value from the parameter and it’s the same value I replaced.

Resource handler returned message: “The provided policy document does not meet the requirements of the specified policy type.”

I also tried a !Sub and that didn’t work either.

I then tried a condition. No joy.

I found this on Stack Exchange so I added a Sid. Nope.

I found my own post on this topic before here, but this was not the problem obviously:

Somehow I end up with this trying to close extraneous screens. I liked the other version of CloudFormation with the top/bottom layout soooo much better than the side-to-side layout.

Apparently commas missing at ends of lines can cause this too:

Terraform issue. Nope.

So after messing around with this for far too long, I have come to the conclusion that you cannot include dynamic elements in AWS Organizations Service Control Policies like Fn::If, Fn::Join, or Fn::ImportValue. If you can, I wish AWS would provide examples on the CloudFormation page. Also, I wish this error message would more specifically state what the problem is as this is taking far too much time to reverse engineer.

Update: You can also get this error if you try to use NotResource or some other unsupported SCP policy construct.

Update: You can also get this error if you give two Sids the same name. I did that due to copying and pasting. Seems like the error could easily tell you that you have a problem due to a duplicate SID??
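Since the error message does not say which of these problems it is hitting, a pre-deploy check can. The linter below is an added example (not code from the post) that flags the three causes reported above: a CloudFormation intrinsic (Ref or Fn::*) left inside the policy content, a statement element outside SCP syntax such as NotResource, and a duplicate Sid. It assumes the policy content is already a Python dict (for example parsed from the template's Content block), and the sample document, statement names and ARN are constructed for illustration.

```python
from collections import Counter

# Elements SCP syntax accepts inside a statement. Principal, NotPrincipal and
# NotResource are not SCP syntax, so anything outside this set gets reported.
ALLOWED_STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource", "Condition"}


def _find_intrinsics(node, path="Content"):
    """Recursively collect CloudFormation intrinsics (Ref, Fn::*) left in the document."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" or key.startswith("Fn::"):
                found.append(f"{path}: unresolved CloudFormation intrinsic '{key}'")
            found.extend(_find_intrinsics(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(_find_intrinsics(item, f"{path}[{i}]"))
    return found


def lint_scp(policy):
    """Return a list of readable problems; an empty list means no known cause was found."""
    problems = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    sid_counts = Counter(s["Sid"] for s in statements if "Sid" in s)
    for sid, n in sid_counts.items():
        if n > 1:
            problems.append(f"duplicate Sid '{sid}' used {n} times")
    for i, stmt in enumerate(statements):
        for key in sorted(stmt.keys() - ALLOWED_STATEMENT_KEYS):
            problems.append(f"Statement[{i}]: element '{key}' is not supported in SCPs")
    problems.extend(_find_intrinsics(policy))
    return problems


# Constructed sample that packs all three mistakes into one document.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyRoleChanges", "Effect": "Deny",
         "Action": ["iam:UpdateAssumeRolePolicy"],
         "Resource": {"Ref": "ProtectedRoleArn"}},      # dynamic value via !Ref
        {"Sid": "DenyRoleChanges", "Effect": "Deny",     # Sid copied and pasted twice
         "Action": "iam:DeleteRole",
         "NotResource": "arn:aws:iam::*:role/Admin"},    # NotResource is not SCP syntax
    ],
}

if __name__ == "__main__":
    for problem in lint_scp(SAMPLE_SCP):
        print(problem)
```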

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab