Syntax errors in policy (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
Errors related to malformed AWS Policy Documents
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics | Code.
🔒 Related Stories: Bugs | AWS Security | Secure Code
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
When creating an IAM Policy document you need to make sure you have all the required parts and pieces first of all.
AWS has a list of the elements required in a JSON policy here. A YAML policy would have the same elements but using YAML syntax instead of JSON obviously:
You’ll need to ensure you include any required elements.
The CloudFormation documentation incorrectly lists the type as Json when the description right above says it can be provided in YAML or JSON format. I guess they are referring to how it shows up in the AWS console regardless of which format you choose in CloudFormation.
Unfortunately that documentation does not include the detailed definition of the Policy Document object like it does for other CloudFormation objects. I’ve asked for that via #awswishlist.
I’d written a policy like this and was getting an error:
Although we don’t get clear specifications we can take a look at the sample policy at the bottom of the page:
In their example they do not have the dash (indicating a list) in front of the Roles element. I get the following which indicates that if you do provide specific values you need to provide a list for the roles element:
Value of property Roles must be of type List of String
So I need to add a dash before the role element. Hmm. I thought I copied another working template but let’s try it.
Nope, malformed. It would be really great if the error message could tell you more precisely what was wrong with this template wouldn’t it??
In my case I can look at policies specific to Secrets Manager.
Here I can see that the resource can be a list:
Or a single string:
Maybe you’ve already noticed my typo by now but I did not see it immediately. I added an “s” on to “Resource”. So it wasn’t my role or policy at all that was causing the problem.
Now, I’ve been writing IAM policies for about a decade. If I can overlook this typo I wonder how confusing this must be to someone who is just starting out. And I wonder why AWS cannot report in this message that a required component of the policy (Resource) is missing to give the person writing the policy a better clue as to what the problem is. It seems like this would be a simple validation check and error message to add, among others.
At any rate, this problem is solved.
I wrote about another MalformedPolicyDocument error here:
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2022
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab