
The policy failed legacy parsing

Another non-sensical Policy Document error message in CloudFormation

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | Application Security | CloudFormation

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I may have written about this before, but this is one of the worst error messages for Policy Documents in existence. How is an end user reading this error message supposed to know what to do with it?

The policy failed legacy parsing (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxx;  Proxy: null)

This error message occurred because I failed to use !Sub in my policy when referencing an AWS pseudo parameter. That's it. CloudFormation only expands ${AWS::AccountId} inside a Sub, so without it the literal string is sent to IAM, which rejects the policy. Here's the policy:

Instead of this:

Resource:
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/Lambda*'
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/Batch*'

I had this:

Resource:
  - 'arn:aws:iam::${AWS::AccountId}:role/Lambda*'
  - 'arn:aws:iam::${AWS::AccountId}:role/Batch*'

One thing I wonder is, why do we need the Sub at all? Can't AWS tell that it needs to substitute something when it runs across ${ ?

Anyway, that’s at least one fix if you see: “The policy failed legacy parsing” while deploying a CloudFormation template.

Update: Here's another one. When you are using AWS pseudo parameters for account and region, if you forget to add two colons you get the same error.

In other words this:

AWS:AccountId

Should be this:

AWS::AccountId
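Both mistakes above (a ${AWS::...} reference outside !Sub, and the single-colon AWS:AccountId typo) are easy to catch before a deploy ever reaches IAM. The following linter is an added example written for this post, not code from the original article or from AWS; it is a line-oriented regex scan rather than a full YAML parser, so it assumes the inline `!Sub '...'` / `Fn::Sub:` form or the list form whose string sits on the indented lines after `!Sub`. The template it scans is constructed for the example, with the resource name DeployPolicy and parameter FunctionName made up.

```python
import re
from typing import List, Tuple

# Pseudo parameters CloudFormation defines (the AWS::X names usable inside ${...}).
PSEUDO_PARAMS = {
    "AccountId", "Region", "Partition", "StackName", "StackId",
    "URLSuffix", "NotificationARNs", "NoValue",
}

# Matches ${AWS::Name} as well as the single-colon typo ${AWS:Name}.
REF_RE = re.compile(r"\$\{AWS(::|:)(\w+)\}")
# Any Sub on the current line (inline short or long form).
SUB_RE = re.compile(r"!Sub\b|Fn::Sub")
# A Sub whose argument continues on the following, more indented lines.
SUB_START_RE = re.compile(r"(!Sub|Fn::Sub:)\s*$")


def lint_template(text: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for each pseudo-parameter misuse found."""
    findings: List[Tuple[int, str]] = []
    sub_block_indent = None  # indent of an open multi-line !Sub, if any

    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if not stripped or stripped.startswith("#"):
            continue
        # Indentation back at or above the !Sub line means we left its argument.
        if sub_block_indent is not None and indent <= sub_block_indent:
            sub_block_indent = None
        in_sub = sub_block_indent is not None or SUB_RE.search(line) is not None
        if SUB_START_RE.search(line):
            sub_block_indent = indent

        for m in REF_RE.finditer(line):
            sep, name = m.group(1), m.group(2)
            if sep == ":":
                findings.append((lineno, f"'{m.group(0)}' uses a single colon; write ${{AWS::{name}}}"))
                continue
            if name not in PSEUDO_PARAMS:
                findings.append((lineno, f"'{m.group(0)}' is not a known pseudo parameter"))
            if not in_sub:
                findings.append((lineno, f"'{m.group(0)}' appears outside !Sub; "
                                         "CloudFormation will pass it to IAM literally"))
    return findings


# Constructed sample template: line 15 lacks !Sub, line 16 has the single-colon typo,
# and the list-form !Sub on lines 19-21 is correct.
SAMPLE_TEMPLATE = """\
Parameters:
  FunctionName:
    Type: String
Resources:
  DeployPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: iam:PassRole
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/Lambda*'
              - 'arn:aws:iam::${AWS::AccountId}:role/Batch*'
              - !Sub 'arn:aws:iam::${AWS:AccountId}:role/Glue*'
          - Effect: Allow
            Action: logs:CreateLogGroup
            Resource: !Sub
              - 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${Name}'
              - Name: !Ref FunctionName
"""

if __name__ == "__main__":
    for lineno, message in lint_template(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {message}")
```

Run it against a template file before `aws cloudformation deploy`; a finding on a Resource or Principal string is exactly the kind of problem that otherwise surfaces only as "The policy failed legacy parsing".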

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2022

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab