
The following error occurs for multiple reasons when attempting to deploy a CloudFormation template, and in some cases the message is neither accurate nor helpful:

Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: xxxxxx; Proxy: null)

It can accurately mean that someone listed an action without the service prefix defined in the AWS IAM documentation (each action is written as service-prefix:ActionName).

For example:

Statement:
  - Effect: Allow
    Action: 'CreateAccount'   # no service prefix
    Resource: '*'

Should be:

Statement:
  - Effect: Allow
    Action: 'organizations:CreateAccount'   # prefix, colon, action name
    Resource: '*'

However, the same error occurs when the user has added a prefix in the right place but misspelled it. For the code below, a message such as "service prefix x does not exist" would be far more useful than the generic one above, and CloudFormation has everything it needs to produce it.

Statement:
  - Effect: Allow
    Action: 'x:CreateAccount'   # correct syntax, but 'x' is not a service prefix
    Resource: '*'

The other case where this error appears is also misleading. I don't know about anyone else, but for some reason I always want to use a dot instead of a colon, as shown in the next block of code. It seems simple enough to identify that the beginning of the action is a service name but that the syntax is incorrect, with a period where the colon should be:

Statement:
  - Effect: Allow
    Action: 'organizations.CreateAccount'   # '.' instead of ':' after the prefix
    Resource: '*'

In all cases above, the message itself is returned by the IAM API (note Service: AmazonIdentityManagement in the error), and CloudFormation relays it. CloudFormation still has the whole template, though, so it could point to the offending piece of code in the console, for example: "Invalid separator: organizations.CreateAccount".

These small changes would probably make it easier for developers to troubleshoot their code and quickly find problems.
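Until the deployment tooling reports the offending action itself, the check is easy to run before a stack update. The following script is an added example, not code from the original post: it walks a parsed CloudFormation template, finds every Action and NotAction string, and classifies each one against the three failure modes above (missing prefix, unknown prefix, dot instead of colon), reporting the template path of the bad string. The template is embedded as JSON so the example needs no YAML library (CloudFormation short-form tags such as !Ref need a custom YAML loader anyway); the KNOWN_PREFIXES set is an illustrative subset I chose for the example, not the full AWS list, and the sample template is constructed for this demonstration.

```python
"""Pre-deployment lint for IAM Action strings in a CloudFormation template.

Added example, not code from the original post. Reports the specific
reason an Action string would be rejected and where in the template it is.
"""
import json
import re
from typing import Any, Iterator, List, Optional, Tuple

# Assumption: an illustrative subset of IAM service prefixes. A real check
# would load the full list from the AWS Service Authorization Reference.
KNOWN_PREFIXES = {"iam", "sdb", "ec2", "s3", "sts", "kms", "logs", "organizations"}

# <service-prefix>:<ActionName>; '*' is allowed in the action part (s3:Get*)
# and prefixes may contain hyphens (execute-api). IAM matches case-insensitively.
ACTION_RE = re.compile(r"^([a-z0-9-]+):([a-z0-9*]+)$", re.IGNORECASE)


def classify_action(action: str) -> Optional[str]:
    """Return None if the action is well-formed, else the specific reason it is not."""
    if action == "*":
        return None
    match = ACTION_RE.match(action)
    if match is None:
        if ":" not in action:
            # Distinguish "forgot the prefix" from "used '.' instead of ':'"
            head, sep, tail = action.partition(".")
            if sep and head.lower() in KNOWN_PREFIXES:
                fixed = f"{head}:{tail}"
                return f"invalid separator: {action!r} (did you mean {fixed!r}?)"
            return f"missing service prefix: {action!r}"
        return f"malformed action: {action!r}"
    prefix = match.group(1).lower()
    if prefix not in KNOWN_PREFIXES:
        return f"unknown service prefix {prefix!r} in {action!r}"
    return None


def iter_actions(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Walk the parsed template and yield (path, action) for each Action/NotAction string.

    Non-string values (e.g. intrinsic functions) are skipped: they cannot be checked statically.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key in ("Action", "NotAction"):
                if isinstance(value, str):
                    yield child, value
                elif isinstance(value, list):
                    for i, item in enumerate(value):
                        if isinstance(item, str):
                            yield f"{child}[{i}]", item
            else:
                yield from iter_actions(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_actions(item, f"{path}[{i}]")


def lint_template(template: dict) -> List[str]:
    """Return one finding per malformed action, each prefixed with its template path."""
    findings = []
    for path, action in iter_actions(template):
        reason = classify_action(action)
        if reason is not None:
            findings.append(f"{path}: {reason}")
    return findings


# Constructed sample template containing the three mistakes from the post plus two valid statements.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "OrgAdminRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "lambda.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        },
        "Policies": [{
          "PolicyName": "org",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {"Effect": "Allow", "Action": "CreateAccount", "Resource": "*"},
              {"Effect": "Allow", "Action": "x:CreateAccount", "Resource": "*"},
              {"Effect": "Allow", "Action": "organizations.CreateAccount", "Resource": "*"},
              {"Effect": "Allow", "Action": ["organizations:CreateAccount", "s3:Get*"], "Resource": "*"}
            ]
          }
        }]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE) or ["no malformed actions found"]:
        print(finding)
```

This is a syntax check only; it does not know whether CreateAccount is a real action for the organizations service. For that, run the template through cfn-lint, or pass the rendered policy document to IAM Access Analyzer's ValidatePolicy API (aws accessanalyzer validate-policy), which checks actions against the current service list and returns findings with the offending position.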


Teri Radichel | © 2nd Sight Lab 2023
