Comments (2)
Bumping as this caught me out today expecting valid JSON on stdout with -o.
I've raised a PR with the simplest fix I could see :)
from cfn_nag.
The problem was found in the template and corrected, which fixed the error in the output. Original template:
Wrong:
```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases:
                      - !Ref RDSKMSKeyAlias
```
Right:
```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases: !Ref RDSKMSKeyAlias
```
Specifically, cfn-nag was puking on this having a list instead of a string:
```yaml
Condition:
  ForAnyValue:StringEquals:
    kms:ResourceAliases: ...
```
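As an added example (not code from the issue thread or from the cfn_nag project), the following Ruby script parses a CloudFormation template with Psych, the same YAML library cfn-nag is built on, and reports the shape (YAML list or scalar) of every value under an IAM policy `Condition`, so a list-valued `kms:ResourceAliases` like the one in the comment above can be caught before the template is handed to a linter. The `Intrinsic` class, the `parse_template`, `each_statement`, `condition_shapes` and `list_valued_conditions` helpers, and the cut-down sample templates are all assumptions made for this example; it does not reproduce how cfn-nag itself parses intrinsics or why its JSON output broke.

```ruby
require 'yaml'

# Keeps short-form intrinsics (!Ref, !Sub, ...) as objects instead of letting Psych
# flatten them to plain strings. Hypothetical helper written for this example.
class Intrinsic
  attr_reader :name, :value

  # Psych calls init_with for classes registered through YAML.add_tag.
  def init_with(coder)
    @name = coder.tag.sub(/\A!/, '')
    @value = case coder.type
             when :scalar then coder.scalar
             when :seq    then coder.seq
             else coder.map
             end
  end
end

%w[Ref Sub GetAtt Join Select If FindInMap ImportValue].each do |fn|
  YAML.add_tag("!#{fn}", Intrinsic)
end

# safe_load with only Intrinsic permitted: an unquoted date such as 2010-09-09 would
# raise Psych::DisallowedClass, which is why the Version strings below stay quoted.
def parse_template(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Intrinsic])
end

# Yields every statement of every policy document found anywhere in the tree.
def each_statement(node, path = [], &block)
  case node
  when Hash
    if node['Statement'].is_a?(Array)
      node['Statement'].each_with_index { |stmt, i| block.call(stmt, path + ['Statement', i]) }
    end
    node.each { |key, child| each_statement(child, path + [key], &block) }
  when Array
    node.each_with_index { |child, i| each_statement(child, path + [i], &block) }
  end
end

# One row per Condition key: location, operator, key, parsed value, and whether the
# value is a YAML list rather than a scalar.
def condition_shapes(yaml_text)
  rows = []
  each_statement(parse_template(yaml_text)) do |stmt, path|
    (stmt['Condition'] || {}).each do |operator, keys|
      keys.each do |key, value|
        rows << { path: path.join('/'), operator: operator, key: key,
                  value: value, list: value.is_a?(Array) }
      end
    end
  end
  rows
end

def list_valued_conditions(yaml_text)
  condition_shapes(yaml_text).select { |row| row[:list] }
end

# Constructed sample: a cut-down copy of the "Wrong" template from the comment above,
# keeping the one-element list under kms:ResourceAliases that cfn-nag rejected.
WRONG_TEMPLATE = <<~'YAML'
  ---
  AWSTemplateFormatVersion: "2010-09-09"
  Resources:
    Role:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: { Service: ["ec2.amazonaws.com"] }
              Action: ["sts:AssumeRole"]
        Policies:
          - PolicyName: AliasBasedKMSAccess
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: ["kms:Decrypt", "kms:Encrypt"]
                  Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                  Condition:
                    ForAnyValue:StringEquals:
                      kms:ResourceAliases:
                        - !Ref RDSKMSKeyAlias
YAML

# The same template with the scalar form the commenter switched to.
RIGHT_TEMPLATE = WRONG_TEMPLATE.sub(/kms:ResourceAliases:\s*- !Ref RDSKMSKeyAlias/,
                                    'kms:ResourceAliases: !Ref RDSKMSKeyAlias')

list_valued_conditions(WRONG_TEMPLATE).each do |row|
  puts "#{row[:path]}: #{row[:operator]} #{row[:key]} is a list of #{row[:value].size}"
end
```

Registering the intrinsic tags matters for any linter of this kind: without `YAML.add_tag`, Psych accepts an unregistered local tag such as `!Ref RDSKMSKeyAlias` but hands back the bare string `RDSKMSKeyAlias`, so a reference to a parameter and a literal alias name become indistinguishable. The check above only reports shape; whether a given operator accepts a list is a separate IAM question, and the commenter's fix was simply to use the scalar form that cfn-nag handled.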