An Overview of cfn-policy-validator: Validating CloudFormation IAM Policies

Eden Hare
12 min read · Aug 31, 2022

Disclaimer:

I am a Senior DevOps Consultant with AWS Professional Services. This is an original work derived from publicly available documentation.

In many CloudFormation templates we create IAM roles and policies. These can be identity or resource policies. Verifying that we have a functional policy defined within a CloudFormation template is often challenging, because the policy is likely to use one or more stack parameters or CloudFormation intrinsic functions. This article examines the challenges of creating an IAM policy within a CloudFormation template and verifying that policy before deployment.

An IAM Policy Refresher

An IAM policy defines the permissions for the principal (an IAM user, group, role, or service) to which the policy is attached. A policy definition has a well-defined structure, which is validated at different times depending on how the policy was created.
Some services implement policy validation using IAM Access Analyzer within the AWS Management Console, ensuring the policy grammar is correct. Typically, if the policy grammar contains an error, you are prompted to correct it before the policy can be saved.

This validation does not occur in the same fashion when creating a policy through CloudFormation, Terraform or another IaC tool. Instead, requests to the various APIs are checked for valid JSON, properties and so on. This is why, when we launch a CloudFormation template containing an IAM role with an error, some number of resources are created and then rolled back once the IAM policy error is found. Consequently, it is to our advantage if we can identify IAM policy errors before the CloudFormation template is processed.

Policies can be attached directly to a resource (a resource-based policy) or to a user, group or role (an identity-based policy). Both types follow the same policy grammar rules, although there are some differences between them.

The basic policy grammar looks like this:

policy = {
    <version_block?>
    <id_block?>
    <statement_block>
}

<version_block> = "Version" : ("2008-10-17" | "2012-10-17")

<id_block> = "Id" : <policy_id_string>

<statement_block> = "Statement" : [ <statement>, <statement>, ... ]

<statement> = {
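To make the two points above concrete (that CloudFormation only discovers a bad policy after it has started creating resources, and that a policy must follow the grammar sketched here), the following is an added example, not code from the article or from the cfn-policy-validator project. It walks a CloudFormation template, replaces intrinsic functions (Ref, Fn::Sub, Fn::Join, Fn::GetAtt) with placeholder or mock values, and then checks each policy document against the grammar rules from this section before anything is deployed. The sample template, the placeholder format, and the mock pseudo-parameter values (the account id, region and partition) are all constructed for this example; the real tool performs a richer check by handing the resolved documents to IAM Access Analyzer.

```python
import re

VALID_VERSIONS = ("2008-10-17", "2012-10-17")
VALID_EFFECTS = ("Allow", "Deny")
# Assumed mock values for pseudo parameters (constructed for this example).
PSEUDO_PARAMS = {"AWS::AccountId": "123456789012", "AWS::Region": "us-east-1", "AWS::Partition": "aws"}
# Resource types whose PolicyDocument property is a resource-based policy.
RESOURCE_BASED_TYPES = {"AWS::S3::BucketPolicy", "AWS::SQS::QueuePolicy", "AWS::SNS::TopicPolicy"}


def resolve(node, params):
    """Replace CloudFormation intrinsic functions with placeholder strings so the
    policy can be inspected as plain JSON. Unknown refs become <Ref:Name>."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            return PSEUDO_PARAMS.get(arg, params.get(arg, f"<Ref:{arg}>"))
        if key == "Fn::Sub":
            template = arg[0] if isinstance(arg, list) else arg
            local = dict(params)
            if isinstance(arg, list) and len(arg) > 1:
                local.update({k: resolve(v, params) for k, v in arg[1].items()})
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(resolve({"Ref": m.group(1)}, local)), template)
        if key == "Fn::Join":
            sep, parts = arg
            return sep.join(str(resolve(p, params)) for p in parts)
        if key == "Fn::GetAtt":
            return f"<GetAtt:{'.'.join(arg) if isinstance(arg, list) else arg}>"
    return {k: resolve(v, params) for k, v in node.items()}


def validate_policy(doc, resource_based):
    """Return a list of grammar findings for one resolved policy document."""
    findings = []
    if not isinstance(doc, dict):
        return ["policy document is not a JSON object"]
    version = doc.get("Version")
    if version is not None and version not in VALID_VERSIONS:
        findings.append(f"Version must be one of {VALID_VERSIONS}, got {version!r}")
    statements = doc.get("Statement")
    if statements is None:
        return findings + ["missing Statement block"]
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    if not isinstance(statements, list):
        return findings + ["Statement must be an object or a list of objects"]
    for i, st in enumerate(statements):
        prefix = f"Statement[{i}]: "
        if not isinstance(st, dict):
            findings.append(prefix + "statement is not an object")
            continue
        if st.get("Effect") not in VALID_EFFECTS:
            findings.append(prefix + f"Effect must be Allow or Deny, got {st.get('Effect')!r}")
        if ("Action" in st) == ("NotAction" in st):
            findings.append(prefix + "exactly one of Action / NotAction is required")
        has_resource = "Resource" in st or "NotResource" in st
        has_principal = "Principal" in st or "NotPrincipal" in st
        if resource_based and not has_principal:
            findings.append(prefix + "resource-based policy requires Principal or NotPrincipal")
        if not resource_based and has_principal:
            findings.append(prefix + "identity policy must not contain Principal")
        if not resource_based and not has_resource:
            findings.append(prefix + "identity policy requires Resource or NotResource")
    return findings


def validate_template(template):
    """Find every policy document in a template and validate it. Returns
    (logical_id, property_path, message) tuples; an empty list means clean."""
    params = {name: f"<Param:{name}>" for name in template.get("Parameters", {})}
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if "AssumeRolePolicyDocument" in props:  # role trust policy: resource-based
            for f in validate_policy(resolve(props["AssumeRolePolicyDocument"], params), True):
                findings.append((logical_id, "AssumeRolePolicyDocument", f))
        if "PolicyDocument" in props:
            rb = res.get("Type") in RESOURCE_BASED_TYPES
            for f in validate_policy(resolve(props["PolicyDocument"], params), rb):
                findings.append((logical_id, "PolicyDocument", f))
        for inline in props.get("Policies") or []:  # inline identity policies on a role
            for f in validate_policy(resolve(inline.get("PolicyDocument"), params), False):
                findings.append((logical_id, f"Policies/{inline.get('PolicyName')}", f))
    return findings


# Constructed sample template: one valid role, one managed policy with three errors.
SAMPLE_TEMPLATE = {
    "Parameters": {"BucketName": {"Type": "String"}},
    "Resources": {
        "GoodRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "ReadBucket", "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": ["s3:GetObject"],
                "Resource": {"Fn::Sub": "arn:${AWS::Partition}:s3:::${BucketName}/*"}}]}}]}},
        "BadPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {"PolicyDocument": {
            "Version": "2012-10-18",  # not a legal policy version
            "Statement": {"Effect": "Permit", "Action": "s3:*"}}}},  # bad Effect, no Resource
    },
}

if __name__ == "__main__":
    for logical_id, path, msg in validate_template(SAMPLE_TEMPLATE):
        print(f"{logical_id} ({path}): {msg}")
```

Run against the sample, the script reports nothing for GoodRole and three findings for BadPolicy (the version, the Effect, and the missing Resource), which is exactly the class of error that would otherwise surface only after CloudFormation had begun creating resources. Placeholders such as `<Param:BucketName>` are deliberately left in the resolved ARN: a grammar check does not need the real bucket name, only a string in the right position.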
Eden is the co-author of seven books and author of more than 100 articles and book chapters in technical, management, and information security publications.