An Overview of cfn-policy-validator: Validating CloudFormation IAM Policies

Eden Hare
12 min read · Aug 31, 2022

Disclaimer:

I am a Senior DevOps Consultant with AWS Professional Services. This is an original work derived from publicly available documentation.

Many CloudFormation templates create IAM roles and policies, either identity policies (attached to users, groups and roles) or resource policies (attached to resources such as S3 buckets, SQS queues or KMS keys). Verifying that a policy defined in a template is correct and functional is often difficult, because the policy document usually depends on one or more stack parameters and CloudFormation intrinsic functions (Ref, Fn::Sub, Fn::GetAtt and so on) whose values are only known when the stack is deployed. This article examines the challenges of writing an IAM policy inside a CloudFormation template and of verifying that policy before it is deployed.

An IAM Policy Refresher

An IAM policy defines the permissions of the principal (an IAM user, group or role, or a service) to which the policy is attached. The policy document has a well-defined structure: a JSON document with a Version and a list of Statement objects, each with an Effect, an Action or NotAction, a Resource or NotResource (required in identity policies) and an optional Condition. That structure is validated at different times depending on how the policy is created.
Some services validate policies with IAM Access Analyzer in the AWS Management Console, which checks that the policy grammar is correct and reports findings. Typically, if the policy contains a grammar error, you are prompted to correct it before the policy can be saved. A policy embedded in a CloudFormation template gets no such check while you are writing it: its intrinsic functions are only resolved during deployment, and a malformed policy document then causes the stack operation to fail.
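To make the two problems above concrete (parameters and intrinsic functions hide the real policy text, and the grammar is only checked late), here is an added example of my own. It is not code from the article or from cfn-policy-validator. It resolves Ref, Fn::Sub and Fn::Join inside an inline role policy of a constructed template, then runs a small local grammar check that approximates the structural errors Access Analyzer's ValidatePolicy would report. The pseudo-parameter values (partition, region, account) and the template are assumptions for the example; the real tool derives them from your credentials and the `--region` flag.

```python
"""Added example (not the article's or cfn-policy-validator's own code).

Resolves the CloudFormation intrinsic functions inside an inline IAM policy so
the concrete policy can be inspected, then applies a local grammar check that
approximates the kind of structural finding IAM Access Analyzer reports.
Only Ref, Fn::Sub and Fn::Join are handled; real templates may use more.
"""
import copy
import json
import re

# Constructed sample template: an identity policy that depends on a stack
# parameter and on the pseudo-parameters AWS::Partition/Region/AccountId.
TEMPLATE = {
    "Parameters": {"BucketName": {"Type": "String"}},
    "Resources": {
        "AppRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Policies": [{
                    "PolicyName": "app-access",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [
                            {
                                "Effect": "Allow",
                                "Action": ["s3:GetObject", "s3:PutObject"],
                                "Resource": {"Fn::Sub": "arn:${AWS::Partition}:s3:::${BucketName}/*"},
                            },
                            {
                                "Effect": "Allow",
                                "Action": "sqs:SendMessage",
                                "Resource": {"Fn::Join": [":", [
                                    "arn", {"Ref": "AWS::Partition"}, "sqs",
                                    {"Ref": "AWS::Region"}, {"Ref": "AWS::AccountId"}, "app-queue"]]},
                            },
                        ],
                    },
                }]
            },
        }
    },
}

# Assumed pseudo-parameter values for the example (the real tool takes these
# from the caller's credentials and --region).
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1", "AWS::AccountId": "123456789012"}


def resolve(node, params):
    """Recursively replace Ref / Fn::Sub / Fn::Join with concrete strings."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if "Ref" in node:
        name = node["Ref"]
        if name in params:
            return params[name]
        # A Ref to a stack parameter without a value (or to a resource logical
        # ID, which this toy resolver does not model) cannot be resolved.
        raise KeyError(f"unresolved Ref {name}: pass a value for the stack parameter")
    if "Fn::Sub" in node:
        arg = node["Fn::Sub"]
        text, local = (arg, {}) if isinstance(arg, str) else (arg[0], arg[1])
        scope = {**params, **{k: resolve(v, params) for k, v in local.items()}}

        def repl(m):
            key = m.group(1)
            if key not in scope:
                raise KeyError(f"unresolved Sub variable {key}")
            return str(scope[key])
        return re.sub(r"\$\{([^}]+)\}", repl, text)
    if "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(str(p) for p in resolve(parts, params))
    return {k: resolve(v, params) for k, v in node.items()}


def concrete_policies(template, parameter_values):
    """Return {policy_name: resolved PolicyDocument} for every inline role policy."""
    params = {**PSEUDO, **parameter_values}
    out = {}
    for res in template["Resources"].values():
        if res["Type"] != "AWS::IAM::Role":
            continue
        for pol in res["Properties"].get("Policies", []):
            out[pol["PolicyName"]] = resolve(copy.deepcopy(pol["PolicyDocument"]), params)
    return out


def grammar_findings(doc):
    """Local approximation of identity-policy grammar checks (not Access Analyzer)."""
    findings = []
    if doc.get("Version") not in ("2012-10-17", "2008-10-17"):
        findings.append("invalid or missing Version")
    stmts = doc.get("Statement")
    if isinstance(stmts, dict):
        stmts = [stmts]  # a single statement object is accepted
    if not isinstance(stmts, list):
        return findings + ["Statement must be a list"]
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        if not (("Action" in s) ^ ("NotAction" in s)):
            findings.append(f"statement {i}: exactly one of Action/NotAction required")
        if not (("Resource" in s) ^ ("NotResource" in s)):
            findings.append(f"statement {i}: exactly one of Resource/NotResource required")
        if "Principal" in s or "NotPrincipal" in s:
            findings.append(f"statement {i}: Principal is not allowed in an identity policy")
    return findings


if __name__ == "__main__":
    for name, doc in concrete_policies(TEMPLATE, {"BucketName": "my-app-bucket"}).items():
        print(name, json.dumps(doc, indent=2), grammar_findings(doc) or "no grammar findings")
```

The local check is deliberately narrow; it catches a missing Resource or a misspelt Effect, not semantic problems such as an over-broad wildcard. cfn-policy-validator does the same resolution step against your real template and then submits each concrete policy to the Access Analyzer ValidatePolicy API, which needs AWS credentials. The CLI equivalent of the example above is `pip install cfn-policy-validator` followed by `cfn-policy-validator validate --template-path template.yaml --region us-east-1 --parameters BucketName=my-app-bucket`, which exits non-zero when a blocking finding is returned.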

Eden Hare

Eden is the co-author of seven books and author of more than 100 articles and book chapters in technical, management, and information security publications.