How do I resolve "MalformedPolicyDocument" errors in AWS CloudFormation?


When I try to create or update an AWS CloudFormation stack, I get a "MalformedPolicyDocument" error message. I still get the error, even after I validate the template.

Short description

The ValidateTemplate API in AWS CloudFormation can validate only the syntax of your template. The API can't validate the property values that you specify for a resource. Because a policy document is configured as part of the property value, the validity of the policy isn't verified.

You get the "MalformedPolicyDocument" error when the policy document isn't syntactically or semantically correct, according to the grammar of the policy language.

To resolve this error, you must confirm that the policy document is valid for the particular resource type that it's a part of.

Resolution

Look for error message details in your stack events

  1. Open the AWS CloudFormation console.
  2. From the navigation pane, choose Stacks.
  3. Choose the stack that returned the error, and then choose the Events tab.
  4. Search the Status reason column for a message that explains the cause of the error.

If you still can't find the cause of the error, then complete the steps in the Get more information on the AWS CloudTrail event that caused the error section.

Get more information on the AWS CloudTrail event that caused the error

You can get more information by checking the errorMessage property of the CloudTrail event for the operation on your resource type that caused the error.

For example, if "MalformedPolicyDocument" results from an error in an inline policy that's attached to an AWS Identity and Access Management (IAM) role, complete the following steps:

  1. Open the AWS CloudTrail console.
  2. From the navigation pane, choose Event history.
  3. In the Filter search box, select Event name as the lookup attribute, and then enter PutRolePolicy in the corresponding text box.
  4. For Time range, set the time of the CloudTrail event to the time that you see in the error message shown in AWS CloudFormation events.
  5. In the Event name column, choose your event.
  6. From the Event record, check the value of the errorMessage property for a detailed message.

Validate the policy passed in the CloudTrail event

The CloudTrail event for the API-level action on the resource that's causing the error usually contains the resolved form of the policy document. You can copy this resolved policy document, and then create a new policy in the AWS Management Console directly for that particular resource.

For example, if "MalformedPolicyDocument" results from an error in an inline policy attached to an IAM role, complete the following steps:

  1. Open the CloudTrail console.
  2. From the navigation pane, choose Event history.
  3. In the Filter search box, select Event name as the lookup attribute, and then enter PutRolePolicy in the corresponding text box.
  4. For Time range, set the time of the CloudTrail event to the time that you see in the error message shown in AWS CloudFormation events.
  5. In the Event name column, choose your event.
  6. From the Event record, copy the value of the policyDocument property under the requestParameters.
  7. In a text editor, remove any "\" escape characters from the policy document (the CloudTrail record stores the document as a JSON string, so its quotes are escaped).
  8. Open the IAM console.
  9. From the navigation pane, choose Policies.
  10. Choose Create policy, and then choose the JSON tab.
  11. Enter the policy document that you copied from step 6, and then choose Review policy.
  12. Check the contents of the error message shown in the red dialog box at the top of the page. The error message gives a more detailed explanation of why the policy failed validation.
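Steps 6 through 12 can also be reproduced offline before going to the IAM console. The following Python script is an added example, not part of the original article: it decodes a constructed CloudTrail record (the event and its defective inline policy are assumptions, not a real event), which performs the un-escaping of step 7, and then applies a handful of structural rules from the IAM JSON policy grammar so that the cause of a "MalformedPolicyDocument" is visible in the findings it returns. The rule set is a subset chosen for illustration; the IAM console's validator remains the authoritative check.

```python
import json

# Constructed CloudTrail event record (not a real one): policyDocument is an
# escaped JSON string inside requestParameters, as the steps above describe.
SAMPLE_EVENT_JSON = r'''{
  "eventName": "PutRolePolicy",
  "errorCode": "MalformedPolicyDocumentException",
  "requestParameters": {
    "roleName": "example-role", "policyName": "inline-example",
    "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"allow\",\"Action\":\"s3:GetObject\"}]}"
  }
}'''

# Elements the policy grammar permits inside a statement block.
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}


def extract_policy(event_json):
    """Return the resolved policy document (a dict) from a CloudTrail record."""
    # First json.loads removes the \" escapes (step 7); second parses the policy.
    event = json.loads(event_json)
    return json.loads(event["requestParameters"]["policyDocument"])


def check_policy(policy, identity_based=True):
    """Structural checks from the IAM policy grammar; returns a list of findings."""
    # identity_based=True adds the rules for policies on IAM users, groups and roles.
    findings = []
    if policy.get("Version", "2012-10-17") not in ("2012-10-17", "2008-10-17"):
        findings.append("Version must be 2012-10-17 or 2008-10-17")
    statements = policy.get("Statement")
    if statements is None:
        return findings + ["Statement element is required"]
    if isinstance(statements, dict):       # a single statement block is allowed
        statements = [statements]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        for key in sorted(set(st) - STATEMENT_KEYS):
            findings.append(f"{where}: unknown element {key!r}")
        if st.get("Effect") not in ("Allow", "Deny"):  # value is case-sensitive
            findings.append(f"{where}: Effect must be exactly Allow or Deny")
        if ("Action" in st) == ("NotAction" in st):
            findings.append(f"{where}: exactly one of Action/NotAction is required")
        if identity_based:
            if ("Resource" in st) == ("NotResource" in st):
                findings.append(f"{where}: exactly one of Resource/NotResource is required")
            if "Principal" in st or "NotPrincipal" in st:
                findings.append(f"{where}: Principal is not allowed in an identity-based policy")
    return findings
```

Running check_policy(extract_policy(SAMPLE_EVENT_JSON)) reports the lowercase Effect and the missing Resource, the two defects planted in the constructed record.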

Related information

Grammar of the IAM JSON policy language

IAM JSON policy elements reference

AWS OFFICIAL, updated 2 years ago