The following IAM enforcement policy is attached to the AWS IAM role that I assume as an SSO user. When I use the AWS CLI, I can create the security group. But when I try to create the same security group using CloudFormation, with the same tag name/value and running with the same AWS profile, I get the error "You are not authorized to perform this operation".
IAM enforcement policy attached to the role that I assume:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSecurityGroup",
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/Name": "*UserDefined*"
        }
      }
    }
  ]
}
AWS CLI script. The security group is created successfully:
VPC_ID='vpc-12345678901234567'
AWS_PROFILE='my-aws-profile'
AWS_REGION='eu-west-1'
aws ec2 create-security-group \
    --profile "${AWS_PROFILE}" \
    --region "${AWS_REGION}" \
    --description "For Testing" \
    --group-name "my-test-security-group" \
    --vpc-id "${VPC_ID}" \
    --tag-specifications 'ResourceType=security-group,Tags=[{Key=Name,Value=UserDefined-my-test-sg}]'
CloudFormation template that creates the same security group with the same AWS profile, but fails:
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VPC:
    Type: AWS::EC2::VPC::Id
    Default: vpc-12345678901234567
Resources:
  MySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: my-test-security-group
      GroupDescription: For Testing
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: UserDefined-my-test-sg
Error I get when trying to deploy the CloudFormation stack using the above template:
You are not authorized to perform this operation. User: arn:aws:sts:::assumed-role/AWSRstrictedSSO_Ops_7f991be0d78c1285/[email protected] is not authorized to perform: ec2:CreateSecurityGroup on resource: arn:aws:ec2:eu-west-1:12345678012:security-group/* because no identity-based policy allows the ec2:CreateSecurityGroup action.
What am I missing here when using CloudFormation?
It might be related to the underlying process of CloudFormation.
The CLI-invoked operation is a single call to the EC2 service with the tags included in the request. In this case, the condition that checks aws:RequestTag/Name evaluates to true and you are allowed to create the SG.
With CloudFormation it's not so obvious, and it could be that the resource creation operation is separate from the resource tagging operation.
I just checked and there are 3 events for SG in CloudTrail
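The reasoning in the answer above, as an added example that is not part of the original question or answer: a small simulator of how the posted `Allow` statement evaluates against (a) a single `CreateSecurityGroup` request that carries tag specifications, as the CLI sends, and (b) a `CreateSecurityGroup` request with no tags followed by a separate `CreateTags` call, which is the two-step shape the answer suggests CloudFormation may use. The CloudTrail-style `requestParameters` layout (`tagSpecificationSet.items[].tags[]`), the sample requests and the 12-digit account ID are constructed for the example; only the policy statement is taken from the question.

```python
"""Simulate IAM evaluation of the posted statement for two request shapes.

Added example: not the poster's code, not an AWS library. The request
parameter shapes below are constructed to look like CloudTrail records.
"""
import re
from typing import Any

# The statement from the question, verbatim.
POLICY_STATEMENT: dict[str, Any] = {
    "Effect": "Allow",
    "Action": "ec2:CreateSecurityGroup",
    "Resource": "arn:aws:ec2:*:*:security-group/*",
    "Condition": {"StringLike": {"aws:RequestTag/Name": "*UserDefined*"}},
}

# Placeholder account ID (assumed); the question's ARN has a typo'd one.
RESOURCE_ARN = "arn:aws:ec2:eu-west-1:123456789012:security-group/*"


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one char."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def request_tags(request_parameters: dict[str, Any]) -> dict[str, str]:
    """Extract Key->Value tags from the assumed CloudTrail-style
    tagSpecificationSet.items[].tags[] layout of a CreateSecurityGroup call."""
    tags: dict[str, str] = {}
    spec = request_parameters.get("tagSpecificationSet", {})
    for item in spec.get("items", []):
        for tag in item.get("tags", []):
            tags[tag["key"]] = tag["value"]
    return tags


def statement_allows(stmt: dict[str, Any], action: str, resource: str,
                     request_parameters: dict[str, Any]) -> bool:
    """True only if Effect/Action/Resource match AND every condition holds.
    A condition key that is absent from the request (no tags sent) makes a
    plain StringLike fail; only the ...IfExists operators treat it as true."""
    if stmt["Effect"] != "Allow":
        return False
    if not any(string_like(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(string_like(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    # Context keys available to the condition block for this request.
    keys = {f"aws:RequestTag/{k}": v for k, v in request_tags(request_parameters).items()}
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringLike":  # only the operator the statement uses
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if key not in keys:
                return False
            if not any(string_like(p, keys[key]) for p in _as_list(patterns)):
                return False
    return True


def evaluate(action: str, request_parameters: dict[str, Any]) -> str:
    """Single-statement policy: no matching Allow means an implicit deny,
    which surfaces as 'no identity-based policy allows the ... action'."""
    allowed = statement_allows(POLICY_STATEMENT, action, RESOURCE_ARN, request_parameters)
    return "ALLOW" if allowed else "IMPLICIT_DENY"


# (a) Constructed: what the CLI call sends, tags included in the same request.
CLI_CREATE_CALL = {
    "groupName": "my-test-security-group",
    "groupDescription": "For Testing",
    "vpcId": "vpc-12345678901234567",
    "tagSpecificationSet": {"items": [{
        "resourceType": "security-group",
        "tags": [{"key": "Name", "value": "UserDefined-my-test-sg"}],
    }]},
}

# (b) Constructed: the two-step shape the answer hypothesises for CloudFormation.
TAGLESS_CREATE_CALL = {
    "groupName": "my-test-security-group",
    "groupDescription": "For Testing",
    "vpcId": "vpc-12345678901234567",
}
SEPARATE_TAG_CALL = {"tagSet": {"items": [{"key": "Name", "value": "UserDefined-my-test-sg"}]}}

if __name__ == "__main__":
    print("CLI CreateSecurityGroup with tags   :", evaluate("ec2:CreateSecurityGroup", CLI_CREATE_CALL))
    print("Tagless CreateSecurityGroup         :", evaluate("ec2:CreateSecurityGroup", TAGLESS_CREATE_CALL))
    print("Follow-up CreateTags                :", evaluate("ec2:CreateTags", SEPARATE_TAG_CALL))
```

The tagless create is denied because `aws:RequestTag/Name` is simply not present in that request, so the `StringLike` condition can never match; the follow-up `CreateTags` call is denied as well, since the statement only names `ec2:CreateSecurityGroup`. Comparing the `requestParameters` of the CloudTrail events the answer mentions against the two constructed shapes is the quickest way to confirm which path CloudFormation actually took.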