cfn-lint version: (cfn-lint --version) 0.5.0
Description of issue.
Used 'principle' instead of 'principal' in an SNS topic policy, spent 30 minutes finding the error, because the error message from CloudFormation is just an echo of the service error message, which simply says 'null':
'AWS::SNS::TopicPolicy SomeTopicPolicy CREATE_FAILED: Invalid parameter: Policy Error: null (Service: AmazonSNS; Status Code: 400; Error Code: InvalidParameter; Request ID: aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa)'
Example template:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
SomeTopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- some-topic-name
PolicyDocument:
Id: some-policy
Version: 2012-10-17
Statement:
- Sid: some-sid
Effect: Allow
Principle:
Service: events.amazonaws.com
Action:
- sns:Publish
Resource: '*'
Probably more things can be checked in the structure of IAM/S3/SNS/... policies too, cloudformation itself seems to just take opaque blobs and pass them to the underlying system. Ofc IAM/SNS should have better error messages too.
Ouch. @kddejong was just saying he'd like to see us incorporate more "sub" linters like we do with SAM. It'd be amazing to have a special purpose IAM linter broken out we could call out for resource policies, etc.
Tracking this as an enhancement. Thanks!
Worth noting we are checking identity-based policies with E2507 I haven't had a chance to convert it over for Resource based policies. I'll try tackle this in the next week.
So cool! Let me put it through the paces -- you could theoretically use this for Stack policies, too right? Though I'm not sure how you'd detect them.
Nice one! Looking forward to this one.
Most helpful comment
Worth noting we are checking identity-based policies with E2507 I haven't had a chance to convert it over for Resource based policies. I'll try tackle this in the next week.