How do I resolve "MalformedPolicyDocument" errors in AWS CloudFormation?
When I try to create or update an AWS CloudFormation stack, I get a "MalformedPolicyDocument" error message. I still get the error, even after I validate the template.
The ValidateTemplate API in AWS CloudFormation can validate only the syntax of your template. The API can't validate the property values that you specify for a resource. Because a policy document is configured as part of the property value, the validity of the policy isn't verified.
You get the "MalformedPolicyDocument" error when the policy document isn't syntactically or semantically correct, according to the grammar of the policy language.
To resolve this error, you must confirm that the policy document is valid for the particular resource type that it's a part of.
Look for error message details in your stack events
In the Filter search box, select Event name as the lookup attribute, and then enter PutRolePolicy in the corresponding text box.
For Time range, set the window around the timestamp that the failed resource event shows in the AWS CloudFormation stack events, so that the matching CloudTrail event is included.
In the Event name column, choose your event.
From the Event record, check the value of the errorMessage property for a detailed message.
Validate the policy passed in the CloudTrail event
The CloudTrail event for the API-level action on the resource that's causing the error usually contains the resolved form of the policy document. You can copy this resolved policy document, and then create a new policy in the AWS Management Console directly for that particular resource.
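As an added illustration (not from the original article), the script below pulls the errorCode/errorMessage and the resolved policy out of a CloudTrail record for a PutRolePolicy call, then runs a few structural checks that mirror the grammar rules IAM enforces on identity-based policies (Effect must be Allow or Deny, every statement needs Action/NotAction and Resource/NotResource, and Principal is not permitted). The record is a constructed sample, not a real log; the field names follow the CloudTrail record format.

```python
import json

# Constructed sample CloudTrail record (not a real log). Field names follow the
# CloudTrail record format; policyDocument is a JSON string of the resolved policy.
SAMPLE_EVENT = {
    "eventSource": "iam.amazonaws.com",
    "eventName": "PutRolePolicy",
    "errorCode": "MalformedPolicyDocumentException",
    "errorMessage": "Syntax errors in policy.",
    "requestParameters": {
        "policyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [
                {"Effect": "Allow", "Action": "s3:GetObject"},
                {"Effect": "Permit", "Action": "s3:ListBucket", "Resource": "*"},
            ],
        }),
    },
}

def extract_failure(event: dict) -> dict:
    """Return the error details and the resolved policy from one CloudTrail record."""
    params = event.get("requestParameters") or {}
    doc = params.get("policyDocument")
    return {
        "eventName": event.get("eventName"),
        "errorCode": event.get("errorCode"),
        "errorMessage": event.get("errorMessage"),
        "policy": json.loads(doc) if doc else None,
    }

def lint_identity_policy(policy: dict) -> list:
    """Flag grammar mistakes IAM rejects in an identity-based (role/user/group) policy."""
    statements = policy.get("Statement")
    if statements is None:
        return ["policy has no Statement element"]
    if isinstance(statements, dict):  # a single statement object is allowed
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"statement {i}: missing Action/NotAction")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"statement {i}: identity policies require Resource/NotResource")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(f"statement {i}: Principal is not allowed in an identity policy")
    return findings
```

Feed it the JSON of the event record you copied from the CloudTrail console; the findings point at the statement index to fix before you re-run the stack update.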
For example, if "MalformedPolicyDocument" results from an error in an inline policy attached to an IAM role, complete the following steps: