CloudFormation Stack Fail - "Client.InvalidPermission.NotFound" - "RevokeSecurityGroupEgress": "The specified rule does not exist in this security group."

0

Hello,

I'm trying to deploy some **new** infrastructure (mainly ECS, Load Balancers, Security Groups) via CloudFormation/GitHub Action - that is, I'm not modifying existing resources, but creating new ones from scratch. The stack creation fails due to an apparent error with the Load Balancers. The Status Reason mentions S3 Error: Access Denied, but this doesn't seem to have anything to do with S3.

When I go to view the related CloudTrail events, the errors seem to be related to the Security Groups instead. The Event Name is RevokeSecurityGroupEgress, the Error Code is Client.InvalidPermission.NotFound. Clicking on the errors to see the Event Record, the errorMessage is The specified rule does not exist in this security group.

I'm not sure what is "revoking" as, again, I'm not removing rules from an existing Security Group but creating a new one from scratch.

Some screenshots:


Below is my YAML code for the Security Groups and Load Balancers.

I'd appreciate any help as I'm getting kind of desperate.

```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Security Groups

Parameters:
  ProjectName:
    Description: Name of the project
    Type: String
    Default: qs01-ap1

  EnvironmentName:
    Description: Name of the environment
    Type: String

  ApplicationNameFrontendFileUploader:
    Description: Name of the application
    Type: String
    Default: file-uploader

  ParentStackName:
    Description: The parent stack name that will be prefixed to resource names
    Type: String

  ApplicationNameFrontendBrainScanReview:
    Description: Name of the application
    Type: String
    Default: brain-scan-review

  ApplicationNameBackendAuthService:
    Description: Name of the application
    Type: String
    Default: auth-service

  ApplicationNameBackendOrthancServer:
    Description: Name of the application
    Type: String
    Default: orthanc-server

  VPC:
    Type: AWS::EC2::VPC::Id
    Description: Current VPC Id

  VpcCIDR:
    Description: Please enter the IP range (CIDR notation) for this VPC
    Type: String

Resources:

  ####################################################################
  #              Security Groups for ECS Clusters
  #
  ####################################################################

  # No inline SecurityGroupEgress is declared, so this group keeps the
  # default allow-all outbound rule; the standalone egress resources
  # below only add rules, they never remove that default.
  FileUploaderECSSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: !Sub Security group for ${ApplicationNameFrontendFileUploader} ECS cluster
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-${ParentStackName}-${ApplicationNameFrontendFileUploader}-ecs-sg
        - Key: ProjectName
          Value: !Ref ProjectName
        - Key: ApplicationName
          Value: !Ref ApplicationNameFrontendFileUploader
        - Key: qsa:cloudformation:stack-name
          Value: !Ref AWS::StackName
        - Key: qsa:cloudformation:stack-id
          Value: !Ref AWS::StackId

  FileUploaderECSSecurityGroupALBInboundRule:
    Type: 'AWS::EC2::SecurityGroupIngress'
    Properties:
      Description: Allow inbound traffic from the load balancer to the ECS Cluster
      GroupId: !Ref FileUploaderECSSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: !Ref ALBFileUploaderSecurityGroup

  ECSSecurityGroupECROutboundRule:
    Type: 'AWS::EC2::SecurityGroupEgress'
    Properties:
      Description: Allow outbound traffic from the ECS Cluster to the ECR
      GroupId: !Ref FileUploaderECSSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !Ref EndpointEcrSecurityGroup

  ####################################################################
  #              Security Groups for Endpoints
  #
  ####################################################################

  EndpointEcrSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to AWS ECR API and DKR Endpoints
      # Declaring any inline egress makes CloudFormation revoke the default
      # allow-all outbound rule; 127.0.0.1/32 is a placeholder that permits
      # nothing useful, so only the explicit rules below remain.
      SecurityGroupEgress:
      - CidrIp: 127.0.0.1/32
        Description: Set as default to remove - All to all - outbound rule
        IpProtocol: '-1'
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-${ParentStackName}-ecr-endpoint-sg
        - Key: ProjectName
          Value: !Ref ProjectName
        - Key: qsa:cloudformation:stack-name
          Value: !Ref AWS::StackName
        - Key: qsa:cloudformation:stack-id
          Value: !Ref AWS::StackId

  EndpointEcrFileUploaderClusterInboundRule443:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow access from File Uploader Cluster to VPC Endpoint for ECR
      GroupId: !Ref EndpointEcrSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref FileUploaderECSSecurityGroup

  # Repeats the inline placeholder rule declared on EndpointEcrSecurityGroup above
  EndpointEcrSecurityGroupIPv4EgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Restrict IPv4 outbound traffic to localhost only
      GroupId: !Ref EndpointEcrSecurityGroup
      IpProtocol: '-1'
      CidrIp: 127.0.0.1/32

  EndpointEcrSecurityGroupIPv6EgressRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Restrict IPv6 outbound traffic to localhost only
      GroupId: !Ref EndpointEcrSecurityGroup
      IpProtocol: '-1'
      CidrIpv6: ::1/128

  ####################################################################
  #              Security Groups for Load Balancers
  ####################################################################

  # No inline SecurityGroupEgress is declared, so this group keeps the
  # default allow-all outbound rule alongside the explicit rules below.
  ALBFileUploaderSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: ALB SG for File Uploader
      Tags:
        - Key: Name
          Value: !Sub ${ProjectName}-${ParentStackName}-${ApplicationNameFrontendFileUploader}-alb-sg
        - Key: Project
          Value: Common
        - Key: qsa:cloudformation:stack-name
          Value: !Ref AWS::StackName
        - Key: qsa:cloudformation:stack-id
          Value: !Ref AWS::StackId

  ALBFileUploaderSecurityGroupInboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow IPv4 inbound traffic from the internet to the ALB
      GroupId: !Ref ALBFileUploaderSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIp: 0.0.0.0/0

  ALBFileUploaderSecurityGroupInboundRule2:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      Description: Allow IPv6 inbound traffic from the internet to the ALB
      GroupId: !Ref ALBFileUploaderSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      CidrIpv6: ::/0

  ALBFileUploaderSecurityGroupOutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Allow outbound traffic from the ALB to the ECS Cluster Instance Listener Port
      GroupId: !Ref ALBFileUploaderSecurityGroup
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      DestinationSecurityGroupId: !Ref FileUploaderECSSecurityGroup

  ALBFileUploaderSecurityGroupOutboundRule2:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Allow outbound traffic from the ALB to the ECS Cluster Instance Health Check Port
      GroupId: !Ref ALBFileUploaderSecurityGroup
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      DestinationSecurityGroupId: !Ref FileUploaderECSSecurityGroup

  ALBFileUploaderSecurityGroupOutboundRule3:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      Description: Block all other IPv6 outbound traffic
      GroupId: !Ref ALBFileUploaderSecurityGroup
      IpProtocol: '-1'  # quoted: IpProtocol is a string property
      CidrIpv6: ::1/128  # Just IPv6 localhost


Outputs:
  FileUploaderECSSecurityGroup:
    Description: Security group for the ECS cluster
    Value: !Ref FileUploaderECSSecurityGroup

  FileUploaderALBSecurityGroup:
    Description: Security group for the ALB
    Value: !Ref ALBFileUploaderSecurityGroup

  EndpointEcrSecurityGroup:
    Description: Security group for the ECR endpoint
    Value: !Ref EndpointEcrSecurityGroup
```
```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: Load Balancers for the qs01-ap1 project
Parameters:
  ProjectName:
    Description: Name of the project
    Type: String
    Default: qs01-ap1

  ParentStackName:
    Description: The parent stack name that will be prefixed to resource names
    Type: String

  ApplicationNameFrontendFileUploader:
    Description: Name of the application
    Type: String
    Default: file-uploader

  ApplicationNameFrontendBrainScanReview:
    Description: Name of the application
    Type: String
    Default: brain-scan-review

  ApplicationNameBackendAuthService:
    Description: Name of the application
    Type: String
    Default: auth-service

  ApplicationNameBackendOrthancServer:
    Description: Name of the application
    Type: String
    Default: orthanc-server

  # Passed in from the security-group stack's FileUploaderALBSecurityGroup output
  FileUploaderALBSecurityGroup:
    Description: Security group for the File Uploader ALB
    Type: AWS::EC2::SecurityGroup::Id

  PublicSubnets:
    Description: A reference to the VPC Public Subnets
    Type: List<AWS::EC2::Subnet::Id>

  PrivateSubnets:
    Description: A reference to the VPC Private Subnets
    Type: List<AWS::EC2::Subnet::Id>

  FileUploaderSubnets:
    Description: A reference to the VPC File Uploader Subnets
    Type: List<AWS::EC2::Subnet::Id>

Resources:
  PublicALBFileUploader:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      SecurityGroups:
        - !Ref FileUploaderALBSecurityGroup
      Subnets: !Ref PublicSubnets
      Tags:
        - Key: Name
          Value: !Sub ${ParentStackName}-${ApplicationNameFrontendFileUploader}-PublicALB
        - Key: Project
          Value: !Ref ProjectName
        - Key: qsa:cloudformation:stack-name
          Value: !Ref AWS::StackName
        - Key: qsa:cloudformation:stack-id
          Value: !Ref AWS::StackId
        - Key: Application
          Value: !Ref ApplicationNameFrontendFileUploader
        - Key: ParentStackName
          Value: !Ref ParentStackName

Outputs:
  PublicALBFileUploaderARN:
    Description: The ARN of the File Uploader Public ALB (Ref on a LoadBalancer returns its ARN)
    Value: !Ref PublicALBFileUploader

  PublicALBFileUploaderDNSName:
    Description: The DNS name of the File Uploader Public ALB
    Value: !GetAtt PublicALBFileUploader.DNSName

  PublicALBFileUploaderFullName:
    Description: The full name of the File Uploader Public ALB
    Value: !GetAtt PublicALBFileUploader.LoadBalancerFullName
```
2 Answers
1

Hello.

I manually deployed the CloudFormation template you created in my AWS account, and it was deployed successfully.
This suggests that there is no problem with the template itself.

I'm concerned about the error "S3 Error: Access Denied."
Does the policy of the IAM role you're using with GitHub Actions have permissions to operate on S3?
To deploy CloudFormation, you need permission to access S3 where the template is stored, so I think an error will occur if this policy is not set.
https://repost.aws/knowledge-center/cfn-s3-access-denied-error

EXPERT
answered 17 days ago
0

The error you're encountering suggests that there's an issue with the security group configuration in your CloudFormation template. Specifically, the "RevokeSecurityGroupEgress" operation is failing because it's trying to remove a rule that doesn't exist in the security group.

This error can occur when you're creating new resources, not just when modifying existing ones. It's likely happening because CloudFormation is attempting to remove the default egress rule (which allows all outbound traffic) before adding your specified egress rules.

To resolve this issue, try the following:

  1. Remove the default egress rule explicitly in your template. Add this to your security group definitions:

```yaml
SecurityGroupEgress:
  - IpProtocol: '-1'
    CidrIp: 0.0.0.0/0
```

  2. Then, add your specific egress rules after this.

  3. For the ALBFileUploaderSecurityGroup, you're not specifying any egress rules in the initial creation. Add the default egress rule here as well.

  4. Double-check that all security group IDs referenced in your ingress and egress rules (like EndpointEcrSecurityGroup) are correctly defined and exported from other stacks if necessary.

  5. Ensure that the IAM role used by CloudFormation has the necessary permissions to manage security groups.

If the issue persists, you may need to review the full CloudFormation template and ensure all resources are properly defined and referenced. Also, check if there are any Service Control Policies (SCPs) in your AWS Organizations that might be restricting certain actions on security groups.

Remember to test your changes incrementally, and use CloudFormation's "Change Set" feature to preview the changes before applying them.

Sources:
  - Resolve IAM permission errors in CloudFormation | AWS re:Post
  - Troubleshoot missing permission errors in CloudFormation | AWS re:Post
  - Permission Error while deploying CloudFormation Stack with Amazon Verified Permissions | AWS re:Post

answered 17 days ago
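The egress behaviour behind steps 1 to 3 of the answer above, as an added example that is not code from the question or from either answer: a small Python audit run over a constructed, simplified copy of the question's security-group template (intrinsic functions replaced by plain logical IDs, an assumption of the sample). It reports which groups keep the default allow-all outbound rule (CloudFormation revokes that rule only when a group declares inline SecurityGroupEgress) and which standalone egress resources repeat a rule already declared inline, which the EC2 AuthorizeSecurityGroupEgress API rejects as InvalidPermission.Duplicate.

```python
# Added audit (not the question's or the answers' code): for each AWS::EC2::SecurityGroup,
# report whether the default allow-all egress rule survives (CloudFormation revokes it
# only when the group declares inline SecurityGroupEgress) and which standalone
# AWS::EC2::SecurityGroupEgress resources repeat a rule that is already declared inline.

RULE_KEYS = ("IpProtocol", "FromPort", "ToPort", "CidrIp", "CidrIpv6",
             "DestinationSecurityGroupId", "DestinationPrefixListId")

# Constructed, simplified copy of the question's template: !Ref/!Sub are replaced by
# plain logical IDs (an assumption of this sample) so no YAML tag handling is needed.
TEMPLATE = {"Resources": {
    "FileUploaderECSSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": "VPC"}},
    "EndpointEcrSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": "VPC", "SecurityGroupEgress": [{"CidrIp": "127.0.0.1/32", "IpProtocol": "-1"}]}},
    "ALBFileUploaderSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"VpcId": "VPC"}},
    "EndpointEcrSecurityGroupIPv4EgressRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": "EndpointEcrSecurityGroup", "IpProtocol": "-1", "CidrIp": "127.0.0.1/32"}},
    "ALBFileUploaderSecurityGroupOutboundRule3": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
        "GroupId": "ALBFileUploaderSecurityGroup", "IpProtocol": -1, "CidrIpv6": "::1/128"}},  # unquoted -1 as posted
}}

def rule_key(props):
    """Hashable identity of a rule. IpProtocol is compared as a string so an
    unquoted YAML -1 (parsed as an int) matches the quoted '-1'."""
    return tuple(None if props.get(k) is None else str(props[k]) for k in RULE_KEYS)

def audit_egress(template):
    """Return {sg_logical_id: (keeps_default_allow_all, [duplicate standalone rule IDs])}."""
    resources = template["Resources"]
    report = {}
    for sg_id, sg in resources.items():
        if sg["Type"] != "AWS::EC2::SecurityGroup":
            continue
        inline = sg.get("Properties", {}).get("SecurityGroupEgress", [])
        seen, duplicates = {rule_key(r) for r in inline}, []
        for rule_id, rule in resources.items():
            props = rule.get("Properties", {})
            if rule["Type"] != "AWS::EC2::SecurityGroupEgress" or props.get("GroupId") != sg_id:
                continue
            key = rule_key(props)
            if key in seen:  # the same rule was already authorised on this group
                duplicates.append(rule_id)
            seen.add(key)
        report[sg_id] = (not inline, duplicates)
    return report

if __name__ == "__main__":
    for sg_id, (allow_all, dups) in audit_egress(TEMPLATE).items():
        print(f"{sg_id}: default allow-all egress kept={allow_all}, duplicate rules={dups}")
```

Groups reported with the default kept still allow all outbound traffic no matter how many standalone egress rules are attached, which is worth checking before reading a RevokeSecurityGroupEgress error as a sign that a rule was ever removed.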
