How can I update IAM policies for tagging CloudFormation resources if the resources do not show in CloudFormation?


Hi,

Startup founder struggling with AWS here. I got a message from AWS asking me to update IAM policies for tagging my CloudFormation resources. It asked me to go to my AWS Health Dashboard and search for the affected resources, where I got a list of 150 affected stacks. However, when I go to my CloudFormation, only 11 of the 150 stacks are visible.

How can I solve this issue? Alternatively, what will happen if I don't solve this issue?

Including below the message from AWS in case useful.

Here are 3 more pieces of information, in case useful:

  1. Role name and permission were shown as N/A in the AWS Health Dashboard notification
  2. I have provisioned all my users with CloudFormation access
  3. When I looked at CloudTrail, I could not find any of the affected stacks. Also, there was no event on CloudFormation::Stacks in the past 90 days in CloudTrail

Thank you so much!

AWS Message:

Hello,

We are reaching out because AWS CloudFormation identified an issue when creating or modifying tags which requires your action before February 29, 2024. AWS CloudFormation enables users to model and manage infrastructure resources in an automated and secure manner. When performing a CloudFormation stack operation to create, modify, or remove tags, if the IAM principal used for that operation did not have permissions to perform the tagging operation, the tags specified in the CloudFormation template would not match the tags applied to the resource. As a result, if you are using Attribute-Based Access Control (ABAC) [1], your IAM policies may have granted permissions when you did not intend to grant, and denied permissions when you did not intend to deny. We have fixed this issue; however, to give you time to update your IAM principals, we have added your account to an allow list so that you will continue to see the existing tagging behavior until we remove your account from the allow list on February 29, 2024. After this date, CloudFormation stack operations will fail when you attempt to create, modify, or remove tags but do not have the required permissions.

When customers use tags for ABAC or for cost allocation, they require their resources to be tagged. We identified that your account has performed a CloudFormation stack operation to create, modify, or remove tags.

Please refer to the "Affected Resources" tab of your AWS Health Dashboard for a list of resources with unsuccessful tagging operations in the following format: stack_name | logical_id | type_name | missing_permission | role_name | date

For each resource, you can identify the IAM principal that you used to perform the CloudFormation stack operation, along with the specific tagging permission that is missing. If role_name and missing_permission are N/A, it indicates that we were unable to automatically identify this information for you. Please refer to the AWS Knowledge Center article [2] to identify the IAM role used to modify the associated stack. You can identify the missing permissions based on affected resource type. For example, you will need to add iam:TagRole, iam:UntagRole and/or iam:ListRoleTags permissions to tag AWS::IAM::Role resources.

We recommend that you evaluate the missing permissions and update your IAM policies [3] where appropriate to ensure that your future tagging operations are successful. Once you have added the necessary permissions, your future tagging changes will succeed; however, the tags on your existing resources may not match the tags in your CloudFormation template. We recommend that you compare the tags you specified in your template with the tags currently applied to your resources. Please refer to the AWS Knowledge Center article [2] for more details.

If you have any questions or concerns, please contact AWS Support [4].

  • Update: I discovered some of the other stacks in different regions, but they all say "ROLLBACK_COMPLETE". Not sure why I'm still getting a tagging error?
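The AWS message describes the "Affected Resources" rows (stack_name | logical_id | type_name | missing_permission | role_name | date) and says that role_name and missing_permission may be N/A, which is exactly what the asker sees. The following added example (not from the post or from AWS) parses such rows, groups the missing tagging actions per IAM role, and emits a minimal IAM policy document per role; for AWS::IAM::Role rows with missing_permission N/A it falls back to the three actions the message names, and any other type with N/A is reported for manual lookup instead of guessed. The sample rows and the UNKNOWN_ROLE placeholder are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample rows in the Health Dashboard format described in the AWS message.
SAMPLE_ROWS = """\
prod-api   | ApiRole | AWS::IAM::Role   | iam:TagRole   | DeployRole | 2024-01-10
prod-api   | ApiRole | AWS::IAM::Role   | iam:UntagRole | DeployRole | 2024-01-10
staging-db | DbRole  | AWS::IAM::Role   | N/A           | N/A        | 2024-01-12
legacy-net | Subnet1 | AWS::EC2::Subnet | N/A           | N/A        | 2024-01-15
"""

FIELDS = ["stack_name", "logical_id", "type_name", "missing_permission", "role_name", "date"]

# Tagging actions the AWS message lists for AWS::IAM::Role. Other types are not
# guessed here; rows for them with N/A are returned as unresolved.
KNOWN_TAG_ACTIONS = {
    "AWS::IAM::Role": ["iam:TagRole", "iam:UntagRole", "iam:ListRoleTags"],
}

# Placeholder (assumption) for rows where role_name is N/A; the real principal
# has to be found via CloudTrail / the Knowledge Center article, not invented.
UNKNOWN_ROLE = "UNKNOWN_ROLE_LOOKUP_REQUIRED"


def parse_rows(text):
    """Split the pipe-separated dashboard rows into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(FIELDS):
            raise ValueError(f"unexpected row format: {line!r}")
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def required_actions(row):
    """Use the reported permission, else the known actions for the resource type."""
    if row["missing_permission"] != "N/A":
        return [row["missing_permission"]]
    return KNOWN_TAG_ACTIONS.get(row["type_name"], [])


def build_policies(text):
    """Return ({role_name: policy_document}, [unresolved rows])."""
    actions_by_role, unresolved = defaultdict(set), []
    for row in parse_rows(text):
        acts = required_actions(row)
        if not acts:
            unresolved.append(row)
            continue
        role = row["role_name"] if row["role_name"] != "N/A" else UNKNOWN_ROLE
        actions_by_role[role].update(acts)
    # Resource is "*" only as a starting point; scope it to the stack's resource ARNs.
    return {role: {"Version": "2012-10-17", "Statement": [{"Sid": "CloudFormationTagging",
            "Effect": "Allow", "Action": sorted(acts), "Resource": "*"}]}
            for role, acts in actions_by_role.items()}, unresolved


if __name__ == "__main__":
    policies, leftover = build_policies(SAMPLE_ROWS)
    print(json.dumps(policies, indent=2))
    print("needs manual lookup:", [r["stack_name"] for r in leftover])
```

Stacks in ROLLBACK_COMPLETE or other regions still appear in these rows, so the policy for the deploying role should cover them even though they are not visible in the default console view.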

No Answers
