1
To diagnose the issue, my advice is to use CloudTrail and find the calls CloudFormation is making that are subsequently being denied. CloudTrail will reveal the full detail of what is being denied.
I'll also add that you may want to have a look at Service Catalog and launch constraints as a way of allowing "other" users to provision an approved product. There is more control over the template used and the ability to share across an organization. There is a workshop to demo the features.
0
I think you need to add ec2::DescribeVpcs to get a more descriptive error.
answered 2 years ago
Thanks. Actually, I did try to find the corresponding CloudTrail log but could not really figure out what was denied, even with this very simple example. There are not really many logs, so I am not sure whether I am missing something else.
Also, thanks for the suggestion about Service Catalog. I will take a look at the workshop.
PS: Notice that it is easier to search CloudTrail using the corresponding requestid. I will try to fix the policy based on the error.
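
The CloudTrail search described in the first answer and in the follow-up comment, as an added example that is not part of any poster's reply: it keeps only denied calls that CloudFormation made on the user's behalf and can narrow the result to one `requestID`. The sample records, the `_rec` helper and all function names are constructed for illustration; the record fields (`eventSource`, `eventName`, `errorCode`, `requestID`, `sourceIPAddress`, `userIdentity.invokedBy`) are standard CloudTrail fields.

```python
import json

CFN = "cloudformation.amazonaws.com"
DENY_MARKERS = ("AccessDenied", "UnauthorizedOperation")

def _rec(source, name, req_id, error=None, via=CFN):
    # Hypothetical helper: builds a constructed record with the fields used below.
    rec = {"eventSource": source, "eventName": name, "requestID": req_id,
           "sourceIPAddress": via, "userIdentity": {"type": "AssumedRole"}}
    if via == CFN:
        rec["userIdentity"]["invokedBy"] = CFN
    if error:
        rec["errorCode"] = error
        rec["errorMessage"] = "constructed: not authorized to perform this operation"
    return rec

# Constructed sample in the CloudTrail log-file layout; every value is made up.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("cloudformation.amazonaws.com", "CreateStack", "req-0001", via="198.51.100.7"),
    _rec("ec2.amazonaws.com", "DescribeVpcs", "req-0002", "Client.UnauthorizedOperation"),
    _rec("ec2.amazonaws.com", "CreateSecurityGroup", "req-0003", "Client.UnauthorizedOperation"),
    _rec("ec2.amazonaws.com", "DescribeVpcs", "req-0004", "Client.UnauthorizedOperation"),
    _rec("s3.amazonaws.com", "GetObject", "req-0005", "AccessDenied", via="198.51.100.7"),
]})

def via_cloudformation(rec):
    """True when CloudFormation made the call on the user's behalf."""
    identity = rec.get("userIdentity") or {}
    return CFN in (identity.get("invokedBy"), rec.get("sourceIPAddress"))

def denied_calls(log_text, request_id=None):
    """Denied calls made through CloudFormation, optionally for one requestID."""
    hits = []
    for rec in json.loads(log_text).get("Records", []):
        code = rec.get("errorCode") or ""
        if not any(m in code for m in DENY_MARKERS) or not via_cloudformation(rec):
            continue
        if request_id and rec.get("requestID") != request_id:
            continue
        # The eventSource prefix is only a hint; some services use another IAM prefix.
        service = rec.get("eventSource", "").split(".")[0]
        hits.append({"action": f"{service}:{rec.get('eventName')}",
                     "requestID": rec.get("requestID"), "errorCode": code,
                     "errorMessage": rec.get("errorMessage", "")})
    return hits

def candidate_actions(log_text):
    """Distinct service:action pairs to review against the IAM policy."""
    return sorted({hit["action"] for hit in denied_calls(log_text)})
```

`candidate_actions` gives a deduplicated list to compare with the policy attached to the user or the stack's role; the `errorMessage` of each hit carries the detail CloudTrail recorded for that denial.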