SCP bad error messaging

0

Service Control Policies uninformative error messages

Hello, I am testing out implementing company-wide SCPs to enforce resources being created with the correct tags. When in effect, I noticed that the error messaging when being blocked from creating resources is confusing and does not point to tags being the issue at all. The error messages are also different for each resource.

From a systems admin perspective, this seems like it will create much more harm than good. The "insufficient permissions" error messaging will prompt developers to ask for more permissions when that is not the issue at all.

Is there any way to customize error messaging for service control policies? Or maybe someone has come up with a better solution on how to enforce tagging with good error messaging?


Matt
asked 7 months ago · 406 views
1 Answer
0

The message is encoded for security purposes. The user may already have the permissions to decode it, but it won't be shown decoded in the console. In order to decode the message, open CloudShell and use the following command:

aws sts decode-authorization-message --encoded-message <encoded_message> \
--output text | jq '.'

When using CloudShell, it will assume the privileges that are allocated to the logged-in user/role. To decode an authorization status message, a user must be granted permission through an IAM policy to request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.

Decoded Message

Give your SCP statements meaningful Sids (statement IDs) to make it easier to figure out what is failing; otherwise you will have to evaluate the message once it is decoded to figure out the root cause. You can use the --query flag to retrieve the parts of the message that are relevant to you.

You cannot customize the error message. You can get more information about the failed request without decoding the message by looking through your CloudTrail logs; however, I would advise against granting permissions to read the CloudTrail logs in general. Granting permission to decode STS authorization messages is the best compromise, in my opinion.

AWS
answered 7 months ago
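The answer's workflow (decode the message, look for the denying statement's Sid, pull out only the relevant parts) can be scripted so developers get a plain explanation instead of a generic "not authorized" error. The script below is an added example, not code from the question or the answer. It assumes the decoded message has the shape that sts:DecodeAuthorizationMessage returns (allowed, explicitDeny, matchedStatements, context, with {"items": [...]} wrappers); the embedded sample message, its account number, role name and the Sid DenyRunInstancesWithoutCostCenterTag are all constructed placeholders. The decode_with_boto3 helper assumes boto3 is installed and that the caller holds sts:DecodeAuthorizationMessage, exactly the permission the answer recommends granting.

```python
"""Turn a decoded STS authorization message into a readable deny explanation.

Added example (not from the re:Post thread). Assumes the decoded message has
the shape returned by sts:DecodeAuthorizationMessage. SAMPLE_DECODED is a
constructed message, not captured from a real account.
"""
import json

# Constructed sample: an SCP statement with a descriptive Sid explicitly denied
# ec2:RunInstances because the request carried no CostCenter tag (the caller
# only supplied a Name tag). Account, role and principal IDs are placeholders.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": True,
    "matchedStatements": {"items": [{
        "statementId": "DenyRunInstancesWithoutCostCenterTag",
        "effect": "DENY",
        "principals": {"items": [{"value": "AROAEXAMPLEPLACEHOLDER"}]},
        "principalGroups": {"items": []},
        "actions": {"items": [{"value": "ec2:RunInstances"}]},
        "resources": {"items": [{"value": "*"}]},
        "conditions": {"items": [{"key": "aws:RequestTag/CostCenter",
                                  "values": {"items": [{"value": "true"}]}}]},
    }]},
    "failures": {"items": []},
    "context": {
        "principal": {"id": "AROAEXAMPLEPLACEHOLDER:dev-session",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Developer/dev-session"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
        "conditions": {"items": [
            {"key": "aws:RequestedRegion", "values": {"items": [{"value": "us-east-1"}]}},
            {"key": "aws:TagKeys", "values": {"items": [{"value": "Name"}]}},
        ]},
    },
})


def _items(node):
    """Unwrap the {"items": [...]} wrapper used throughout the decoded message."""
    return (node or {}).get("items", [])


def summarize(decoded_json: str) -> dict:
    """Reduce a decoded authorization message to the facts a developer needs."""
    msg = json.loads(decoded_json)
    ctx = msg.get("context", {})
    denying = [s for s in _items(msg.get("matchedStatements"))
               if s.get("effect", "").upper() == "DENY"]
    # Sids of the statements that denied the request; this is why the answer
    # recommends meaningful Sids in SCPs.
    deny_sids = [s.get("statementId", "<no Sid>") for s in denying]
    # Condition keys the denying statements evaluated, e.g. aws:RequestTag/CostCenter.
    deny_keys = sorted({c.get("key", "") for s in denying for c in _items(s.get("conditions"))})
    # Tag keys the caller actually supplied on the request.
    request_tags = sorted(v["value"] for c in _items(ctx.get("conditions"))
                          if c.get("key") == "aws:TagKeys" for v in _items(c.get("values")))
    summary = {
        "allowed": bool(msg.get("allowed")),
        "explicit_deny": bool(msg.get("explicitDeny")),
        "action": ctx.get("action"),
        "principal": ctx.get("principal", {}).get("arn"),
        "resource": ctx.get("resource"),
        "deny_sids": deny_sids,
        "deny_condition_keys": deny_keys,
        "request_tag_keys": request_tags,
    }
    summary["hint"] = _hint(summary)
    return summary


def _hint(s: dict) -> str:
    """Phrase the outcome so a developer does not reflexively ask for more IAM permissions."""
    if s["allowed"]:
        return "Request was allowed."
    tag_keys = [k.split("/", 1)[1] for k in s["deny_condition_keys"]
                if k.startswith("aws:RequestTag/")]
    if s["explicit_deny"] and tag_keys:
        missing = [k for k in tag_keys if k not in s["request_tag_keys"]]
        return (f"Explicitly denied by statement(s) {s['deny_sids']}: the request must carry "
                f"tag(s) {missing or tag_keys}. Requesting more IAM permissions will not help.")
    if s["explicit_deny"]:
        return f"Explicitly denied by statement(s) {s['deny_sids']}; review their conditions."
    return "Implicitly denied: no statement allows this action; an IAM permission may be missing."


def decode_with_boto3(encoded_message: str) -> dict:
    """Decode an encoded message from the console/CLI error via STS, then summarize it."""
    import boto3  # assumption: boto3 installed, credentials with sts:DecodeAuthorizationMessage
    resp = boto3.client("sts").decode_authorization_message(EncodedMessage=encoded_message)
    return summarize(resp["DecodedMessage"])


if __name__ == "__main__":
    import sys
    result = decode_with_boto3(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_DECODED)
    print(json.dumps(result, indent=2))
```

Run it with the encoded message pasted from the console error as the first argument, or with no argument to see the summary of the constructed sample. The same Sid extraction can be done directly with the CLI's --query flag mentioned in the answer: `aws sts decode-authorization-message --encoded-message <encoded_message> --query DecodedMessage --output text | jq '.matchedStatements.items[].statementId'`.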
