Questions tagged with AWS CloudTrail

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

IAM Profile can create VPC IPV6 Subnet in some regions, but fails in other regions

A minimal IAM profile has been prepared for a CloudFormation stack which creates a VPC with IPv6CidrBlock and IPv6Cidr subnet. The IAM profile is sufficient for creating the stack in us-east-1 region. The profile has been tested attached directly to an IAM user, and also attached to a IAM role which another IAM user assumes. Upon further testing the IPv6 subnet create fails in many, though not all regions. There is one additional IAM profile action, ec2:DescribeNetworkAcls, which is needed for these other regions. For example us-east-1 and eu-west-2 do not require the action. eu-central-1 and several other regions do require that IAM profile action 1. Is there any known reason for this different requirement among the regions? Is there any EC2 or VPC service setting which can be queried to see the difference? 2. Why does CloudTrail not log the failure message when the IAM profile is missing the "ec2:DescribeNetworkAcls" action? 3. For the previous failing regions, when the action is added to IAM profile, upon retest, CloudTrail does not log the successful event named "DescribeNetworkAcls" though it does log all other related events. The error shown in CloudFormation, though not CloudTrail: ``` "ResourceStatus": "CREATE_FAILED", LogicalId: Subnet, "ResourceStatusReason": "Unable to retrieve Ipv6CidrBlocks attribute for AWS::EC2::VPC, with error message You are not authorized to perform this operation. (Service: Ec2, Status Code: 403, Request ID: XXX, Extended Request ID: null)... ``` When the error occurs, adding the following IAM Policy action resolves the issue. Though still this eventName is never logged by CloudTrail: ``` "ec2:DescribeNetworkAcls" ``` Cloudformation Template: ```yaml --- AWSTemplateFormatVersion: '2010-09-09' Description: 'Test stack' Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: EnableDnsSupport: true EnableDnsHostnames: true InstanceTenancy: default VPCIPv6: Type: AWS::EC2::VPCCidrBlock Properties: AmazonProvidedIpv6CidrBlock: true VpcId: !Ref VPC Subnet: Type: AWS::EC2::Subnet DependsOn: - VPCIPv6 Properties: CidrBlock: Ipv6CidrBlock: !Select [0, !Cidr [!Select [0, !GetAtt 'VPC.Ipv6CidrBlocks'], 1, 64]] MapPublicIpOnLaunch: false VpcId: !Ref VPC ``` IAM Policy ```json { "Version": "2012-10-17", "Statement": [ { "Sid": "CloudFormationStackActions", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:ListStackResources" ], "Resource": [ "*" ] }, { "Sid": "TESTINGVPCIPv6Subnet", "Effect": "Allow", "Action": [ "ec2:CreateVpc", "ec2:CreateSubnet", "ec2:AssociateVpcCidrBlock", "ec2:AssociateSubnetCidrBlock", "ec2:ModifyVpcAttribute", "ec2:DescribeVpcAttribute", "ec2:DescribeVpcs", "ec2:DescribeSubnets" ], "Resource": [ "*" ] } ] } ``` To reproduce: * Save the above cloud formation text to a file named "a-test-stack-template.yaml" * Set the temporary bash variable named `aws_cred_profile` with the aws credentials profile name to be used for the aws cli commands. The creds should be of the IAM user with the above IAM profile attached. Use default if there is only one set of credentials ```bash aws_cred_profile=default ``` * AWS CLI Commands to test mockup: ``` aws_region=eu-central-1 # aws cli create-stack test_env=$(aws cloudformation create-stack --region $aws_region --no-cli-pager \ --profile $aws_cred_profile --disable-rollback \ --stack-name test-$(date +%Y%b%d-%H%M%S) \ --template-body file://a-test-stack-template.yaml \ | sed -r -e 's/.*:stack\/(.*)\/.*/\1/' | sed '1d' | sed '2d') echo $test_env # repeat calls to list-stack-resources until the stack creation is complete aws cloudformation list-stack-resources --region $aws_region --no-cli-pager \ --stack-name=$test_env --max-items=3 ```
asked a year ago