Getting Cloudwatch to send CreateLogGroup messages to EventBridge - amazon-web-services

I want CloudWatch to send CreateLogGroup messages to EventBridge.
I understand this is possible, but also that Cloudwatch doesn't seem to send these messages by default. It seems you have to configure CloudTrail to get it to forward the message. But I can't find a CloudTrail configuration which works - in general deployment fails with:
AWS::CloudTrail::Trail - "Invalid request provided: Incorrect S3 bucket policy is detected for bucket"
AWSTemplateFormatVersion: '2010-09-09'
Outputs:
HelloFunction:
Value:
Ref: HelloFunction
WatcherFunction:
Value:
Ref: WatcherFunction
WatcherTrailBucket:
Value:
Ref: WatcherTrailBucket
Parameters:
MemorySizeDefault:
Default: '512'
Type: String
RuntimeVersion:
Default: '3.8'
Type: String
TimeoutDefault:
Default: '5'
Type: String
Resources:
HelloFunction:
Properties:
Code:
ZipFile: |
def handler(event, context):
print (event)
Handler: index.handler
MemorySize:
Ref: MemorySizeDefault
Role:
Fn::GetAtt:
- HelloFunctionRole
- Arn
Runtime:
Fn::Sub: python${RuntimeVersion}
Timeout:
Ref: TimeoutDefault
Type: AWS::Lambda::Function
HelloFunctionRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: hello-function-role-policy-${AWS::StackName}
Type: AWS::IAM::Role
WatcherFunction:
Properties:
Code:
ZipFile: |
def handler(event, context):
print (event)
Handler: index.handler
MemorySize:
Ref: MemorySizeDefault
Role:
Fn::GetAtt:
- WatcherFunctionRole
- Arn
Runtime:
Fn::Sub: python${RuntimeVersion}
Timeout:
Ref: TimeoutDefault
Type: AWS::Lambda::Function
WatcherFunctionRole:
Properties:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
Service: lambda.amazonaws.com
Version: '2012-10-17'
Policies:
- PolicyDocument:
Statement:
- Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
Resource: '*'
Version: '2012-10-17'
PolicyName:
Fn::Sub: watcher-function-role-policy-${AWS::StackName}
Type: AWS::IAM::Role
WatcherEventRule:
Type: AWS::Events::Rule
Properties:
EventPattern:
source:
- aws.logs
detail-type:
- "AWS API Call via CloudTrail"
detail:
eventName:
- CreateLogGroup
Targets:
- Id:
Fn::Sub: watcher-event-rule-${AWS::StackName}
Arn:
Fn::GetAtt:
- WatcherFunction
- Arn
State: ENABLED
WatcherEventRulePermission:
Type: AWS::Lambda::Permission
Properties:
Action: lambda:InvokeFunction
Principal: events.amazonaws.com
FunctionName:
Ref: WatcherFunction
SourceArn:
Fn::GetAtt:
- WatcherEventRule
- Arn
WatcherTrailBucket:
Type: AWS::S3::Bucket
WatcherTrailBucketPolicy:
DependsOn:
- WatcherTrailBucket
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: WatcherTrailBucket
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:GetBucketAcl
Resource: "*"
Condition: {}
- Effect: Allow
Principal:
Service: cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: "*"
Condition:
StringEquals:
s3:x-amz-acl: bucket-owner-full-control
WatcherTrail:
Type: AWS::CloudTrail::Trail
Properties:
EventSelectors:
- ReadWriteType: All
IsLogging: true
S3BucketName:
Ref: WatcherTrailBucket
IsLogging: true
S3KeyPrefix: logs/


Your WatcherTrail runs before WatcherTrailBucketPolicy, so that's why it fails (CloudFormation does not deploy resource in the order of their definition in the template). Add explicit DependsOn dependency on the bucket policy. Also your WatcherTrailBucketPolicy is incorrect, and trial needs a name. So it should be:
WatcherTrailBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket:
Ref: WatcherTrailBucket
PolicyDocument: !Sub |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {"Service": "cloudtrail.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::${WatcherTrailBucket}",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/MyTrial"
}
}
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {"Service": "cloudtrail.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::${WatcherTrailBucket}/logs/AWSLogs/${AWS::AccountId}/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control",
"aws:SourceArn": "arn:aws:cloudtrail:${AWS::Region}:${AWS::AccountId}:trail/MyTrial"
}
}
}
]
}
WatcherTrail:
Type: AWS::CloudTrail::Trail
DependsOn: WatcherTrailBucketPolicy
Properties:
TrailName: MyTrial
EventSelectors:
- ReadWriteType: All
IsLogging: true
S3BucketName:
Ref: WatcherTrailBucket
IsLogging: true
S3KeyPrefix: logs/

Related

CloudFormation EventBusPolicy: The relative-id "event-bus/bus_name" is invalid for ARN

According to this doc, I try:
ebMailPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
EventBusName: !Ref ebMail
StatementId: AllowForOrg
Statement:
Effect: Allow
Action: events:PutEvents
Condition:
StringEquals:
"aws:PrincipalOrgID": !Ref OrgId
Principal: "*"
The error is:
The relative-id "event-bus/bus_name" is invalid for ARN "arn:aws:events:eu-central-1:acc_id:event-bus/bus_name"
What am I doing wrong?

The doc is wrong. Correct version:
ebMailPolicy:
Type: AWS::Events::EventBusPolicy
Properties:
EventBusName: !Ref ebMail
StatementId: CrossAccSendEvents
Action: events:PutEvents
Principal: "*"
Condition:
Type: StringEquals
Key: aws:PrincipalOrgID
Value: !Ref OrgId

The AWS document does not explicitly state it but this is what we have working
EventBusPolicy:
Type: AWS::Events::EventBusPolicy
DependsOn: CustomEventBridgeBus
Properties:
StatementId: "AllowSameAWSAccount"
EventBusName: !Ref CustomEventBridgeBus
Statement:
Effect: "Allow"
Principal:
AWS: !ImportValue IntanceRoleArn
Action: "events:PutEvents"
Resource: !GetAtt CustomEventBridgeBus.Arn

User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource

I've been trying to create some infrastructure that includes bunch of services like EC2, ECS, S3 and Batch (few more). Everything seems to be fine, till it reaches the step to build the batch process.
I was following a medium blog and here's the CF template: Github Repo Link
This YAML is outdated and I have made some modifications here and there, but not the ones with roles.
I've had more than 3 CloudFormation stacks stuck in roll back because it can't stabilise the Compute Environment it builds from the YAML config I have. I reached out to Compute Environment to see the exact error and this is what I get:
DELETING - CLIENT_ERROR - User: batch.amazonaws.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::402726478692:role/service-role/AWSBatchServiceRole (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: f9d6c19d-4e77-4814-ac2c-b437e0546977; Proxy: null)
Now, It won't even delete this compute environment on automated rollback. But, my main concern is why is it not able to create? I've gone through documentation and few questions here regarding the same topic, but nothing seemed to work.
Here's the excerpt from my YAML config. This part is for compute environment:
ComputeEnvironment:
Type: "AWS::Batch::ComputeEnvironment"
Properties:
Type: MANAGED
ServiceRole: !Sub "arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole"
ComputeEnvironmentName: !Sub "${Environment}-batch-processing_3"
ComputeResources:
MaxvCpus: 1
SecurityGroupIds:
- !Ref SecurityGroup
Type: EC2
Subnets: !Ref Subnets
MinvCpus: 1
InstanceRole: !Ref ECSInstanceProfile
InstanceTypes:
- "c6gd.medium"
Tags: {"Name": !Sub "${Environment} - Batch Instance" }
DesiredvCpus: 1
State: ENABLED
JobQueue:
DependsOn: ComputeEnvironment
Type: "AWS::Batch::JobQueue"
Properties:
ComputeEnvironmentOrder:
- Order: 1
ComputeEnvironment: !Ref ComputeEnvironment
State: ENABLED
Priority: 1
JobQueueName: "HighPriority"
Job:
Type: "AWS::Batch::JobDefinition"
Properties:
Type: container
JobDefinitionName: !Sub "${Environment}-batch-s3-processor"
ContainerProperties:
Memory: 2048
Privileged: false
JobRoleArn: !Ref JobRole
ReadonlyRootFilesystem: true
Vcpus: 1
Image: !Sub "${AWS::AccountId}.dkr.ecr.us-west-2.amazonaws.com/${DockerImage}"
RetryStrategy:
Attempts: 1
JobRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
RoleName: !Sub "${Environment}-BatchJobRole"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Action:
- "sts:AssumeRole"
Effect: "Allow"
Principal:
Service:
- "ecs-tasks.amazonaws.com"
- "batch.amazonaws.com"
Policies:
-
PolicyName: !Sub "${Environment}-s3-access"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "s3:*"
- "iam:*"
- "batch:*"
Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"
ECSInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
- !Ref ECSRole
ECSRole:
Type: "AWS::IAM::Role"
Properties:
Path: "/"
RoleName: !Sub "${Environment}-batch-ecs-role"
SourceAccount:
Ref: AWS::AccountId
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
-
Action: "sts:AssumeRole"
Effect: "Allow"
Principal:
Service:
- "ec2.amazonaws.com"
- "batch.amazonaws.com"
Policies:
- PolicyName: !Sub "${Environment}-full-access-for-batch-resource"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "s3:*"
- "iam:*"
- "batch:*"
Resource: !Sub "arn:aws:s3:::batch-${AWS::AccountId}-${AWS::Region}/*"
- PolicyName: !Sub ${Environment}-ecs-batch-policy
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Action:
- "ecs:CreateCluster"
- "ecs:DeregisterContainerInstance"
- "ecs:DiscoverPollEndpoint"
- "ecs:Poll"
- "ecs:RegisterContainerInstance"
- "ecs:StartTelemetrySession"
- "ecs:StartTask"
- "ecs:Submit*"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
- "logs:DescribeLogStreams"
- "logs:CreateLogGroup"
- "ecr:BatchCheckLayerAvailability"
- "ecr:BatchGetImage"
- "ecr:GetDownloadUrlForLayer"
- "ecr:GetAuthorizationToken"
- "s3:*"
- "batch:*"
Resource: "*"
- PolicyName: !Sub "${Environment}-ecs-instance-policy"
PolicyDocument:
Statement:
-
Effect: "Allow"
Action:
- "ecs:DescribeContainerInstances"
- "ecs:ListClusters"
- "ecs:RegisterTaskDefinition"
- "s3:*"
- "batch:*"
Resource: "*"
-
Effect: "Allow"
Action:
- "ecs:*"
- "s3:*"
- "batch:*"
Resource: "*"
As you can see I've tried giving more than enough permissions in these policies which is already a bad practice, but I still can't get it to Assume Role. Any help would be appreciated.
EDIT: I have checked and I can see the AWSBatchServiceRole and I have added AWSBatchServiceRole and AWSBatchFullAccess permissions to it and in the Trust Relationship, I do have Sts:AssumeRole in there. This is the JSON from Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "batch.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

One of my friend figured it out and it worked. It was a dumb mistake.
Changed arn:aws:iam::${AWS::AccountId}:role/service-role/AWSBatchServiceRole to arn:aws:iam::${AWS::AccountId}:role/AWSBatchServiceRole and it worked.
service-role/ isn't required, at least not now.

Setting minimum role for elasticsearch instance put method

I have this cloudformation template and it works as expected. It will add 1 record to elasticsearch index.
But I am not sure if the Role is defined correctly. I need to set the minimum permissions for this function.
AWSTemplateFormatVersion: "2010-09-09"
Description: "Gateway and Lambda function for mailgun API"
Resources:
lambdaIAMRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "sts:AssumeRole"
Effect: "Allow"
Principal:
Service:
- "lambda.amazonaws.com"
Policies:
- PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- "logs:CreateLogGroup"
- "logs:CreateLogStream"
- "logs:PutLogEvents"
Effect: "Allow"
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
PolicyName: "lambda"
lambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Code:
ZipFile: |
def handler(event,context):
from elasticsearch import Elasticsearch
es = Elasticsearch(
['search-test-XXXX.us-east-1.es.amazonaws.com'],
http_auth=('root', 'XXXX)'),
scheme="https",
port=443,
)
doc = {
'author': 'kimchy',
'text': 'Elasticsearch: cool. bonsai cool.'
}
res = es.index(index="test-index", id=1, body=doc)
Description: "EmailThis"
FunctionName: elast
Handler: "index.handler"
MemorySize: 128
Role: !GetAtt "lambdaIAMRole.Arn"
Runtime: "python3.6"
Timeout: 100
Layers:
- "arn:aws:lambda:us-east-1:770693421928:layer:Klayers-python38-elasticsearch:12"

Yes, the permissions in the role match those from standard AWSLambdaBasicExecutionRole.
However, your role will not work, as it has incorrect resource. Instead of:
Resource:
- !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/furl:*"
there should be:
Resource:
- !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/elast:*"
since elast is the name of your function, and not furl.

DynamoDB Cloudformation Permission

I currently have the following cloudformation .yaml file:
Resources:
DynamoTable:
Type: "AWS::DynamoDB::Table"
Properties:
...
...
...
How do I give other resources permission to query this table?

Resources:
Service:
Type: "AWS::CloudFormation::Stack"
Properties:
Parameters:
...
...
TaskPolicyArn: !Ref ThisServicePolicy
DynamoTable:
Type: "AWS::DynamoDB::Table"
Properties:
AttributeDefinitions:
...
...
...
ThisServicePolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
ManagedPolicyName: SomePolicyName
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Action:
- "dynamodb:GetItem"
- "dynamodb:BatchGetItem"
- "dynamodb:Query"
Resource: "*"

Getting Cloudformation error: Embedded stack was not successfully created

I've made a parent (nested) stack template that references 4 child templates. When I launch the stack through aws cloudformation create-stack, I get the following error for the parent stack:
Embedded stack AlignmentLambdaFunction was not successfully created: The following resource(s) failed to create: [CloudspanLambdaFunction, HaploLambdaExecutionRole, AlignmentLambdaExecutionRole].
And I get this error within one of the nested stacks that was getting created from the parent: Policy contains a statement with one or more invalid principals (for MasterGCPStorageKey (which is a resource in the Lambda child above)
I don't understand the source of the error. I thought maybe it was because of needing a DependsOn for the ExecutionRoles, but that didn't resolve the error.
Parent Stack:
AWSTemplateFormatVersion: "2010-09-09"
Description: "Master template for wgs-pipeline. Calls to other stack templates."
Parameters:
CloudspanLambdaFuncS3BucketName:
Type: String
CloudspanLambdaFuncS3KeyName:
Default: 'sfn.deployable.zip'
Type: String
CloudspanLambdaFuncModuleName:
Default: 'cloudspan'
Type: String
AlignmentLambdaFuncS3BucketName:
Type: String
AlignmentLambdaFuncS3KeyName:
Type: String
AlignmentLambdaFuncModuleName:
Type: String
HaploLambdaFuncS3BucketName:
Type: String
HaploLambdaFuncS3KeyName:
Type: String
HaploLambdaFuncModuleName:
Type: String
KMSAdminUserARN:
Type: String
KMSEndUserARN:
Type: String
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: 10.0.0.0/16
InternetGateway:
Type: AWS::EC2::InternetGateway
RouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId:
Ref: 'VPC'
VPCGatewayAttachment:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId:
Ref: 'VPC'
InternetGatewayId:
Ref: 'InternetGateway'
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: EC2 Security Group for instances launched in the VPC by Batch
VpcId:
Ref: 'VPC'
StepFunctionsActivitiesInstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Allow http to client host
VpcId:
Ref: VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: '22'
ToPort: '22'
CidrIp: 128.218.0.0/16
Subnet:
Type: AWS::EC2::Subnet
Properties:
CidrBlock: 10.0.0.0/24
VpcId:
Ref: 'VPC'
AvailabilityZone:
Ref: GPCESubnetAZ1
MapPublicIpOnLaunch: 'True'
DependsOn: VPC
Route:
Type: AWS::EC2::Route
Properties:
RouteTableId:
Ref: 'RouteTable'
DestinationCidrBlock: 0.0.0.0/0
GatewayId:
Ref: 'InternetGateway'
DependsOn:
- RouteTable
- InternetGateway
SubnetRouteTableAssociation:
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
RouteTableId:
Ref: 'RouteTable'
SubnetId:
Ref: 'Subnet'
DependsOn:
- RouteTable
- Subnet
# Beginning of reference to child stacks
ClouspanLambdaFunction:
Type: "AWS::CloudFormation::Stack"
Properties:
Parameters:
CloudspanLambdaFuncS3BucketName:
Ref: CloudspanLambdaFuncS3BucketName
CloudspanLambdaFuncS3KeyName:
Ref: CloudspanLambdaFuncS3KeyName
CloudspanLambdaFuncModuleName:
Ref: CloudspanLambdaFuncModuleName
KMSAdminUserARN:
Ref: KMSAdminUserARN
KMSEndUserARN:
Ref: KMSEndUserARN
TemplateURL: https://s3.amazonaws.com/CFNTemplate/lambda_resources.stack.yaml
TimeoutInMinutes: 1
AlignmentLambdaFunction:
Type: "AWS::CloudFormation::Stack"
Properties:
Parameters:
AlignmentLambdaFuncS3BucketName:
Ref: AlignmentLambdaFuncS3BucketName
AlignmentLambdaFuncS3KeyName:
Ref: AlignmentLambdaFuncS3KeyName
AlignmentLambdaFuncModuleName:
Ref: AlignmentLambdaFuncModuleName
KMSAdminUserARN:
Ref: KMSAdminUserARN
KMSEndUserARN:
Ref: KMSEndUserARN
TemplateURL: https://s3.amazonaws.com/CFNTemplate/lambda_resources.stack.yaml
TimeoutInMinutes: 1
HaploLambdaFunction:
Type: "AWS::CloudFormation::Stack"
Properties:
Parameters:
HaploLambdaFuncS3BucketName:
Ref: HaploLambdaFuncS3BucketName
HaploLambdaFuncS3KeyName:
Ref: HaploLambdaFuncS3KeyName
HaploLambdaFuncModuleName:
Ref: HaploLambdaFuncModuleName
KMSAdminUserARN:
Ref: KMSAdminUserARN
KMSEndUserARN:
Ref: KMSEndUserARN
TemplateURL: https://s3.amazonaws.com/CFNTemplate/lambda_resources.stack.yaml
TimeoutInMinutes: 1
Lambda Child Stack (relevant for error):
AWSTemplateFormatVersion: '2010-09-09'
Description: lambda function and execution role stack.
Parameters:
CloudspanLambdaFuncS3BucketName:
Type: String
Default: 'claudia-test-transfer'
CloudspanLambdaFuncS3KeyName:
Default: 'sfn.deployable.zip'
Type: String
CloudspanLambdaFuncModuleName:
Default: 'cloudspan'
Type: String
AlignmentLambdaFuncS3BucketName:
Type: String
Default: 'claudia-test-transfer'
AlignmentLambdaFuncS3KeyName:
Type: String
Default: 'alignment_processing.deployable.zip'
AlignmentLambdaFuncModuleName:
Type: String
Default: 'alignment_processing'
HaploLambdaFuncS3BucketName:
Type: String
Default: 'claudia-test-transfer'
HaploLambdaFuncS3KeyName:
Type: String
Default: 'sentieon_haplotyper.deployable.zip'
HaploLambdaFuncModuleName:
Type: String
Default: 'sentieon_haplotyper'
KMSAdminUserARN:
Type: String
KMSEndUserARN:
Type: String
Resources:
CloudspanLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Handler:
Fn::Join: [ ".", [ Ref: CloudspanLambdaFuncModuleName, "handler"] ]
Role:
Fn::GetAtt: [ CloudspanLambdaExecutionRole, Arn ]
Code:
S3Bucket:
Ref: CloudspanLambdaFuncS3BucketName
S3Key:
Ref: CloudspanLambdaFuncS3KeyName
Runtime: "python3.6"
Timeout: "60"
DependsOn: CloudspanLambdaExecutionRole
AlignmentLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Handler:
Fn::Join: [ ".", [ Ref: AlignmentLambdaFuncModuleName, "handler"] ]
Role:
Fn::GetAtt: [ AlignmentLambdaExecutionRole, Arn ]
Code:
S3Bucket:
Ref: AlignmentLambdaFuncS3BucketName
S3Key:
Ref: AlignmentLambdaFuncS3KeyName
Runtime: "python3.6"
Timeout: "60"
DependsOn: AlignmentLambdaExecutionRole
HaploLambdaFunction:
Type: "AWS::Lambda::Function"
Properties:
Handler:
Fn::Join: [ ".", [ Ref: HaploLambdaFuncModuleName, "handler"] ]
Role:
Fn::GetAtt: [ HaploLambdaExecutionRole, Arn ]
Code:
S3Bucket:
Ref: HaploLambdaFuncS3BucketName
S3Key:
Ref: HaploLambdaFuncS3KeyName
Runtime: "python3.6"
Timeout: "60"
DependsOn: HaploLambdaExecutionRole
CloudspanLambdaExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: "sts:AssumeRole"
Policies:
- PolicyName: CanListBuckets
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:GetBucketLocation"
- "s3:ListAllMyBuckets"
Resource: "arn:aws:s3:::*"
- PolicyName: CanLog
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
AlignmentLambdaExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: "sts:AssumeRole"
Policies:
- PolicyName: CanListBuckets
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:GetBucketLocation"
- "s3:ListAllMyBuckets"
Resource: "arn:aws:s3:::*"
- PolicyName: CanCallBatch
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "batch:*"
Resource: "*"
- PolicyName: CanLog
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
HaploLambdaExecutionRole:
Type: "AWS::IAM::Role"
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: "sts:AssumeRole"
Policies:
- PolicyName: CanListBuckets
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "s3:GetBucketLocation"
- "s3:ListAllMyBuckets"
Resource: "arn:aws:s3:::*"
- PolicyName: CanCallBatch
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- "batch:*"
Resource: "*"
- PolicyName: CanLog
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- logs:*
Resource: arn:aws:logs:*:*:*
MasterGCPStorageKey:
Type: "AWS::KMS::Key"
Properties:
Description: Symmetric Master Key for GCP Storage Credentials off-line encryption/on-line decryption protocol
Enabled: True
EnableKeyRotation: True
KeyPolicy:
Version: "2012-10-17"
Statement:
- Sid: "Allow Lambda Excution Role access to GCP Storage decryption key"
Effect: "Allow"
Principal:
# ARN of CloudspanLambdaExecutionRole
AWS:
Fn::GetAtt: [ CloudspanLambdaExecutionRole, Arn ]
Action:
- kms:Decrypt
- kms:DescribeKey
# in this context "*" means "this" CMK
Resource: "*"
- Sid: "Allow Administrator to admin the GCP Storage decryption key"
Effect: "Allow"
Principal:
# ARN of the KMS admin IAM user
AWS:
Ref: KMSAdminUserARN
Action:
- "kms:Create*"
- "kms:Describe*"
- "kms:Enable*"
- "kms:List*"
- "kms:Put*"
- "kms:Update*"
- "kms:Revoke*"
- "kms:Disable*"
- "kms:Get*"
- "kms:Delete*"
- "kms:TagResource"
- "kms:UntagResource"
- "kms:ScheduleKeyDeletion"
- "kms:CancelKeyDeletion"
- "kms:Encrypt"
- "kms:Decrypt"
- "kms:ReEncrypt"
- "kms:GenerateDataKey*"
- "kms:DescribeKey"
# in this context "*" means "this" CMK
Resource: "*"
- Sid: "Allow End User to encrypt the GCP Storage creds"
Effect: "Allow"
Principal:
# ARN of the KMS IAM end user
AWS:
Ref: KMSEndUserARN
Action:
- "kms:Encrypt"
- "kms:ReEncrypt"
- "kms:DescribeKey"
# in this context "*" means "this" CMK
Resource: "*"
DependsOn: CloudspanLambdaExecutionRole

I also was getting the following error after re-deploying a CloudFormation stack I had removed (via Serverless):
We encountered the following errors while processing your request:
Policy contains a statement with one or more invalid principals.
In my case, the original role which was assigned to my KMS encryption key was removed. KMS still keeps a reference to the removed role, and apparently adding a newly created role of the same type creates this error.
I solved this by simply removing the old reference to the removed role, under IAM > Encryption Keys > YOUR_KEY_NAME > Key Policy > Key Users