MalformedPolicyDocument
cloud
config_error
ai_generated
true
MalformedPolicyDocument:策略中的主体无效:'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN 不符合预期格式
MalformedPolicyDocument: Invalid principal in policy: 'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN does not match expected format
ID: cloud/aws-iam-role-trust-policy-invalid-principal
92%修复率
87%置信度
1证据数
2023-06-25首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| AWS IAM API 2010-05-08 | active | — | — | — |
| AWS CLI 2.15.0 | active | — | — | — |
根因分析
IAM 角色信任策略包含格式错误的主体 ARN,或错误地使用了服务主体;对于跨账户信任,主体必须是 'AWS': '123456789012'(账户 ID),而不是完整的角色 ARN。
English
The IAM role trust policy contains a principal ARN that is malformed or uses a service principal incorrectly; for cross-account trust, the principal must be 'AWS': '123456789012' (account ID) not a full role ARN.
官方文档
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html解决方案
-
将主体更改为账户 ID:'AWS': '123456789012'。示例信任策略片段:{"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"} -
如果使用服务主体(例如 EC2),请使用 'Service': 'ec2.amazonaws.com' 而不是 'AWS'。
-
使用 AWS CLI 更新信任策略:aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json
无效尝试
常见但无效的做法:
-
90% 失败
The policy is malformed because the principal format is incorrect.
-
30% 失败
Overly permissive; security audits will flag this.