Tags: amazon-web-services, aws-cloudformation, amazon-iam, amazon-sns

Resource Definition is Malformed


I am writing a cloudformation template that builds an ECR repository. I have built it with event patterns that notify me when an image is pushed to the repo ONLY when the image scan has High or Critical vulnerabilities. To keep it simple, I first built it so that instead of sending notifications to SNS, it just made a log entry in Cloudwatch logs. That all worked well, but now that I am trying to get it to send an e-mail via SNS I am having issues. I have tried a few different approaches in the Topic Policy like !GetAtt ScanReportTopic.arn as a value for Resources, I also tried Resources: "*", and a few other things.

I am not sure what else to try. Here is the template I am working with (email obfuscated):


Resources:

  EventBusTestRuleCritical:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            CRITICAL:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting
  
  EventBusTestRuleHigh:
    Type: AWS::Events::Rule
    Properties: 
      EventBusName: default
      EventPattern:
        source:
          - aws.ecr
        detail-type:
          - ECR Image Scan
        detail:
          finding-severity-counts:
            HIGH:
            - exists: true
      Targets: 
        - Arn: !Ref ScanReportTopic
          Id: ScanReporting

  ECRTestRepo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: TestScanRepo #Optional
      ImageScanningConfiguration:
        scanOnPush: "true"

  ScanReportTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: scanTopic #Optional
      Subscription:
      - Endpoint: [email protected]
        Protocol: email
      # TopicName: Optional
  
  TopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - 
        !Ref ScanReportTopic
    PolicyDocument:
      Id: !Ref ScanReportTopic
      Statement:
      - Sid: __default_statement_ID
        Effect: Allow
        Action: sns:Publish
        Resource: !Ref ScanReportTopic
        Principal: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default'

Solution

  • Everything under TopicPolicy needs to be indented more:

      TopicPolicy:
        Type: AWS::SNS::TopicPolicy
        Properties:
          Topics:
            - 
              !Ref ScanReportTopic
          PolicyDocument:
            Id: !Ref ScanReportTopic
            Statement:
            - Sid: __default_statement_ID
              Effect: Allow
              Action: sns:Publish
              Resource: !Ref ScanReportTopic
              Principal: !Sub 'arn:aws:events:${AWS::Region}:${AWS::AccountId}:event-bus/default'

    CloudFormation Linter in VSCode shows errors inline while authoring templates, along with autocompletion and documentation links:

    Visual Studio Code extension
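Besides the indentation, the policy in the question names the default event bus ARN as the Principal; an SNS topic policy that lets EventBridge publish grants sns:Publish to the service principal events.amazonaws.com, and the grant can be narrowed to the two scan rules. The fragment below is an added example, not code from the question or the answer: it re-indents TopicPolicy as a sibling of the other Resources, reuses the resource names from the question (the two rules are assumed to be defined exactly as there), and assumes EventBridge supplies aws:SourceArn (the rule ARN) when it publishes to the topic.

```yaml
# Added example (not from the question or the answer).
# Assumes EventBusTestRuleCritical and EventBusTestRuleHigh exist as in the
# question, and that EventBridge sets aws:SourceArn to the rule ARN on publish.
Resources:
  ScanReportTopic:
    Type: AWS::SNS::Topic
    Properties:
      DisplayName: scanTopic
      Subscription:
        - Endpoint: user@example.com   # placeholder address
          Protocol: email

  # Sibling of ScanReportTopic: Type/Properties sit two spaces deeper than
  # the resource name, which is what the malformed template got wrong.
  TopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Properties:
      Topics:
        - !Ref ScanReportTopic
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowScanRulesToPublish
            Effect: Allow
            # The EventBridge service principal, not the event bus ARN.
            Principal:
              Service: events.amazonaws.com
            Action: sns:Publish
            Resource: !Ref ScanReportTopic
            # Only the two ECR scan rules may publish, not any rule in the
            # account that happens to target this topic.
            Condition:
              ArnEquals:
                aws:SourceArn:
                  - !GetAtt EventBusTestRuleCritical.Arn
                  - !GetAtt EventBusTestRuleHigh.Arn
```

Running cfn-lint over the template before deploying catches the original indentation error as a malformed resource definition without a failed stack update.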