I am getting an error "The provided policy document does not meet the requirements of the specified policy type." while trying to create an SCP policy.

My idea is to limit who can update the existing function and also who can pass the role for a new function.

Org --> Org_OU --> Account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Lambda-update",
            "Effect": "Deny",
            "Action": [
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration"
            ],
            "Resource": "arn:aws:lambda:us-west-2:AccountNumberXXX:function:load-file",
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::AccountNumberXXX:role/Admin",
                        "arn:aws:iam::AccountNumberXXX:role/SuperAdmin"
                    ]
                }
            }
        },
        {
            "Sid": "lambda-PassRole",
            "Effect": "Deny",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::AccountNumberXXX:role/lambda-role",
            "Condition": {
                "ArnNotEquals": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::AccountNumberXXX:role/Admin",
                        "arn:aws:iam::AccountNumberXXX:role/SuperAdmin"
                    ]
                }
            }
        }
    ]
}
Pradeep

1 Answer

Figured out the issue is with the "-" in the Sid. After removing those, I was able to create the policy.

Pradeep
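The answer above pins the error on the hyphens in the Sid values. Below is an added example (not code from the question or answer) of a small pre-flight checker that catches this class of problem before the policy is sent to AWS Organizations. It embeds the questioner's policy as sample input, flags Sids that are not purely alphanumeric, and also applies the other SCP-specific rules I know from AWS's SCP syntax documentation (no Principal/NotPrincipal element; Allow statements must use Resource "*" and cannot carry a Condition). The regex and those rules are my assumptions about the service's validation, not something the page verifies; the account number is the page's own placeholder.

```python
import copy
import json
import re

# Assumption: an SCP Sid may contain only ASCII letters and digits.
# The hyphenated Sids from the question are exactly what this rejects.
SID_PATTERN = re.compile(r"^[A-Za-z0-9]+$")

# The questioner's policy, embedded here as constructed sample input.
QUESTION_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Lambda-update",
            "Effect": "Deny",
            "Action": ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"],
            "Resource": "arn:aws:lambda:us-west-2:AccountNumberXXX:function:load-file",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [
                "arn:aws:iam::AccountNumberXXX:role/Admin",
                "arn:aws:iam::AccountNumberXXX:role/SuperAdmin"]}}
        },
        {
            "Sid": "lambda-PassRole",
            "Effect": "Deny",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::AccountNumberXXX:role/lambda-role",
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": [
                "arn:aws:iam::AccountNumberXXX:role/Admin",
                "arn:aws:iam::AccountNumberXXX:role/SuperAdmin"]}}
        }
    ]
}
""")


def _statements(policy):
    """Normalise the Statement element to a list (a single dict is also legal JSON policy)."""
    statements = policy.get("Statement", [])
    return [statements] if isinstance(statements, dict) else list(statements)


def check_scp(policy):
    """Return a list of problems found; an empty list means the policy passes these checks."""
    problems = []
    seen_sids = set()
    for index, stmt in enumerate(_statements(policy)):
        where = f"Statement[{index}]"
        sid = stmt.get("Sid")
        if sid is not None:
            if not SID_PATTERN.match(sid):
                problems.append(f"{where}: Sid {sid!r} must contain only A-Z, a-z, 0-9")
            if sid in seen_sids:
                problems.append(f"{where}: duplicate Sid {sid!r}")
            seen_sids.add(sid)
        # Assumption: SCPs never name a principal; they apply to every principal in scope.
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{where}: Principal/NotPrincipal are not allowed in an SCP")
        # Assumption: Allow statements in an SCP are restricted to Resource "*" and no Condition.
        if stmt.get("Effect") == "Allow":
            if stmt.get("Resource") != "*":
                problems.append(f'{where}: Allow statements must use Resource "*"')
            if "Condition" in stmt:
                problems.append(f"{where}: Allow statements may not have a Condition")
    return problems


def fix_sids(policy):
    """Return a deep copy of the policy with every non-alphanumeric character removed from each Sid."""
    fixed = copy.deepcopy(policy)
    for stmt in _statements(fixed):
        if "Sid" in stmt:
            stmt["Sid"] = re.sub(r"[^A-Za-z0-9]", "", stmt["Sid"])
    return fixed


if __name__ == "__main__":
    for problem in check_scp(QUESTION_POLICY):
        print("problem:", problem)
    corrected = fix_sids(QUESTION_POLICY)
    print("after fix:", check_scp(corrected) or "no problems")
    print(json.dumps(corrected, indent=2))
```

Run it against a policy file before calling `aws organizations create-policy`: the original policy reports the two bad Sids, and the copy returned by `fix_sids` ("Lambdaupdate" and "lambdaPassRole") passes cleanly. The checker is deliberately conservative; passing it does not guarantee AWS will accept the document, it only rules out the mistakes listed above.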