What is the valid syntax for a KMS Key Policy to avoid MalformedPolicyDocument errors?


I am trying to create an AWS KMS Key Policy and have been plagued trying to get CloudFormation to accept the key policy. Everything I have been able to find and read says this policy should be valid and the syntax is correct as it runs, but it returns MalformedPolicyDocumentExceptionnull (Service: AWSKMS; Status Code: 400;

Has anyone else run into this? If so, any thoughts or suggestions on how I can resolve the errors? I’ve been stuck and banging my head on this one and can’t see what I’m missing, and my Google-fu is failing me.

Code Snippet:


After much trial and error and reaching out to other partners, I found the solution for the above issue.

The Condition in the snippet above was incorrect and should have been formatted as follows:

Once changed to this the policy went in without issue.
