Update [16:00UTC]: AWS were quick to release a fix (aws-cfn-bootstrap-1.4-26) and -25 is still in the yum repositories. Unless you were unlucky and froze your environment today, the problem should solve itself.


The latest version of the aws-cfn-bootstrap package, aws-cfn-bootstrap-1.4-25.17.amzn1.noarch, which was signed on November 2 around 21:00 UTC, changed how cfn-signal works. cfn-signal now picks up the instance profile role's API keys and tries to sign the request by default. This causes the signal to fail if the instance's IAM role does not have the cloudformation:SignalResource permission.

cfn-signal has always supported signed requests, but if access keys were not provided, the following authentication method was used:

cfn-signal does not require credentials, so you do not need to use the --access-key, --secret-key, --role, or --credential-file options. However, if no credentials are specified, AWS CloudFormation checks for stack membership and limits the scope of the call to the stack that the instance belongs to.

 

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-signal.html

 

This will only affect users who either build AMIs or update system packages on boot. If you normally run yum update, replace it with yum -y upgrade --security or yum -y upgrade --exclude=aws-cfn-bootstrap

You could also add the IAM policy statement below to your instance role.

 

{
  "Action": [
    "cloudformation:DescribeStackResource",
    "cloudformation:SignalResource"
  ],
  "Effect": "Allow",
  "Resource": {
    "Fn::Sub": "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
  }
}
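
To find which instance roles would break before the package update reaches them, the check below evaluates role policy documents offline for the signed call that cfn-signal now makes. It is an added example, not code from this post or from AWS: the function names, role names, account id and stack ARN are constructed, and the evaluator is a simplification that only understands Effect, Action and Resource (statements using Condition, NotAction or NotResource are skipped).

```python
import re

SIGNAL = "cloudformation:SignalResource"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource_arn):
    """Simplified identity-policy check: explicit Deny wins, then any Allow."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        # NotAction, NotResource and Condition are outside this sketch.
        if "Action" not in st or "Resource" not in st or "Condition" in st:
            continue
        hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
               and any(_glob(r, resource_arn) for r in _as_list(st["Resource"])))
        if hit and st.get("Effect") == "Deny":
            return False
        allowed = allowed or (hit and st.get("Effect") == "Allow")
    return allowed

def roles_that_cannot_signal(role_policies, stack_arn):
    """Names of roles whose policy would make a signed cfn-signal fail."""
    return sorted(name for name, pol in role_policies.items()
                  if not allows(pol, SIGNAL, stack_arn))

# Constructed sample data (account id, region, stack name and id are made up).
STACK_ARN = ("arn:aws:cloudformation:eu-west-1:123456789012:"
             "stack/web-stack/11111111-2222-3333-4444-555555555555")
ROLE_POLICIES = {
    "app-role-s3-only": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    "app-role-fixed": {"Statement": [
        {"Effect": "Allow",
         "Action": ["cloudformation:DescribeStackResource", SIGNAL],
         "Resource": "arn:aws:cloudformation:eu-west-1:123456789012:stack/web-stack/*"}]},
    "app-role-other-stack": {"Statement": [
        {"Effect": "Allow", "Action": "cloudformation:Signal*",
         "Resource": "arn:aws:cloudformation:eu-west-1:123456789012:stack/db-stack/*"}]},
}

if __name__ == "__main__":
    print(roles_that_cannot_signal(ROLE_POLICIES, STACK_ARN))
```

The role scoped to a different stack is reported alongside the S3-only role, which shows why the Resource in the statement above is tied to the instance's own stack name.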

Please contact Nordcloud for more information on CloudFormation