diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
index 99f30247c8..2f7b06784f 100644
--- a/src/cfnlint/data/schemas/other/iam/policy.json
+++ b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -70,76 +70,88 @@
 "Condition": {
 "additionalProperties": false,
 "patternProperties": {
- "ForAllValues:^(Not)?IpAddress$": {
- "$ref": "#/definitions/ConditionSetValue"
+ "^Date(Not)?Equals(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
 },
- "ForAllValues:^Arn(Not)?Equals$": {
- "$ref": "#/definitions/ConditionSetValue"
+ "^Date(Less|Greater)Than(Equals)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
+ },
+ "^(Not)?IpAddress(Exists)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
+ },
+ "^Arn(Not)?Equals(Exists)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
 },
- "ForAllValues:^Arn(Not)?Like$": {
+ "^Arn(Not)?Like(Exists)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
+ },
+ "^Date(Not)?Equals(Exists)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionValue"
+ },
+ "^ForAllValues:(Not)?IpAddress(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAllValues:^Date(Not)?Equals$": {
+ "^ForAllValues:Arn(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAllValues:^Number(Less|Greater)Than(Equals)?$": {
+ "^ForAllValues:Arn(Not)?Like(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAllValues:^Number(Not)?Equals$": {
+ "^ForAllValues:Date(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAllValues:^String(Not)?Equals(IgnoreCase)?$": {
+ "^ForAllValues:Numeric(Less|Greater)Than(Equals)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAllValues:^String(Not)?Like$": {
+ "^ForAllValues:Numeric(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^(Not)?IpAddress$": {
+ "^ForAllValues:String(Not)?Equals(IgnoreCase)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^Arn(Not)?Equals$": {
+ "^ForAllValues:String(Not)?Like(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^Arn(Not)?Like$": {
+ "^ForAnyValue:(Not)?IpAddress(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^Date(Not)?Equals$": {
+ "^ForAnyValue:Arn(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^Number(Less|Greater)Than(Equals)?$": {
+ "^ForAnyValue:Arn(Not)?Like(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^Number(Not)?Equals$": {
+ "^ForAnyValue:Date(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^String(Not)?Equals(IgnoreCase)?$": {
+ "^ForAnyValue:Numeric(Less|Greater)Than(Equals)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "ForAnyValues:^String(Not)?Like?$": {
+ "^ForAnyValue:Numeric(Not)?Equals(IfExists)?$": {
 "$ref": "#/definitions/ConditionSetValue"
 },
- "^(Not)?IpAddress(Exists)?$": {
- "$ref": "#/definitions/ConditionValue"
+ "^ForAnyValue:String(Not)?Equals(IgnoreCase)?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionSetValue"
 },
- "^Arn(Not)?Equals(Exists)?$": {
- "$ref": "#/definitions/ConditionValue"
+ "^ForAnyValue:String(Not)?Like?(IfExists)?$": {
+ "$ref": "#/definitions/ConditionSetValue"
 },
- "^Arn(Not)?Like(Exists)?$": {
+ "^Null(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 },
- "^Date(Not)?Equals(Exists)?$": {
+ "^Bool(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 },
- "^Number(Less|Greater)Than(Equals)?(Exists)?$": {
+ "^Numeric(Less|Greater)Than(Equals)?(Exists)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 },
- "^Number(Not)?Equals(Exists)?$": {
+ "^Numeric(Not)?Equals(Exists)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 },
- "^String(Not)?Equals(IgnoreCase)?(Exists)?$": {
+ "^String(Not)?Equals(IgnoreCase)?(Exists)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 },
- "^String(Not)?Like(Exists)?$": {
+ "^String(Not)?Like(Exists)?(IfExists)?$": {
 "$ref": "#/definitions/ConditionValue"
 }
 },
diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
index ec145becd6..c526e1baf2 100644
--- a/test/unit/rules/resources/iam/test_identity_policy.py
+++ b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -175,7 +175,18 @@ def test_string_statements_with_condition(self):
 "Action": "*",
 "Resource": "*",
 "Condition": {
- "iam:PassedToService": "cloudformation.amazonaws.com"
+ "iam:PassedToService": "cloudformation.amazonaws.com",
+ "StringEquals": {"aws:PrincipalTag/job-category": "iamuser-admin"},
+ "StringLike": {"s3:prefix": ["", "home/", "home/${aws:username}/"]},
+ "ArnLike": {"aws:SourceArn": "arn:aws:cloudtrail:*:111122223333:trail/*"},
+ "NumericLessThanEquals": {"s3:max-keys": "10"},
+ "DateGreaterThan": {"aws:TokenIssueTime": "2020-01-01T00:00:01Z"},
+ "Bool": { "aws:SecureTransport": "false"},
+ "BinaryEquals": { "key" : "QmluYXJ5VmFsdWVJbkJhc2U2NA=="},
+ "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
+ "ArnEquals": {"aws:SourceArn": "arn:aws:sns:REGION:123456789012:TOPIC-ID"},
+ "StringLikeIfExists": { "ec2:InstanceType": [ "t1.*", "t2.*" ]},
+ "Null":{"aws:TokenIssueTime":"true"}
 }
 }
 ]
diff --git a/test/unit/rules/resources/iam/test_resource_policy.py b/test/unit/rules/resources/iam/test_resource_policy.py
index 1a7ea216ae..1651f94e2f 100644
--- a/test/unit/rules/resources/iam/test_resource_policy.py
+++ b/test/unit/rules/resources/iam/test_resource_policy.py
@@ -60,8 +60,8 @@ def test_object_multiple_effect(self):
 },
 "Condition": {
 "Null": {
- "s3:x-amz-server-side-encryption": [False],
- "aws:TagKeys": False,
+ "s3:x-amz-server-side-encryption": ["false"],
+ "aws:TagKeys": "false",
 }
 },
 }
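Review bot: The new condition entries in test_identity_policy.py use inconsistent brace and colon spacing — `"Bool": { "aws:SecureTransport": "false"}` and `"Null":{"aws:TokenIssueTime":"true"}` sit next to lines written in the usual one-space style — so if the project runs a formatter these lines will be rewritten on the next pass; normalising them now (e.g. `"Null": {"aws:TokenIssueTime": "true"},`) keeps the fixture stable. The fixture also keeps a condition key, `iam:PassedToService`, directly under `Condition` alongside the operator names; that was already there, but a one-line comment stating whether that entry is meant to produce a finding would make the test's intent clear, since the assertion is not visible in the hunk. test_string_statements_with_condition starts and ends outside the hunk.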