feat(iam): add feature flag to validate PolicyStatement SID is alphanumeric

- Add IAM_POLICY_STATEMENT_VALIDATE_SID feature flag
- Validate SIDs are alphanumeric (A-Z, a-z, 0-9) when flag enabled
- Fix invalid SIDs in aws-ecs cluster.ts
- Add comprehensive test coverage for SID validation
- Add README documentation and integ test

Closes #34819

Author: camerondurham

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## Unreleased
+
+### Features
+
+* **iam:** add feature flag to validate PolicyStatement SID is alphanumeric ([#34819](https://github.com/aws/aws-cdk/issues/34819))
+  - New feature flag `@aws-cdk/aws-iam:policyStatementValidateSid` enforces IAM SID validation
+  - SIDs must be alphanumeric (A-Z, a-z, 0-9) per AWS IAM requirements
+  - Validation occurs at synthesis time when flag is enabled
+  - Fixed invalid SIDs in aws-ecs cluster.ts to be alphanumeric
+
 ## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27)
 
 

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.assets.json

@@ -0,0 +1,83 @@
+{
+ "Resources": {
+  "TestRole6C9272DF": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
+  "TestRoleDefaultPolicyD1C92014": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": "s3:GetObject",
+       "Effect": "Allow",
+       "Resource": "*",
+       "Sid": "ValidAlphanumericSid"
+      },
+      {
+       "Action": "dynamodb:PutItem",
+       "Effect": "Allow",
+       "Resource": "*",
+       "Sid": "AnotherValidSid123"
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "TestRoleDefaultPolicyD1C92014",
+    "Roles": [
+     {
+      "Ref": "TestRole6C9272DF"
+     }
+    ]
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}