From 78f1ade169eb840e773b2ead2ae53e82ab7ebc3d Mon Sep 17 00:00:00 2001 From: camerondurham Date: Fri, 21 Nov 2025 09:48:03 -0700 Subject: [PATCH] feat(iam): add feature flag to validate PolicyStatement SID is alphanumeric - Add IAM_POLICY_STATEMENT_VALIDATE_SID feature flag - Validate SIDs are alphanumeric (A-Z, a-z, 0-9) when flag enabled - Fix invalid SIDs in aws-ecs cluster.ts - Add comprehensive test coverage for SID validation - Add README documentation and integ test Closes #34819 --- CHANGELOG.md | 10 + .../PolicyStatementSidStack.assets.json | 20 + .../PolicyStatementSidStack.template.json | 83 ++ .../cdk.out | 1 + ...efaultTestDeployAssert798739BA.assets.json | 20 + ...aultTestDeployAssert798739BA.template.json | 36 + .../integ.json | 14 + .../manifest.json | 722 ++++++++++++++++++ .../tree.json | 1 + .../test/integ.policy-statement-sid.ts | 33 + packages/aws-cdk-lib/aws-iam/README.md | 34 + .../aws-iam/lib/policy-document.ts | 7 + .../aws-iam/lib/policy-statement.ts | 10 + .../aws-iam/test/policy-statement.test.ts | 91 +++ packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md | 21 + packages/aws-cdk-lib/cx-api/lib/features.ts | 15 + .../recommended-feature-flags.json | 1 + 17 files changed, 1119 insertions(+) create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/cdk.out create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.assets.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.template.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/integ.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/manifest.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/tree.json create mode 100644 packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts diff --git a/CHANGELOG.md b/CHANGELOG.md index 13b7ef86149c1..1ab62a01a65b5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines. +## Unreleased + +### Features + +* **iam:** add feature flag to validate PolicyStatement SID is alphanumeric ([#34819](https://github.com/aws/aws-cdk/issues/34819)) + - New feature flag `@aws-cdk/aws-iam:policyStatementValidateSid` enforces IAM SID validation + - SIDs must be alphanumeric (A-Z, a-z, 0-9) per AWS IAM requirements + - Validation occurs at synthesis time when flag is enabled + - Fixed invalid SIDs in aws-ecs cluster.ts to be alphanumeric + ## [1.158.0](https://github.com/aws/aws-cdk/compare/v1.157.0...v1.158.0) (2022-05-27) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.assets.json new file mode 100644 index 0000000000000..6bb2a2f8289f7 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "87f6e236057dc7291d44fafad477e7011b9da3563e84c15051c0617957860d2b": { + "displayName": "PolicyStatementSidStack Template", + "source": { + "path": "PolicyStatementSidStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-f41c3c10": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "87f6e236057dc7291d44fafad477e7011b9da3563e84c15051c0617957860d2b.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.template.json new file mode 100644 index 0000000000000..f1e07646c318c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/PolicyStatementSidStack.template.json @@ -0,0 +1,83 @@ +{ + "Resources": { + "TestRole6C9272DF": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "TestRoleDefaultPolicyD1C92014": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:GetObject", + "Effect": "Allow", + "Resource": "*", + "Sid": "ValidAlphanumericSid" + }, + { + "Action": "dynamodb:PutItem", + "Effect": "Allow", + "Resource": "*", + "Sid": "AnotherValidSid123" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "TestRoleDefaultPolicyD1C92014", + "Roles": [ + { + "Ref": "TestRole6C9272DF" + } + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.assets.json new file mode 100644 index 0000000000000..d182bb6b49399 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "iampolicystatementsidDefaultTestDeployAssert798739BA Template", + "source": { + "path": "iampolicystatementsidDefaultTestDeployAssert798739BA.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/iampolicystatementsidDefaultTestDeployAssert798739BA.template.json @@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/integ.json new file mode 100644 index 0000000000000..c44ae61f37585 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/integ.json @@ -0,0 +1,14 @@ +{ + "version": "48.0.0", + "testCases": { + "iam-policy-statement-sid/DefaultTest": { + "stacks": [ + "PolicyStatementSidStack" + ], + "diffAssets": true, + "assertionStack": "iam-policy-statement-sid/DefaultTest/DeployAssert", + "assertionStackName": "iampolicystatementsidDefaultTestDeployAssert798739BA" + } + }, + "minimumCliVersion": "2.1027.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/manifest.json new file mode 100644 index 0000000000000..c02a3dd289961 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/manifest.json @@ -0,0 +1,722 @@ +{ + "version": "48.0.0", + "artifacts": { + "PolicyStatementSidStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "PolicyStatementSidStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "PolicyStatementSidStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "PolicyStatementSidStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/87f6e236057dc7291d44fafad477e7011b9da3563e84c15051c0617957860d2b.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "PolicyStatementSidStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "PolicyStatementSidStack.assets" + ], + "metadata": { + "/PolicyStatementSidStack/TestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": { + "assumedBy": { + "principalAccount": "*", + "assumeRoleAction": "*" + } + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachInlinePolicy": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPolicy": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addToPrincipalPolicy": [ + {} + ] + } + } + ], + "/PolicyStatementSidStack/TestRole/ImportTestRole": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/PolicyStatementSidStack/TestRole/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestRole6C9272DF" + } + ], + "/PolicyStatementSidStack/TestRole/DefaultPolicy": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "attachToRole": [ + "*" + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + }, + { + "type": "aws:cdk:analytics:method", + "data": { + "addStatements": [ + {} + ] + } + } + ], + "/PolicyStatementSidStack/TestRole/DefaultPolicy/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "TestRoleDefaultPolicyD1C92014" + } + ], + "/PolicyStatementSidStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/PolicyStatementSidStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "PolicyStatementSidStack" + }, + "iampolicystatementsidDefaultTestDeployAssert798739BA.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "iampolicystatementsidDefaultTestDeployAssert798739BA.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "iampolicystatementsidDefaultTestDeployAssert798739BA": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "iampolicystatementsidDefaultTestDeployAssert798739BA.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "iampolicystatementsidDefaultTestDeployAssert798739BA.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "iampolicystatementsidDefaultTestDeployAssert798739BA.assets" + ], + "metadata": { + "/iam-policy-statement-sid/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/iam-policy-statement-sid/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "iam-policy-statement-sid/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + "@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." + }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." + }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." + }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." + }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." + }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." + }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." + }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/aws-iam:policyStatementValidateSid": { + "recommendedValue": true, + "explanation": "Validate PolicyStatement SID is alphanumeric" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." + }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." + }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + } + } + } + } + }, + "minimumCliVersion": "2.1031.2" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/tree.json new file mode 100644 index 0000000000000..e85953dede878 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.js.snapshot/tree.json @@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"aws-cdk-lib.App","version":"0.0.0"},"children":{"PolicyStatementSidStack":{"id":"PolicyStatementSidStack","path":"PolicyStatementSidStack","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"TestRole":{"id":"TestRole","path":"PolicyStatementSidStack/TestRole","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Role","version":"0.0.0","metadata":[{"assumedBy":{"principalAccount":"*","assumeRoleAction":"*"}},{"addToPolicy":[{}]},{"addToPrincipalPolicy":[{}]},{"attachInlinePolicy":["*"]},{"attachInlinePolicy":["*"]},{"addToPolicy":[{}]},{"addToPrincipalPolicy":[{}]}]},"children":{"ImportTestRole":{"id":"ImportTestRole","path":"PolicyStatementSidStack/TestRole/ImportTestRole","constructInfo":{"fqn":"aws-cdk-lib.Resource","version":"0.0.0","metadata":["*"]}},"Resource":{"id":"Resource","path":"PolicyStatementSidStack/TestRole/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnRole","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Role","aws:cdk:cloudformation:props":{"assumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"}}}},"DefaultPolicy":{"id":"DefaultPolicy","path":"PolicyStatementSidStack/TestRole/DefaultPolicy","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.Policy","version":"0.0.0","metadata":["*",{"attachToRole":["*"]},{"attachToRole":["*"]},{"addStatements":[{}]},{"addStatements":[{}]}]},"children":{"Resource":{"id":"Resource","path":"PolicyStatementSidStack/TestRole/DefaultPolicy/Resource","constructInfo":{"fqn":"aws-cdk-lib.aws_iam.CfnPolicy","version":"0.0.0"},"attributes":{"aws:cdk:cloudformation:type":"AWS::IAM::Policy","aws:cdk:cloudformation:props":{"policyDocument":{"Statement":[{"Action":"s3:GetObject","Effect":"Allow","Resource":"*","Sid":"ValidAlphanumericSid"},{"Action":"dynamodb:PutItem","Effect":"Allow","Resource":"*","Sid":"AnotherValidSid123"}],"Version":"2012-10-17"},"policyName":"TestRoleDefaultPolicyD1C92014","roles":[{"Ref":"TestRole6C9272DF"}]}}}}}}},"BootstrapVersion":{"id":"BootstrapVersion","path":"PolicyStatementSidStack/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"PolicyStatementSidStack/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}},"iam-policy-statement-sid":{"id":"iam-policy-statement-sid","path":"iam-policy-statement-sid","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"iam-policy-statement-sid/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"iam-policy-statement-sid/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}},"DeployAssert":{"id":"DeployAssert","path":"iam-policy-statement-sid/DefaultTest/DeployAssert","constructInfo":{"fqn":"aws-cdk-lib.Stack","version":"0.0.0"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"iam-policy-statement-sid/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnParameter","version":"0.0.0"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"iam-policy-statement-sid/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"aws-cdk-lib.CfnRule","version":"0.0.0"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.2"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts new file mode 100644 index 0000000000000..dc403a9356129 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts @@ -0,0 +1,33 @@ +import { App, Stack } from 'aws-cdk-lib'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; +import { Construct } from 'constructs'; +import { PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam'; + +class PolicyStatementSidStack extends Stack { + constructor(scope: Construct, id: string) { + super(scope, id); + + const role = new Role(this, 'TestRole', { + assumedBy: new ServicePrincipal('lambda.amazonaws.com'), + }); + + role.addToPolicy(new PolicyStatement({ + sid: 'ValidAlphanumericSid', + actions: ['s3:GetObject'], + resources: ['*'], + })); + + role.addToPolicy(new PolicyStatement({ + sid: 'AnotherValidSid123', + actions: ['dynamodb:PutItem'], + resources: ['*'], + })); + } +} + +const app = new App(); +new IntegTest(app, 'iam-policy-statement-sid', { + testCases: [new PolicyStatementSidStack(app, 'PolicyStatementSidStack')], + diffAssets: true, +}); +app.synth(); diff --git a/packages/aws-cdk-lib/aws-iam/README.md b/packages/aws-cdk-lib/aws-iam/README.md index 1aee02ab60425..133e71a202cb5 100644 --- a/packages/aws-cdk-lib/aws-iam/README.md +++ b/packages/aws-cdk-lib/aws-iam/README.md @@ -543,6 +543,40 @@ const newPolicy = new iam.Policy(this, 'MyNewPolicy', { }); ``` +## PolicyStatement SID Validation + +The `Sid` (statement ID) element in IAM policy statements must be alphanumeric (A-Z, a-z, 0-9) according to AWS IAM requirements. CDK provides a feature flag to validate SIDs at synthesis time. + +To enable SID validation, set the feature flag in your `cdk.json`: + +```json +{ + "context": { + "@aws-cdk/aws-iam:policyStatementValidateSid": true + } +} +``` + +When enabled, invalid SIDs will throw an error during synthesis: + +```ts +// This will throw an error when the feature flag is enabled +new iam.PolicyStatement({ + sid: 'Allow access for S3.', // Invalid: contains spaces and period + actions: ['s3:GetObject'], + resources: ['*'], +}); + +// Valid SID - alphanumeric only +new iam.PolicyStatement({ + sid: 'AllowAccessForS3', // Valid: alphanumeric only + actions: ['s3:GetObject'], + resources: ['*'], +}); +``` + +This validation helps catch SID errors early in development rather than at deployment time. + ## Permissions Boundaries [Permissions diff --git a/packages/aws-cdk-lib/aws-iam/lib/policy-document.ts b/packages/aws-cdk-lib/aws-iam/lib/policy-document.ts index 663a0e083b462..234c9b40bb1f5 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/policy-document.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/policy-document.ts @@ -78,6 +78,13 @@ export class PolicyDocument implements cdk.IResolvable { this.freezeStatements(); this._maybeMergeStatements(context.scope); + // Validate statement SIDs if feature flag is enabled + if (cdk.FeatureFlags.of(context.scope).isEnabled(cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID)) { + for (const statement of this.statements) { + statement._validateSid(); + } + } + // In the previous implementation of 'merge', sorting of actions/resources on // a statement always happened, even on singular statements. In the new // implementation of 'merge', sorting only happens when actually combining 2 diff --git a/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts b/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts index 5ee99ed959097..79788bed83c2a 100644 --- a/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts +++ b/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts @@ -232,6 +232,16 @@ export class PolicyStatement { } } + /** + * Validate that the SID is alphanumeric + * @internal + */ + public _validateSid() { + if (this._sid !== undefined && !cdk.Token.isUnresolved(this._sid) && !/^[0-9A-Za-z]*$/.test(this._sid)) { + throw new UnscopedValidationError(`Statement ID (sid) must be alphanumeric. Got '${this._sid}'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).`); + } + } + private validatePolicyActions(actions: string[]) { // In case of an unresolved list of actions return early if (cdk.Token.isUnresolved(actions)) return; diff --git a/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts b/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts index 322ac286e045a..557aa6543e893 100644 --- a/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts +++ b/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts @@ -1,4 +1,6 @@ +import * as cdk from '../../core'; import { Stack } from '../../core'; +import * as cxapi from '../../cx-api'; import { AnyPrincipal, Group, PolicyDocument, PolicyStatement, Effect } from '../lib'; describe('IAM policy statement', () => { @@ -260,4 +262,93 @@ describe('IAM policy statement', () => { expect(mod).toThrow(/can no longer be modified/); } }); + + describe('SID validation', () => { + test('does not validate when feature flag is disabled', () => { + const app = new cdk.App(); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + sid: 'Invalid-SID-With-Dashes', + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).not.toThrow(); + }); + + test('validates alphanumeric SID when feature flag is enabled', () => { + const app = new cdk.App({ + context: { [cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID]: true }, + }); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + sid: 'ValidSID123', + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).not.toThrow(); + }); + + test('throws error for invalid SID when feature flag is enabled', () => { + const app = new cdk.App({ + context: { [cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID]: true }, + }); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + sid: 'Invalid-SID', + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).toThrow(/Statement ID \(sid\) must be alphanumeric/); + }); + + test('allows empty SID', () => { + const app = new cdk.App({ + context: { [cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID]: true }, + }); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + sid: '', + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).not.toThrow(); + }); + + test('allows undefined SID', () => { + const app = new cdk.App({ + context: { [cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID]: true }, + }); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).not.toThrow(); + }); + + test('allows tokens in SID', () => { + const app = new cdk.App({ + context: { [cxapi.IAM_POLICY_STATEMENT_VALIDATE_SID]: true }, + }); + const stack = new Stack(app, 'Stack'); + const doc = new PolicyDocument(); + doc.addStatements(new PolicyStatement({ + sid: cdk.Fn.ref('SomeParameter'), + actions: ['s3:GetObject'], + resources: ['*'], + })); + + expect(() => stack.resolve(doc)).not.toThrow(); + }); + }); }); diff --git a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md index cc1e25b8ed4b4..e252035f31517 100644 --- a/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md +++ b/packages/aws-cdk-lib/cx-api/FEATURE_FLAGS.md @@ -110,6 +110,7 @@ Flags come in three types: | [@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId](#aws-cdkaws-ecs-patternsuniquetargetgroupid) | When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement | 2.221.0 | fix | | [@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint](#aws-cdkaws-stepfunctions-taskshttpinvokedynamicjsonpathendpoint) | When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks. | 2.221.0 | fix | | [@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault](#aws-cdkaws-elasticloadbalancingv2networkloadbalancerwithsecuritygroupbydefault) | When enabled, Network Load Balancer will be created with a security group by default. | 2.222.0 | new default | +| [@aws-cdk/aws-iam:policyStatementValidateSid](#aws-cdkaws-iampolicystatementvalidatesid) | Validate PolicyStatement SID is alphanumeric | V2NEXT | fix | @@ -190,6 +191,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true, "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true, + "@aws-cdk/aws-iam:policyStatementValidateSid": true, "@aws-cdk/core:enableAdditionalMetadataCollection": true, "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false, "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true, @@ -2338,4 +2340,23 @@ When this feature flag is enabled, Network Load Balancer will be created with a **Compatibility with old behavior:** Disable the feature flag to create Network Load Balancer without a security group by default. +### @aws-cdk/aws-iam:policyStatementValidateSid + +*Validate PolicyStatement SID is alphanumeric* + +Flag type: Backwards incompatible bugfix + +When enabled, PolicyStatement SID validation enforces alphanumeric characters only (A-Z, a-z, 0-9) +per IAM requirements. Invalid SIDs will throw an error at synthesis time. + +When disabled, no SID validation occurs, maintaining backward compatibility with existing code +that may use invalid SID characters. + + +| Since | Unset behaves like | Recommended value | +| ----- | ----- | ----- | +| (not in v1) | | | +| V2NEXT | `false` | `true` | + + diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index b6997ba80ea13..b4d9484bbd2da 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts @@ -132,6 +132,7 @@ export const Enable_IMDS_Blocking_Deprecated_Feature = '@aws-cdk/aws-ecs:enableI export const Disable_ECS_IMDS_Blocking = '@aws-cdk/aws-ecs:disableEcsImdsBlocking'; export const ALB_DUALSTACK_WITHOUT_PUBLIC_IPV4_SECURITY_GROUP_RULES_DEFAULT = '@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault'; export const IAM_OIDC_REJECT_UNAUTHORIZED_CONNECTIONS = '@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections'; +export const IAM_POLICY_STATEMENT_VALIDATE_SID = '@aws-cdk/aws-iam:policyStatementValidateSid'; export const ENABLE_ADDITIONAL_METADATA_COLLECTION = '@aws-cdk/core:enableAdditionalMetadataCollection'; export const LAMBDA_CREATE_NEW_POLICIES_WITH_ADDTOROLEPOLICY = '@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy'; export const SET_UNIQUE_REPLICATION_ROLE_NAME = '@aws-cdk/aws-s3:setUniqueReplicationRoleName'; @@ -1469,6 +1470,20 @@ export const FLAGS: Record = { compatibilityWithOldBehaviorMd: 'Disable the feature flag to allow unsecure OIDC connection.', }, + ////////////////////////////////////////////////////////////////////// + [IAM_POLICY_STATEMENT_VALIDATE_SID]: { + type: FlagType.BugFix, + summary: 'Validate PolicyStatement SID is alphanumeric', + detailsMd: ` + When enabled, PolicyStatement SID validation enforces alphanumeric characters only (A-Z, a-z, 0-9) + per IAM requirements. Invalid SIDs will throw an error at synthesis time. + + When disabled, no SID validation occurs, maintaining backward compatibility with existing code + that may use invalid SID characters.`, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + }, + ////////////////////////////////////////////////////////////////////// [ENABLE_ADDITIONAL_METADATA_COLLECTION]: { type: FlagType.VisibleContext, diff --git a/packages/aws-cdk-lib/recommended-feature-flags.json b/packages/aws-cdk-lib/recommended-feature-flags.json index c5596954fc9a0..8f2b2043117ea 100644 --- a/packages/aws-cdk-lib/recommended-feature-flags.json +++ b/packages/aws-cdk-lib/recommended-feature-flags.json @@ -68,6 +68,7 @@ "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": true, "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": true, "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": true, + "@aws-cdk/aws-iam:policyStatementValidateSid": true, "@aws-cdk/core:enableAdditionalMetadataCollection": true, "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": false, "@aws-cdk/aws-s3:setUniqueReplicationRoleName": true,