fix(iam): throw error when statement id is invalid (#34819)

camerondurham · camerondurham · commit 597aa4fc3a57 · 2025-06-26T22:38:06.000-07:00
Resolves #34819 by throwing error when PolicyStatement Statement id contains characters not allowed by the API. See docs in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts
@@ -0,0 +1,71 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+
+/**
+ * Integration test to verify that PolicyStatements with valid alphanumeric SIDs
+ * can be successfully deployed to AWS.
+ * 
+ * This test validates that the SID validation logic doesn't interfere with
+ * actual CloudFormation deployment of valid PolicyStatements.
+ */
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'PolicyStatementSidTest');
+
+const role = new iam.Role(stack, 'TestRole', {
+  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+  inlinePolicies: {
+    TestPolicy: new iam.PolicyDocument({
+      statements: [
+        new iam.PolicyStatement({
+          sid: 'ValidSid123',
+          effect: iam.Effect.ALLOW,
+          actions: ['s3:GetObject'],
+          resources: ['arn:aws:s3:::example-bucket/*'],
+        }),
+        new iam.PolicyStatement({
+          sid: 'ALLCAPS',
+          effect: iam.Effect.ALLOW,
+          actions: ['s3:ListBucket'],
+          resources: ['arn:aws:s3:::example-bucket'],
+        }),
+        new iam.PolicyStatement({
+          sid: '123456',
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:CreateLogGroup'],
+          resources: ['*'],
+        }),
+        new iam.PolicyStatement({
+          sid: 'abc123DEF',
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:CreateLogStream'],
+          resources: ['*'],
+        }),
+        // Test statement without SID (should still work)
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:PutLogEvents'],
+          resources: ['*'],
+        }),
+      ],
+    }),
+  },
+});
+
+const managedPolicy = new iam.ManagedPolicy(stack, 'TestManagedPolicy', {
+  statements: [
+    new iam.PolicyStatement({
+      sid: 'ManagedPolicySid1',
+      effect: iam.Effect.ALLOW,
+      actions: ['dynamodb:GetItem'],
+      resources: ['*'],
+    }),
+  ],
+});
+
+role.addManagedPolicy(managedPolicy);
+
+new integ.IntegTest(app, 'PolicyStatementSidIntegTest', {
+  testCases: [stack],
+});
diff --git a/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts b/packages/@aws-cdk/aws-msk-alpha/lib/cluster.ts
@@ -631,7 +631,7 @@ export class Cluster extends ClusterBase {
       this.saslScramAuthenticationKey.addToResourcePolicy(
         new iam.PolicyStatement({
           sid:
-            'Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager',
+            'AllowAccountSecretsManagerKMSOperations',
           principals: [new iam.AnyPrincipal()],
           actions: [
             'kms:Encrypt',
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap b/packages/@aws-cdk/aws-msk-alpha/test/__snapshots__/cluster.test.ts.snap
@@ -1030,7 +1030,7 @@ exports[`MSK Cluster created with authentication enabled with combinations of sa
                 "AWS": "*",
               },
               "Resource": "*",
-              "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager",
+              "Sid": "AllowAccountSecretsManagerKMSOperations",
             },
           ],
           "Version": "2012-10-17",
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts b/packages/@aws-cdk/aws-msk-alpha/test/cluster.test.ts
@@ -507,7 +507,7 @@ describe('MSK Cluster', () => {
                 Effect: 'Allow',
                 Principal: { AWS: '*' },
                 Resource: '*',
-                Sid: 'Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager',
+                Sid: 'AllowAccountSecretsManagerKMSOperations',
               },
             ],
             'Version': '2012-10-17',
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.js.snapshot/ScramSecretTestStack.template.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.js.snapshot/ScramSecretTestStack.template.json
@@ -469,7 +469,7 @@
         "AWS": "*"
        },
        "Resource": "*",
-       "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager"
+       "Sid": "AllowAccountSecretsManagerKMSOperations"
       },
       {
        "Action": [
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.js.snapshot/tree.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.js.snapshot/tree.json
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.ts.snapshot/ScramSecretTestStack.template.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.ts.snapshot/ScramSecretTestStack.template.json
@@ -469,7 +469,7 @@
         "AWS": "*"
        },
        "Resource": "*",
-       "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager"
+       "Sid": "AllowAccountSecretsManagerKMSOperations"
       },
       {
        "Action": [
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.ts.snapshot/tree.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.add-cluster-user.ts.snapshot/tree.json
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.template.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/aws-cdk-msk-auth-integ.template.json
@@ -529,7 +529,7 @@
         "AWS": "*"
        },
        "Resource": "*",
-       "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager"
+       "Sid": "AllowAccountSecretsManagerKMSOperations"
       }
      ],
      "Version": "2012-10-17"
diff --git a/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/tree.json b/packages/@aws-cdk/aws-msk-alpha/test/integ.cluster-authentication.js.snapshot/tree.json
diff --git a/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts b/packages/aws-cdk-lib/aws-ecs/lib/cluster.ts
@@ -360,14 +360,14 @@ export class Cluster extends Resource implements ICluster {
     };
 
     key.addToResourcePolicy(new PolicyStatement({
-      sid: 'Allow generate data key access for Fargate tasks.',
+      sid: 'AllowGenerateDataKeyAccessForFargateTasks',
       principals: [new ServicePrincipal('fargate.amazonaws.com')],
       resources: ['*'],
       actions: ['kms:GenerateDataKeyWithoutPlaintext'],
       conditions: clusterConditions,
     }));
     key.addToResourcePolicy(new PolicyStatement({
-      sid: 'Allow grant creation permission for Fargate tasks.',
+      sid: 'AllowGrantCreationPermissionForFargateTasks',
       principals: [new ServicePrincipal('fargate.amazonaws.com')],
       resources: ['*'],
       actions: ['kms:CreateGrant'],
diff --git a/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts b/packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts
@@ -92,6 +92,7 @@ export class PolicyStatement {
 
   constructor(props: PolicyStatementProps = {}) {
     this._sid = props.sid;
+    this.validateStatementId(this._sid);
     this._effect = props.effect || Effect.ALLOW;
 
     this.addActions(...props.actions || []);
@@ -117,6 +118,7 @@ export class PolicyStatement {
    */
   public set sid(sid: string | undefined) {
     this.assertNotFrozen('sid');
+    this.validateStatementId(sid);
     this._sid = sid;
   }
 
@@ -232,6 +234,12 @@ export class PolicyStatement {
     }
   }
 
+  private validateStatementId(sid?: string) {
+    if (sid !== undefined && !cdk.Token.isUnresolved(sid) && !/^[0-9A-Za-z]*$/.test(sid)) {
+      throw new UnscopedValidationError(`Statement ID (sid) must be alphanumeric. Got '${sid}'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).`);
+    }
+  }
+
   private validatePolicyActions(actions: string[]) {
     // In case of an unresolved list of actions return early
     if (cdk.Token.isUnresolved(actions)) return;
diff --git a/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts b/packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts
@@ -260,4 +260,28 @@ describe('IAM policy statement', () => {
       expect(mod).toThrow(/can no longer be modified/);
     }
   });
+
+  test('accepts valid alphanumeric sid', () => {
+    const validSids = ['ValidSid123', 'ALLCAPS', '123456', 'abc123DEF'];
+
+    for (const sid of validSids) {
+      expect(() => new PolicyStatement({ sid })).not.toThrow();
+    }
+  });
+
+  test('throws error when sid contains non-alphanumeric characters', () => {
+    const invalidSids = ['invalid-sid', 'with space', 'with_underscore', 'with.dot', 'with!special@chars'];
+
+    for (const sid of invalidSids) {
+      expect(() => new PolicyStatement({ sid }))
+        .toThrow(`Statement ID (sid) must be alphanumeric. Got '${sid}'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).`);
+    }
+  });
+
+  test('throws error when setting sid to non-alphanumeric value', () => {
+    const statement = new PolicyStatement();
+
+    expect(() => statement.sid = 'invalid-sid')
+      .toThrow('Statement ID (sid) must be alphanumeric. Got \'invalid-sid\'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).');
+  });
 });
diff --git a/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts b/packages/aws-cdk-lib/aws-logs/lib/data-protection-policy.ts
@@ -64,7 +64,7 @@ export class DataProtectionPolicy {
 
     const statement = [
       {
-        Sid: 'audit-statement-cdk',
+        Sid: 'auditStatementCdk',
         DataIdentifier: identifiers,
         Operation: {
           Audit: {
@@ -73,7 +73,7 @@ export class DataProtectionPolicy {
         },
       },
       {
-        Sid: 'redact-statement-cdk',
+        Sid: 'redactStatementCdk',
         DataIdentifier: identifiers,
         Operation: {
           Deidentify: {
diff --git a/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts b/packages/aws-cdk-lib/aws-logs/test/loggroup.test.ts
@@ -577,7 +577,7 @@ describe('log group', () => {
         Version: '2021-06-01',
         Statement: [
           {
-            Sid: 'audit-statement-cdk',
+            Sid: 'auditStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -597,7 +597,7 @@ describe('log group', () => {
             },
           },
           {
-            Sid: 'redact-statement-cdk',
+            Sid: 'redactStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -647,7 +647,7 @@ describe('log group', () => {
         Version: '2021-06-01',
         Statement: [
           {
-            Sid: 'audit-statement-cdk',
+            Sid: 'auditStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -667,7 +667,7 @@ describe('log group', () => {
             },
           },
           {
-            Sid: 'redact-statement-cdk',
+            Sid: 'redactStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -722,7 +722,7 @@ describe('log group', () => {
         Version: '2021-06-01',
         Statement: [
           {
-            Sid: 'audit-statement-cdk',
+            Sid: 'auditStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -756,7 +756,7 @@ describe('log group', () => {
             },
           },
           {
-            Sid: 'redact-statement-cdk',
+            Sid: 'redactStatementCdk',
             DataIdentifier: [
               {
                 'Fn::Join': [
@@ -814,7 +814,7 @@ describe('log group', () => {
         },
         Statement: [
           {
-            Sid: 'audit-statement-cdk',
+            Sid: 'auditStatementCdk',
             DataIdentifier: [
               'EmployeeId',
             ],
@@ -825,7 +825,7 @@ describe('log group', () => {
             },
           },
           {
-            Sid: 'redact-statement-cdk',
+            Sid: 'redactStatementCdk',
             DataIdentifier: [
               'EmployeeId',
             ],
@@ -874,7 +874,7 @@ describe('log group', () => {
         },
         Statement: [
           {
-            Sid: 'audit-statement-cdk',
+            Sid: 'auditStatementCdk',
             DataIdentifier: [
               'EmployeeId',
               {
@@ -895,7 +895,7 @@ describe('log group', () => {
             },
           },
           {
-            Sid: 'redact-statement-cdk',
+            Sid: 'redactStatementCdk',
             DataIdentifier: [
               'EmployeeId',
               {

Original file line number	Diff line number	Diff line change
`@@ -469,7 +469,7 @@`
`469`	`469`	`"AWS": "*"`
`470`	`470`	`},`
`471`	`471`	`"Resource": "*",`
`472`		`- "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager"`
	`472`	`+ "Sid": "AllowAccountSecretsManagerKMSOperations"`
`473`	`473`	`},`
`474`	`474`	`{`
`475`	`475`	`"Action": [`
Original file line number	Diff line number	Diff line change
`@@ -529,7 +529,7 @@`
`529`	`529`	`"AWS": "*"`
`530`	`530`	`},`
`531`	`531`	`"Resource": "*",`
`532`		`- "Sid": "Allow access through AWS Secrets Manager for all principals in the account that are authorized to use AWS Secrets Manager"`
	`532`	`+ "Sid": "AllowAccountSecretsManagerKMSOperations"`
`533`	`533`	`}`
`534`	`534`	`],`
`535`	`535`	`"Version": "2012-10-17"`