Skip to content

feat(iam): add feature flag to validate PolicyStatement SID is alphanumeric#36150

Open
camerondurham wants to merge 4 commits intoaws:mainfrom
camerondurham:feat/iam-sid-validation-flag-main
Open

feat(iam): add feature flag to validate PolicyStatement SID is alphanumeric#36150
camerondurham wants to merge 4 commits intoaws:mainfrom
camerondurham:feat/iam-sid-validation-flag-main

Conversation

@camerondurham
Copy link
Copy Markdown

@camerondurham camerondurham commented Nov 21, 2025

Resolves #34819 by throwing error when PolicyStatement Statement id contains characters not allowed by the API.

Note this does duplicate #34828. I realized that PR makes too many changes to existing integ tests. This change is intended to be less intrusive.

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html

The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).

Issue # (if applicable)

Closes #34819

Reason for this change

CDK build allows users to write invalid statement ids containing dashes when building policy statements, then failed on deployment. To reduce time to a successful deployment, I believe the CDK should throw an exception at build time to help user make a fix locally before a failed deployment.

Description of changes

Validate that statement id matches requirements specified in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html in the constructor.

Add tests that verify only valid statement ids are set in constructor.

Describe any new or updated permissions being added

n/a

Description of how you validated changes

yes, added unit tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team November 21, 2025 16:50
@github-actions github-actions Bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK labels Nov 21, 2025
aws-cdk-automation
aws-cdk-automation previously requested changes Nov 21, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(This review is outdated)

@camerondurham
Copy link
Copy Markdown
Author

camerondurham commented Nov 21, 2025

Will fix later today after work.

This was referenced Nov 21, 2025
Open
Open
@camerondurham camerondurham force-pushed the feat/iam-sid-validation-flag-main branch from 5860098 to 78f1ade Compare November 22, 2025 03:10
@aws-cdk-automation aws-cdk-automation dismissed their stale review November 22, 2025 03:12

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 22, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 22, 2025
@github-actions github-actions Bot mentioned this pull request Dec 1, 2025
Open
@camerondurham camerondurham mentioned this pull request Dec 4, 2025
Closed
1 task
@pahud pahud mentioned this pull request Dec 10, 2025
Open
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 11, 2025
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

TestsPassed ✅SkippedFailed
Security Guardian Results48 ran48 passed
TestResult
No test annotations available

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 11, 2025
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.
To suppress a specific rule, see Suppressing Rules.

TestsPassed ✅SkippedFailed
Security Guardian Results with resolved templates48 ran48 passed
TestResult
No test annotations available

@vishaalmehrishi vishaalmehrishi self-assigned this May 5, 2026
vishaalmehrishi
vishaalmehrishi previously requested changes May 5, 2026
View reviewed changes
Comment thread packages/aws-cdk-lib/cx-api/lib/features.ts Outdated
Comment thread packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts
@mergify mergify Bot dismissed vishaalmehrishi’s stale review May 5, 2026 15:41

Pull request has been modified.

vishaalmehrishi
vishaalmehrishi previously requested changes May 5, 2026
View reviewed changes
Comment thread CHANGELOG.md Outdated
@camerondurham camerondurham force-pushed the feat/iam-sid-validation-flag-main branch from 0f282ac to f65aa85 Compare May 5, 2026 18:31
@mergify mergify Bot dismissed vishaalmehrishi’s stale review May 5, 2026 18:31

Pull request has been modified.

vishaalmehrishi
vishaalmehrishi previously approved these changes May 6, 2026
View reviewed changes
@vishaalmehrishi vishaalmehrishi removed the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label May 6, 2026
camerondurham and others added 2 commits May 6, 2026 10:49
@camerondurham @vishaalmehrishi
feat(iam): add feature flag to validate PolicyStatement SID is alphan…
6d2047e 
…umeric

- Add IAM_POLICY_STATEMENT_VALIDATE_SID feature flag
- Validate SIDs are alphanumeric (A-Z, a-z, 0-9) when flag enabled
- Fix invalid SIDs in aws-ecs cluster.ts
- Add comprehensive test coverage for SID validation
- Add README documentation and integ test

Closes aws#34819
@camerondurham @vishaalmehrishi
fix(iam): address SID flag review comments
eae33a5
@vishaalmehrishi vishaalmehrishi force-pushed the feat/iam-sid-validation-flag-main branch from f65aa85 to eae33a5 Compare May 6, 2026 08:49
@mergify mergify Bot dismissed vishaalmehrishi’s stale review May 6, 2026 08:50

Pull request has been modified.

@alvazjor
Copy link
Copy Markdown
Contributor

alvazjor commented May 6, 2026

Thanks for working on this @camerondurham — catching invalid SIDs at synth time instead of deploy time is a real improvement. I have a suggestion that would simplify this PR significantly by removing the need for a feature flag entirely.

The issue I see with the current approach

The validation currently lives in PolicyDocument.resolve(), which fires for every policy document — identity policies, resource policies, key policies, topic policies, etc. The problem is that the [0-9A-Za-z]* rule is specific to IAM identity policies. Other services have documented broader SID rules:

  • KMS explicitly documents that key policy SIDs can include spaces: "The Sid element in a key policy statement can include spaces. (Spaces are prohibited in the Sid element of an IAM policy document.)"
  • SNS requires unique SIDs but documents no character restriction.
  • S3, SQS, Lambda — no documented SID character restriction.

I suspect the feature flag was introduced because applying the validation universally would break resource policies that legitimately use broader SID characters (your prior PR #34828 had to modify existing integ tests for this reason, if I'm reading the history correctly). If that's the case, there's a simpler path that avoids the flag altogether.

Proposed alternative: move validation to validateForIdentityPolicy()

CDK already has the infrastructure to distinguish identity policies from resource policies:

  • PolicyStatement.validateForIdentityPolicy() is called from Policy (inline policies) and ManagedPolicy during synth via node.addValidation()
  • PolicyStatement.validateForResourcePolicy() is called separately for resource policies

If you move the SID check into validateForIdentityPolicy(), it only fires where IAM actually enforces the rule. Non-alphanumeric SIDs in identity policies always fail at deploy time (IAM returns a 400), so this becomes a straight bug fix — no feature flag needed per our contribution guidelines:

Input that was accepted by synth but always failed at deploy time → feature flag NOT required; fail-fast synth-time validation is preferred.

The change would look like this in policy-statement.ts:

public validateForIdentityPolicy(): string[] {
  const errors = this.validateForAnyPolicy();
  // ... existing checks ...

  // IAM strictly enforces alphanumeric SIDs for identity policies
  if (this._sid !== undefined && !cdk.Token.isUnresolved(this._sid) && !/^[0-9A-Za-z]*$/.test(this._sid)) {
    errors.push(
      `Statement ID (sid) '${this._sid}' must be alphanumeric (A-Z, a-z, 0-9) when used in an identity-based policy. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html`,
    );
  }
  return errors;
}

What this eliminates

  • The feature flag definition in cx-api/lib/features.ts
  • The exported constant (IAM_POLICY_STATEMENT_VALIDATE_SID)
  • The _validateSid() method
  • The flag check in PolicyDocument.resolve()
  • All changes to FEATURE_FLAGS.md and recommended-feature-flags.json
  • The flag context in the integ test

Summary

The bug is real, the fix is welcome, but if it is possible to be scoped to where the rule actually applies, we wont need a feature flag at all. Happy to answer questions if anything is unclear.

@camerondurham
Copy link
Copy Markdown
Author

camerondurham commented May 7, 2026

Great point @alvazjor , that's my bad I missed the SID restriction didn't apply to every type of policy document just the IAM ones.

I've moved SID validation to a dedicated function and removed the feature flag. I ran builds / new integ and framework tests but was not able to completely run deploy-mode on changes.

This PR should now just be scoped to IAM Identity policies only and the feature flag behavior removed.

Let me know if there's any additional feedback, thank you!

camerondurham
camerondurham commented May 7, 2026
View reviewed changes
Comment thread packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts
});

expect(statement.validateForIdentityPolicy()).toEqual([
"Statement ID (sid) 'Invalid-SID' must be alphanumeric (A-Z, a-z, 0-9) when used in an identity-based policy. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html",
Copy link
Copy Markdown
Author

@camerondurham camerondurham May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This URL may change in the future and this would immediately become stale. Should this be removed? Are agents / llms good enough to look up and use latest AWS docs automatically so this is irreleant?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vishaalmehrishi vishaalmehrishi vishaalmehrishi left review comments

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@vishaalmehrishi vishaalmehrishi

Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

(aws-iam): Invalid Policy Statement Id strings should fail at build time

4 participants

@camerondurham @alvazjor @vishaalmehrishi @aws-cdk-automation