Validate identity base SIDs (#4016)

kddejong · web-flow · commit 6cd4bc17143d · 2025-03-13T07:55:10.000-07:00
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -9,6 +9,7 @@
    "items": {
     "type": "string"
    },
+   "minItems": 1,
    "type": [
     "string",
     "array"
diff --git a/src/cfnlint/data/schemas/other/iam/policy_identity.json b/src/cfnlint/data/schemas/other/iam/policy_identity.json
@@ -43,7 +43,8 @@
      "$ref": "policy#/definitions/Resource"
     },
     "Sid": {
-     "$ref": "policy#/definitions/Statement/properties/Sid"
+     "$ref": "policy#/definitions/Statement/properties/Sid",
+     "pattern": "^[A-Za-z0-9]+$"
     }
    }
   }
diff --git a/src/cfnlint/rules/resources/iam/IdentityPolicy.py b/src/cfnlint/rules/resources/iam/IdentityPolicy.py
@@ -27,6 +27,9 @@ def __init__(self):
                 "Resources/AWS::IAM::Role/Properties/Policies/*/PolicyDocument",
                 "Resources/AWS::IAM::User/Properties/Policies/*/PolicyDocument",
                 "Resources/AWS::SSO::PermissionSet/Properties/InlinePolicy",
+                "Resources/AWS::IAM::UserPolicy/Properties/PolicyDocument",
+                "Resources/AWS::IAM::RolePolicy/Properties/PolicyDocument",
+                "Resources/AWS::IAM::GroupPolicy/Properties/PolicyDocument",
             ],
             "identity",
             "policy_identity.json",
diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -3,11 +3,12 @@
 SPDX-License-Identifier: MIT-0
 """
 
+from collections import deque
 from unittest import TestCase
 
 from cfnlint.context import Context
 from cfnlint.helpers import FUNCTIONS
-from cfnlint.jsonschema import CfnTemplateValidator
+from cfnlint.jsonschema import CfnTemplateValidator, ValidationError
 from cfnlint.rules.resources.iam.IdentityPolicy import IdentityPolicy
 
 
@@ -238,3 +239,45 @@ def test_duplicate_sid(self):
         self.assertEqual(len(errs), 1, errs)
         self.assertEqual(errs[0].message, "array items are not unique for keys ['Sid']")
         self.assertListEqual(list(errs[0].path), ["Statement"])
+
+    def test_pattern_sid(self):
+        validator = CfnTemplateValidator()
+
+        policy = {
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "A ",
+                    "Effect": "Allow",
+                    "Action": "*",
+                    "Resource": "*",
+                },
+            ],
+        }
+
+        errs = list(
+            self.rule.validate(
+                validator=validator, policy=policy, schema={}, policy_type=None
+            )
+        )
+        self.assertListEqual(
+            errs,
+            [
+                ValidationError(
+                    message="'A ' does not match '^[A-Za-z0-9]+$'",
+                    validator="pattern",
+                    path=deque(["Statement", 0, "Sid"]),
+                    schema_path=deque(
+                        [
+                            "properties",
+                            "Statement",
+                            "items",
+                            "properties",
+                            "Sid",
+                            "pattern",
+                        ]
+                    ),
+                    rule=IdentityPolicy(),
+                )
+            ],
+        )

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,8 @@`
`43`	`43`	`"$ref": "policy#/definitions/Resource"`
`44`	`44`	`},`
`45`	`45`	`"Sid": {`
`46`		`- "$ref": "policy#/definitions/Statement/properties/Sid"`
	`46`	`+ "$ref": "policy#/definitions/Statement/properties/Sid",`
	`47`	`+ "pattern": "^[A-Za-z0-9]+$"`
`47`	`48`	`}`
`48`	`49`	`}`
`49`	`50`	`}`