cfn-lint
Statement IDs (SID) must be alpha-numeric
cfn-lint version: cfn-lint 0.15.0
When creating an AWS::IAM::ManagedPolicy and using the Sid statement, cfn-lint is not detecting an invalidly-formed Sid statement.
Please provide as much information as possible:
- Template linting issues:
- Please provide a CloudFormation sample that generated the issue.
```yaml
ManagedPolicyCodeSuiteKmsKey:
  Type: AWS::IAM::ManagedPolicy
  Condition: CreateCodePipelineRole
  Properties:
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: Allow use of KMS key in Operations Production Account
          Effect: Allow
          Resource: !Sub 'arn:aws:kms::123123123123:key/*'
          Action:
            - "kms:Encrypt"
            - "kms:Decrypt"
            - "kms:ReEncrypt*"
            - "kms:GenerateDataKey*"
            - "kms:DescribeKey"
```
- If present, please add links to the (official) documentation for clarification. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-notes-strings
sid_string
Provides a way to include information about an individual statement. For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value. Other AWS services that support resource policies may have other requirements for the Sid value. For example, some services require this value to be unique within an AWS account, and some services allow additional characters such as spaces in the Sid value.
- Validate if the issue still exists with the latest version of cfn-lint and/or the latest Spec files: I do not know how to install the latest version, I just ran `pip install`.
- Feature request:
  - My CloudFormation template fails to Create or Update because the Sid uses invalid characters, and cfn-lint does not detect that.
**NOTE:** I have executed `cfn-lint -u` and it downloaded updates, but the problem remains.
Below is the output from CloudFormation:

```
The following resource(s) failed to update: [ManagedPolicyCodeSuiteKmsKey].
| 11:20:11 UTC+1000 | UPDATE_FAILED | AWS::IAM::ManagedPolicy | ManagedPolicyCodeSuiteKmsKey | Statement IDs (SID) must be alpha-numeric. Check that your input satisfies the regular expression [0-9A-Za-z]* (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: a632726a-42d2-11e9-8725-21992a944eb3)
```
Hi @felipe1982,
This is indeed not checked yet, although I'm working on a generic approach to catch these formatting rules (https://github.com/aws-cloudformation/cfn-python-lint/pull/625). We can add this property to that rule once it's merged.
Thanks for the clear issue, this makes it pretty easy to solve 👍
Thank you for an awesome tool to use when developing and also for CI. Your issue template helped me create the issue so thanks.
Ah, a few notes:
- The `AllowedPattern` rule cannot be used since the IAM policy is not specified in the Spec file (it's a json
- It's not as simple as it looks, the documentation says:
For example, some services require this value to be unique within an AWS account, and some services allow additional characters such as spaces in the Sid value.
🤔
Would setting the rule level to experimental / informational help with the ambiguity between services' differing requirements?
It could help if we could only do this generically. Looking at just the extra allowed characters in the SID comment, I'm curious if that is just a service-based policy issue instead of an identity-based policy issue. If we know the types of services/resources that allow additional characters, we may be able to come up with a rule that switches the REGEX based on the type of resource. The question may be whether every service that allows additional characters follows the same standards for what characters they allow.
The best way I've found to do this in the past is to deploy each service and see if they take a space or not. Or we will build the construct of a rule that could be used for additional services/resources but just starts with ManagedPolicy, as we know that one won't work.
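A standalone sketch of the check discussed in this thread, added here as an example and not cfn-lint's own rule code: it walks a parsed template (a constructed dict standing in for the YAML above), applies the `[0-9A-Za-z]*` regex from the CloudFormation error to Sid values in IAM identity-based policies, and deliberately skips other policy-bearing resource types, whose services may allow extra characters. The resource-type sets, the inline-policy path layout and the sample template are assumptions for illustration.

```python
import re
from typing import Any, Dict, List, Tuple

# IAM identity-based policies must satisfy the regex quoted in the CloudFormation
# error above. Resource-based policies (bucket, key, topic policies, ...) are skipped
# because, per the IAM grammar notes, some services allow extra characters.
IAM_SID_RE = re.compile(r"^[0-9A-Za-z]*$")
POLICY_DOCUMENT_TYPES = {"AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"}   # assumption
INLINE_POLICY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}  # assumption

def _check_document(doc: Dict[str, Any], path: list, findings: list) -> None:
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also legal
        statements = [statements]
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid") if isinstance(stmt, dict) else None
        if isinstance(sid, str) and not IAM_SID_RE.match(sid):
            findings.append((path + ["Statement", idx, "Sid"],
                             f"Sid {sid!r} must match [0-9A-Za-z]*"))

def find_invalid_sids(template: Dict[str, Any]) -> List[Tuple[list, str]]:
    """Return (path, message) for every malformed Sid in an IAM identity policy."""
    findings: list = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        base = ["Resources", name, "Properties"]
        if rtype in POLICY_DOCUMENT_TYPES and isinstance(props.get("PolicyDocument"), dict):
            _check_document(props["PolicyDocument"], base + ["PolicyDocument"], findings)
        elif rtype in INLINE_POLICY_TYPES:
            for i, pol in enumerate(props.get("Policies", [])):
                doc = pol.get("PolicyDocument") if isinstance(pol, dict) else None
                if isinstance(doc, dict):
                    _check_document(doc, base + ["Policies", i, "PolicyDocument"], findings)
    return findings

# Constructed sample (already parsed to a dict): the failing ManagedPolicy from the
# issue, a role inline policy with a valid Sid, and a bucket policy that is not checked.
SAMPLE_TEMPLATE = {"Resources": {
    "ManagedPolicyCodeSuiteKmsKey": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Sid": "Allow use of KMS key in Operations Production Account", "Effect": "Allow",
             "Resource": "arn:aws:kms::123123123123:key/*", "Action": ["kms:Encrypt"]}]}}},
    "DeployRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "inline", "PolicyDocument": {"Statement": {
            "Sid": "AllowKmsUse", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}}}]}},
    "LogsBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": "logs",
        "PolicyDocument": {"Statement": [{"Sid": "Allow CloudTrail writes", "Effect": "Allow",
                                          "Action": "s3:PutObject", "Resource": "*"}]}}}}}
```

Running `find_invalid_sids(SAMPLE_TEMPLATE)` reports only the ManagedPolicy Sid, at the same template path the linter would point to.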