Update IAM resource ARN patterns (#3389)

* Update IAM resource policy pattern
aws-cloudformation · Jun 24, 2024 · 3d9be79 · 3d9be79
1 parent 9bd2a20
commit 3d9be79
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 5 deletions.
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -16,7 +16,7 @@
    ]
   },
   "AwsArn": {
-   "pattern": "^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\d{12}|\\*|aws)?:.+|\\*)$",
+   "pattern": "(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)|\\*)$",
    "type": "string"
   },
   "AwsPrincipalArn": {

diff --git a/test/fixtures/results/quickstart/nist_application.json b/test/fixtures/results/quickstart/nist_application.json
@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "ec06918e-fb60-f3d0-e930-a45d55f4f680",
+        "Id": "81670f17-4f0b-a2b6-f94e-4385058cb73d",
         "Level": "Error",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\\\d{12}|\\\\*|aws)?:.+|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies.",

diff --git a/test/fixtures/results/quickstart/non_strict/nist_application.json b/test/fixtures/results/quickstart/non_strict/nist_application.json
@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "ec06918e-fb60-f3d0-e930-a45d55f4f680",
+        "Id": "81670f17-4f0b-a2b6-f94e-4385058cb73d",
         "Level": "Error",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*:(?:\\\\d{12}|\\\\*|aws)?:.+|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "IAM identity polices are embedded JSON in CloudFormation. This rule validates those embedded policies.",

diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -102,6 +102,7 @@ def test_object_statements(self):
                                 "arn:${AWS::Partition}:iam::123456789012:role/object-role"
                             ]
                         },
+                        "arn:aws:medialive:*",
                     ],
                 }
             ],
-Original file line number
+Diff line change
@@ Expand Up / @@ -102,6 +102,7 @@ def test_object_statements(self): @@
                                     "arn:${AWS::Partition}:iam::123456789012:role/object-role"
                                 ]
                             },
+                            "arn:aws:medialive:*",
                         ],
                     }
                 ],
@@ Expand Down @@