fix(iam): throw error when statement id is invalid (#34819)

Resolves #34819 by throwing error when PolicyStatement Statement id
contains characters not allowed by the API.

See docs in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html

Author: camerondurham

packages/@aws-cdk-testing/framework-integ/test/aws-iam/test/integ.policy-statement-sid.ts

@@ -0,0 +1,71 @@
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import * as integ from '@aws-cdk/integ-tests-alpha';
+
+/**
+ * Integration test to verify that PolicyStatements with valid alphanumeric SIDs
+ * can be successfully deployed to AWS.
+ * 
+ * This test validates that the SID validation logic doesn't interfere with
+ * actual CloudFormation deployment of valid PolicyStatements.
+ */
+
+const app = new cdk.App();
+const stack = new cdk.Stack(app, 'PolicyStatementSidTest');
+
+const role = new iam.Role(stack, 'TestRole', {
+  assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
+  inlinePolicies: {
+    TestPolicy: new iam.PolicyDocument({
+      statements: [
+        new iam.PolicyStatement({
+          sid: 'ValidSid123',
+          effect: iam.Effect.ALLOW,
+          actions: ['s3:GetObject'],
+          resources: ['arn:aws:s3:::example-bucket/*'],
+        }),
+        new iam.PolicyStatement({
+          sid: 'ALLCAPS',
+          effect: iam.Effect.ALLOW,
+          actions: ['s3:ListBucket'],
+          resources: ['arn:aws:s3:::example-bucket'],
+        }),
+        new iam.PolicyStatement({
+          sid: '123456',
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:CreateLogGroup'],
+          resources: ['*'],
+        }),
+        new iam.PolicyStatement({
+          sid: 'abc123DEF',
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:CreateLogStream'],
+          resources: ['*'],
+        }),
+        // Test statement without SID (should still work)
+        new iam.PolicyStatement({
+          effect: iam.Effect.ALLOW,
+          actions: ['logs:PutLogEvents'],
+          resources: ['*'],
+        }),
+      ],
+    }),
+  },
+});
+
+const managedPolicy = new iam.ManagedPolicy(stack, 'TestManagedPolicy', {
+  statements: [
+    new iam.PolicyStatement({
+      sid: 'ManagedPolicySid1',
+      effect: iam.Effect.ALLOW,
+      actions: ['dynamodb:GetItem'],
+      resources: ['*'],
+    }),
+  ],
+});
+
+role.addManagedPolicy(managedPolicy);
+
+new integ.IntegTest(app, 'PolicyStatementSidIntegTest', {
+  testCases: [stack],
+});

packages/aws-cdk-lib/aws-iam/lib/policy-statement.ts

@@ -92,6 +92,7 @@ export class PolicyStatement {
 
   constructor(props: PolicyStatementProps = {}) {
     this._sid = props.sid;
+    this.validateStatementId(this._sid);
     this._effect = props.effect || Effect.ALLOW;
 
     this.addActions(...props.actions || []);
@@ -117,6 +118,7 @@ export class PolicyStatement {
    */
   public set sid(sid: string | undefined) {
     this.assertNotFrozen('sid');
+    this.validateStatementId(sid);
     this._sid = sid;
   }
 
@@ -232,6 +234,12 @@ export class PolicyStatement {
     }
   }
 
+  private validateStatementId(sid?: string) {
+    if (sid !== undefined && !cdk.Token.isUnresolved(sid) && !/^[0-9A-Za-z]*$/.test(sid)) {
+      throw new UnscopedValidationError(`Statement ID (sid) must be alphanumeric. Got '${sid}'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).`);
+    }
+  }
+
   private validatePolicyActions(actions: string[]) {
     // In case of an unresolved list of actions return early
     if (cdk.Token.isUnresolved(actions)) return;

packages/aws-cdk-lib/aws-iam/test/policy-statement.test.ts

@@ -260,4 +260,28 @@ describe('IAM policy statement', () => {
       expect(mod).toThrow(/can no longer be modified/);
     }
   });
+
+  test('accepts valid alphanumeric sid', () => {
+    const validSids = ['ValidSid123', 'ALLCAPS', '123456', 'abc123DEF'];
+
+    for (const sid of validSids) {
+      expect(() => new PolicyStatement({ sid })).not.toThrow();
+    }
+  });
+
+  test('throws error when sid contains non-alphanumeric characters', () => {
+    const invalidSids = ['invalid-sid', 'with space', 'with_underscore', 'with.dot', 'with!special@chars'];
+
+    for (const sid of invalidSids) {
+      expect(() => new PolicyStatement({ sid }))
+        .toThrow(`Statement ID (sid) must be alphanumeric. Got '${sid}'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).`);
+    }
+  });
+
+  test('throws error when setting sid to non-alphanumeric value', () => {
+    const statement = new PolicyStatement();
+
+    expect(() => statement.sid = 'invalid-sid')
+      .toThrow('Statement ID (sid) must be alphanumeric. Got \'invalid-sid\'. The Sid element supports ASCII uppercase letters (A-Z), lowercase letters (a-z), and numbers (0-9).');
+  });
 });