Add additionalProps false to IAM conditions (#3767)

aws-cloudformation · Oct 18, 2024 · 8e463fb · 8e463fb
1 parent 7e514f4
commit 8e463fb
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/src/cfnlint/data/schemas/other/iam/policy.json b/src/cfnlint/data/schemas/other/iam/policy.json
@@ -68,6 +68,7 @@
    ]
   },
   "Condition": {
+   "additionalProperties": false,
    "patternProperties": {
     "ForAllValues:^(Not)?IpAddress$": {
      "$ref": "#/definitions/ConditionSetValue"

diff --git a/test/unit/rules/resources/iam/test_identity_policy.py b/test/unit/rules/resources/iam/test_identity_policy.py
@@ -162,3 +162,35 @@ def test_string_statements(self):
             errs[1].message, "'2012-10-18' is not one of ['2008-10-17', '2012-10-17']"
         )
         self.assertListEqual(list(errs[1].path), ["Version"])
+
+    def test_string_statements_with_condition(self):
+        validator = CfnTemplateValidator()
+
+        policy = """
+            {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": "*",
+                        "Resource": "*",
+                        "Condition": {
+                            "iam:PassedToService": "cloudformation.amazonaws.com"
+                        }
+                    }
+                ]
+            }
+        """
+
+        errs = list(
+            self.rule.validate(
+                validator=validator, policy=policy, schema={}, policy_type=None
+            )
+        )
+        self.assertEqual(len(errs), 1, errs)
+        self.assertTrue(
+            errs[0].message.startswith("'iam:PassedToService' does not match")
+        )
+        self.assertListEqual(
+            list(errs[0].path), ["Statement", 0, "Condition", "iam:PassedToService"]
+        )