Update IAM Resource policy pattern (#4040)

* Update IAM Resource policy
* Add rule E3514 to validate resource policy resource ARNs
* Update W3037 to limit actions for resource policies

Author: kddejong

src/cfnlint/data/schemas/other/iam/policy.json

@@ -16,7 +16,7 @@
    ]
   },
   "AwsArn": {
-   "pattern": "(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)|\\*)$"
+   "pattern": "^(arn:aws[A-Za-z\\-]*?:[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)|\\*)$"
   },
   "AwsPrincipalArn": {
    "anyOf": [

src/cfnlint/data/schemas/other/iam/policy_resource.json

@@ -2,6 +2,21 @@
  "$id": "resource",
  "additionalProperties": false,
  "definitions": {
+  "Resource": {
+   "cfnLint": [
+    "AWS::IAM::Policy/Properties/PolicyDocument/Statement/Resource"
+   ],
+   "items": {
+    "cfnLint": [
+     "AWS::IAM::Policy/Properties/PolicyDocument/Statement/Resource"
+    ],
+    "type": "string"
+   },
+   "type": [
+    "string",
+    "array"
+   ]
+  },
   "Statement": {
    "additionalProperties": false,
    "allOf": [
@@ -52,7 +67,7 @@
      "$ref": "policy#/definitions/Principal"
     },
     "Resource": {
-     "$ref": "policy#/definitions/Resource"
+     "$ref": "#/definitions/Resource"
     },
     "Sid": {
      "$ref": "policy#/definitions/Statement/properties/Sid"

src/cfnlint/rules/resources/iam/Permissions.py

@@ -29,7 +29,12 @@ def __init__(self):
         super().__init__(
             ["AWS::IAM::Policy/Properties/PolicyDocument/Statement/Action"]
         )
-        self.service_map = load_resource(AdditionalSpecs, "Policies.json")
+        self._service_map = load_resource(AdditionalSpecs, "Policies.json")
+        self._resource_action_limitations = {
+            "AWS::S3::BucketPolicy": ["s3"],
+            "AWS::SQS::QueuePolicy": ["sqs"],
+            "AWS::SNS::TopicPolicy": ["sns"],
+        }
 
     def validate(
         self, validator: Validator, _, instance: Any, schema: dict[str, Any]
@@ -59,8 +64,27 @@ def validate(
             service = service.lower()
             permission = permission.lower()
 
-            if service in self.service_map:
-                enums = list(self.service_map[service].get("Actions", []).keys())
+            if len(validator.context.path.cfn_path) >= 2:
+                if (
+                    validator.context.path.cfn_path[1]
+                    in self._resource_action_limitations
+                ):
+                    if (
+                        service
+                        not in self._resource_action_limitations[
+                            validator.context.path.cfn_path[1]
+                        ]
+                    ):
+                        yield ValidationError(
+                            (
+                                f"{service!r} is not one of "
+                                f"{self._resource_action_limitations[validator.context.path.cfn_path[1]]!r}"
+                            ),
+                            rule=self,
+                        )
+
+            if service in self._service_map:
+                enums = list(self._service_map[service].get("Actions", []).keys())
                 if permission == "*":
                     pass
 
@@ -80,6 +104,6 @@ def validate(
                     )
             else:
                 yield ValidationError(
-                    f"{service!r} is not one of {list(self.service_map.keys())!r}",
+                    f"{service!r} is not one of {list(self._service_map.keys())!r}",
                     rule=self,
                 )

src/cfnlint/rules/resources/iam/ResourcePolicyResourceArn.py

@@ -0,0 +1,53 @@
+"""
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+import regex as re
+
+from cfnlint.jsonschema import ValidationError, ValidationResult, Validator
+from cfnlint.rules.jsonschema.CfnLintKeyword import CfnLintKeyword
+
+
+class ResourcePolicyResourceArn(CfnLintKeyword):
+
+    id = "E3514"
+    shortdesc = "Validate IAM resource policy resource ARNs"
+    description = "Validates an IAM resource policy has a compliant resource ARN"
+    source_url = (
+        "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html"
+    )
+    tags = ["parameters", "iam"]
+
+    def __init__(self) -> None:
+        super().__init__(
+            [
+                "AWS::IAM::Policy/Properties/PolicyDocument/Statement/Resource",
+            ]
+        )
+
+    # pylint: disable=unused-argument
+    def validate(
+        self, validator: Validator, aZ: Any, arn: Any, schema: dict[str, Any]
+    ) -> ValidationResult:
+        if not validator.is_type(arn, "string"):
+            return
+
+        if not len(validator.context.path.cfn_path) >= 2:
+            return
+
+        patrn: str = (
+            "^(arn:aws[A-Za-z\\-]*?:[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)|\\*)$"
+        )
+        if validator.context.path.cfn_path[1] == "AWS::S3::BucketPolicy":
+            patrn = "^arn:aws[A-Za-z\\-]*?:[^:]+:[^:]*(:(?:\\d{12}|\\*|aws)?:.+|)$"
+
+        if not re.match(patrn, arn):
+            yield ValidationError(
+                f"{arn!r} does not match {patrn!r}",
+                rule=self,
+            )

test/fixtures/results/quickstart/nist_application.json

@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "e7287f1c-73b2-cb51-ec2b-8ab42c30ca27",
+        "Id": "c855ed21-761f-b3a3-1fac-92578c95872d",
         "Level": "Warning",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:aws[A-Za-z\\\\-]*?:[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "Resolve the Ref and then validate the values against the schema",

test/fixtures/results/quickstart/non_strict/nist_application.json

@@ -89,7 +89,7 @@
     },
     {
         "Filename": "test/fixtures/templates/quickstart/nist_application.yaml",
-        "Id": "e7287f1c-73b2-cb51-ec2b-8ab42c30ca27",
+        "Id": "c855ed21-761f-b3a3-1fac-92578c95872d",
         "Level": "Warning",
         "Location": {
             "End": {
@@ -106,7 +106,7 @@
                 "LineNumber": 198
             }
         },
-        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '(^arn:(aws|aws-cn|aws-us-gov):[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
+        "Message": "{'Ref': 'pSecurityAlarmTopic'} does not match '^(arn:aws[A-Za-z\\\\-]*?:[^:]+:[^:]*(:(?:\\\\d{12}|\\\\*|aws)?:.+|)|\\\\*)$' when 'Ref' is resolved",
         "ParentId": null,
         "Rule": {
             "Description": "Resolve the Ref and then validate the values against the schema",