include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

The wildcard `"*"` is specified as the resource for this `PolicyStatement`. This grants the update permission for all policies of the account:

[source,python]
----
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement

PolicyDocument(
    statements=[
        PolicyStatement(
            effect=Effect.ALLOW,
            actions="iam:CreatePolicyVersion",
            resources=["*"] # Sensitive
        )
    ]
)
----

== Compliant Solution

Restrict the update permission to the appropriate subset of policies:

[source,python]
----
from aws_cdk import Aws
from aws_cdk.aws_iam import Effect, PolicyDocument, PolicyStatement

PolicyDocument(
    statements=[
        PolicyStatement(
            effect=Effect.ALLOW,
            actions="iam:CreatePolicyVersion",
            resources=[f"arn:aws:iam::{Aws.ACCOUNT_ID}:policy/team1/*"]
        )
    ]
)
----

include::../exceptions.adoc[]

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]