include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

The wildcard `"*"` is specified as the resource for this `PolicyStatement`. This grants the update permission for all policies of the account:

[source,javascript]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [ 
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:CreatePolicyVersion"], 
            resources: ["*"] // Sensitive
        })
    ]
})
----

== Compliant Solution

Restrict the update permission to the appropriate subset of policies:

[source,javascript]
----
import { aws_iam as iam } from 'aws-cdk-lib'

new iam.PolicyDocument({
    statements: [ 
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["iam:CreatePolicyVersion"], 
            resources: ["arn:aws:iam:::policy/team1/*"]
        })
    ]
})
----

include::../exceptions.adoc[]

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]