ci(security-guardian): fix guardhooks-no-root-principals guard rule

[kumvprat]

Issue # (if applicable)

Fixes false positive failures in Security Guardian for PR #36600

Reason for this change

The guardhooks-no-root-principals-except-kms-secrets.guard rule was incorrectly failing on CloudFormation templates containing unresolved intrinsic functions (like Fn::Join, Fn::Sub) in IAM policy principals. This caused false positive security violations on legitimate CDK-generated templates.

Error encountered:

Error = [PathAwareValues are not comparable map, Regex]
Value = {"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::234567890123:role/..."]]}
ComparedWith = "/(?i):root$/"

Description of changes

Root Cause: The rule had an inconsistency where:

• AssumeRolePolicyDocument section properly checked if array items were strings before validation
• PolicyDocument, Policy, and ResourcePolicy sections were missing this type check

This caused cfn-guard to attempt regex comparison on intrinsic function objects, resulting in comparison errors.

Fix Applied:
Changed the validation pattern from:

when Principal.AWS is_list {
    Principal.AWS[*] != /(?i):root$/  # Fails on objects
}

To:

when Principal.AWS is_list {
    Principal.AWS[*] {
        when this is_string {
            this != /(?i):root$/  # Only validates strings
        }
    }
}

This pattern:

1. Iterates through each array item individually
2. Only validates items that are strings
3. Skips intrinsic function objects (avoiding false positives on static templates)
4. Still catches real :root principals in resolved templates

Files Changed:

• tools/@aws-cdk/security-guardian/rules/guard-hooks/guardhooks-no-root-principals-except-kms-secrets.guard

Alternatives Considered:

• Adding when Principal.AWS[*] is_string guard: This checks if ALL items are strings, which fails when even one intrinsic function is present
• Disabling the rule for static templates: Would miss real violations in templates without intrinsics
• The chosen solution properly handles mixed arrays and maintains security validation

Describe any new or updated permissions being added

No IAM permissions changes.

Description of how you validated changes

Unit tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at d72a2dd

This pull request spent 1 hour 3 minutes 56 seconds in the queue, including 29 minutes 4 seconds running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • ci(security-guardian): fix guardhooks-no-root-principals guard rule #36690
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • ci(security-guardian): fix guardhooks-no-root-principals guard rule #36690
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.