How do I append additional iam/resource policy statements?

Hello, I’m working on extending the KmsKey class for internal usage by adding sane defaults. One of the things I want to accomplish is to append a deny statement to deny cross-account KMS actions. I know of the addOverride method but I don’t want to override what my developers define, just append. If it matters, I’m trying to accomplish this in TypeScript. I’m essentially looking for the AWS CDK equivalent of the “addToResourcePolicy” method.

There are a few options depending on how you have things set up (there isn’t a direct equivalent of addToResourcePolicy).

If they’ve already set the policy property, you can use policyInput to get the raw JSON string provided. If you are extending the constructor you can get the same string before it is even passed to the resource. In either case you can inspect and manipulate the JSON to add the policy statement if missing.

If an IamPolicyDocument is being used, you can similarly check the statements being provided to it.

Aspects can also be used to inspect and update the result without directly extending the class.
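
The "inspect and manipulate the JSON" option from the answer above, as an added example that is not part of the original thread or of the provider's code. The function names, the `DenyCrossAccountKms` Sid and the shape of the deny statement (including the exemption for AWS service principals) are assumptions, and the sample policy is constructed.

```typescript
// Added example: helper names and DENY_SID are hypothetical, not CDKTF API.
type Statement = { Sid?: string; Effect: string; [key: string]: unknown };
type PolicyDoc = { Version?: string; Statement?: Statement | Statement[]; [key: string]: unknown };

const DENY_SID = "DenyCrossAccountKms"; // assumed Sid, used to find our statement again

// Deny all KMS actions to principals outside accountId. The
// aws:PrincipalIsAWSService condition keeps the deny from applying to
// calls made directly by AWS service principals (assumed to be wanted).
function denyCrossAccount(accountId: string): Statement {
  return {
    Sid: DENY_SID,
    Effect: "Deny",
    Principal: "*",
    Action: "kms:*",
    Resource: "*",
    Condition: {
      StringNotEquals: { "aws:PrincipalAccount": accountId },
      BoolIfExists: { "aws:PrincipalIsAWSService": "false" },
    },
  };
}

// Returns the developer's policy with the deny statement appended.
// Every other statement is kept as written; only a statement that
// reuses DENY_SID is replaced, so repeated calls do not duplicate it.
function withCrossAccountDeny(policyJson: string, accountId: string): string {
  if (!/^\d{12}$/.test(accountId)) throw new Error("accountId must be a 12-digit AWS account id");
  let doc: PolicyDoc;
  try {
    doc = JSON.parse(policyJson);
  } catch {
    // An unresolved token is not JSON and cannot be inspected at synth time.
    throw new Error("policy is not plain JSON (unresolved token?)");
  }
  if (typeof doc !== "object" || doc === null || Array.isArray(doc)) {
    throw new Error("policy JSON must be an object");
  }
  // IAM allows Statement to be a single object or an array.
  const existing = doc.Statement === undefined ? [] : Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const kept = existing.filter((s) => s.Sid !== DENY_SID);
  return JSON.stringify({ ...doc, Statement: [...kept, denyCrossAccount(accountId)] });
}

// Constructed sample: a key policy a developer might pass as `policy`.
const samplePolicy = JSON.stringify({
  Version: "2012-10-17",
  Statement: { Sid: "AllowRoot", Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "kms:*", Resource: "*" },
});
```

In a class that extends KmsKey, the returned string would be what the constructor hands to `super` as `policy`. A policy that fails to parse is the case where inspecting the IamPolicyDocument statements or using an Aspect applies instead.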