From 73b08dc424db2fb60399c5343c314e02e849d4a1 Mon Sep 17 00:00:00 2001
From: Edward Foyle
Date: Tue, 9 Jan 2024 15:11:49 -0800
Subject: [PATCH] fix: set policy effect deny when removing auth (#13523)
---
 .../resources/update-idp-roles-cfn.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json b/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
index a17c761bc52..ebe7d192dbf 100644
--- a/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
+++ b/packages/amplify-provider-awscloudformation/resources/update-idp-roles-cfn.json
@@ -47,6 +47,8 @@
 " try {",
 " delete authParamsJson.Statement[0].Condition;",
 " delete unauthParamsJson.Statement[0].Condition;",
+ " authParamsJson.Statement[0].Effect = 'Deny'",
+ " unauthParamsJson.Statement[0].Effect = 'Deny'",
 " let authParams = {PolicyDocument: JSON.stringify(authParamsJson), RoleName: authRoleName};",
 " let unauthParams = {PolicyDocument: JSON.stringify(unauthParamsJson), RoleName: unauthRoleName};",
 " const iam = new IAMClient({region: event.ResourceProperties.region});",
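Review bot: Nothing at the two added lines records why the effect is set to `'Deny'`, although they are what stops the `delete ...Condition` lines just above from leaving a statement with no condition and whatever effect it was built with (presumably Allow) on the auth and unauth roles. I would add a comment line ahead of them, e.g. `"  // Condition is removed above; set Deny so the statement cannot be left as an unconditional allow",`, so a later cleanup does not drop them. Both assignments also lack the trailing `;` that every neighbouring statement has and so rely on automatic semicolon insertion; `authParamsJson.Statement[0].Effect = 'Deny';` and the unauth equivalent would match the rest of the handler. Only `Statement[0]` is changed, which is sufficient only if each document holds a single statement; the documents are built outside this hunk, so that is worth confirming. The `try` block continues past the end of the hunk.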