From 6679e86fcb491f2aae7045111a0729c3ba993bd6 Mon Sep 17 00:00:00 2001
From: Sander Knape
Date: Wed, 3 Jul 2019 10:27:14 +0200
Subject: [PATCH] feat(iam): can configure 'deny' for policy statements (#3165)
---
 packages/@aws-cdk/aws-iam/lib/policy-statement.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
index e10771a676b38..4f29df14dc6ab 100644
--- a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
@@ -19,7 +19,7 @@ export class PolicyStatement {
 private condition: { [key: string]: any } = { };
 constructor(props: PolicyStatementProps = {}) {
- this.effect = Effect.ALLOW;
+ this.effect = props.effect || Effect.ALLOW;
 this.addActions(...props.actions || []);
 this.addPrincipals(...props.principals || []);
@@ -249,6 +249,13 @@ export interface PolicyStatementProps {
 * @default - no condition
 */
 readonly conditions?: {[key: string]: any};
+
+ /**
+ * Whether to allow or deny the actions in this statement
+ *
+ * @default - allow
+ */
+ readonly effect?: Effect;
 }
 function noUndef(x: any): any {
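Review bot: Nothing in this commit tests the new `props.effect` path in the constructor; the diffstat lists only policy-statement.ts. A statement that silently fell back to `Effect.ALLOW` would grant access where a deny was intended, so I would add a unit test that builds `new PolicyStatement({ effect: Effect.DENY })` and asserts the rendered statement carries the deny effect, plus one for the default when `effect` is omitted. The `||` fallback is safe only if every `Effect` member is a non-empty string, which the hunk does not show. The constructor body continues outside the hunk.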
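Review bot: The doc comment on `effect` should name the enum default and say what a deny means for policy evaluation, since that is what makes the property security-relevant. I would write `@default Effect.ALLOW` in place of `@default - allow` and add a line such as `An explicit deny takes precedence over any allow that matches the same request.` PolicyStatementProps starts outside the hunk.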