cloudsplaining 0.8.1__tar.gz → 0.9.0__tar.gz

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/PKG-INFO

@@ -1,29 +1,37 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: cloudsplaining
-Version: 0.8.1
-Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
-Home-page: https://github.com/salesforce/cloudsplaining
+Version: 0.9.0
+Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report
+Keywords: aws,iam,roles,policy,policies,privileges,security
 Author: Kinnaird McQuade
-Author-email: kinnairdm@gmail.com
-License: UNKNOWN
-Project-URL: Documentation, https://policy-sentry.readthedocs.io/
-Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
-Project-URL: Code, https://github.com/salesforce/cloudsplaining/
-Project-URL: Twitter, https://twitter.com/kmcquade3
-Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
-Keywords: aws iam roles policy policies privileges security
-Platform: UNKNOWN
+Author-email: Kinnaird McQuade <kinnairdm@gmail.com>
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.9
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Typing :: Typed
+Requires-Dist: boto3>=1.41.0,<2.0.0
+Requires-Dist: botocore>=1.41.0,<2.0.0
+Requires-Dist: click>=8.1.0,<9.0.0
+Requires-Dist: click-option-group>=0.5.9,<0.6.0
+Requires-Dist: jinja2>=3.1.0,<4.0.0
+Requires-Dist: policy-sentry>=0.15.0,<0.16.0
+Requires-Dist: pyyaml>=6.0.0,<7.0.0
+Requires-Dist: schema>=0.7.0,<0.8.0
+Requires-Python: >=3.10
+Project-URL: Homepage, https://github.com/salesforce/cloudsplaining
+Project-URL: Repository, https://github.com/salesforce/cloudsplaining
+Project-URL: Code, https://github.com/salesforce/cloudsplaining
+Project-URL: Documentation, https://cloudsplaining.readthedocs.io/
+Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
+Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
+Project-URL: Twitter, https://twitter.com/kmcquade3
 Description-Content-Type: text/markdown
-License-File: LICENSE
 
 ## NOTE: This repo/project has been restored by Salesforce.
 
@@ -359,6 +367,47 @@ cloudsplaining scan-multi-account \
 
 > Note that if you run the above without the `--profile` flag, it will execute in the standard [AWS Credentials order of precedence](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) (i.e., Environment variables, credentials profiles, ECS container credentials, then finally EC2 Instance Profile credentials). 
 
+## Custom Guidance and Appendices
+
+Cloudsplaining supports customizing the Guidance and Appendices sections of the HTML report to include organization-specific security recommendations and documentation.
+
+### How It Works
+
+Place HTML files in your project root directory:
+
+- `custom-guidance.html` - Custom security guidance content
+- `custom-appendices.html` - Custom appendices content
+
+### Behavior
+
+- **Files don't exist**: Shows default AWS security advice
+- **Files exist with content**: Shows your custom HTML content
+- **Files exist but are empty**: Hides the tabs entirely
+- **Mixed configuration**: Each tab works independently
+
+### Example Usage
+
+```bash
+# Create custom guidance
+echo '<h1>Company Security Guidelines</h1>
+<p>Follow these organization-specific steps:</p>
+<ul>
+  <li>Review with security team</li>
+  <li>Document in JIRA ticket</li>
+  <li>Get approval before remediation</li>
+</ul>' > custom-guidance.html
+
+# Create custom appendices  
+echo '<h1>Internal Resources</h1>
+<p>Additional company resources:</p>
+<ul>
+  <li><a href="https://internal.company.com/security">Security Portal</a></li>
+  <li><a href="https://wiki.company.com/iam">IAM Best Practices</a></li>
+</ul>' > custom-appendices.html
+```
+
+# Generate report with custom content
+cloudsplaining scan --input-file account-data.json --output reports/
 
 ## Cheatsheet
 
@@ -412,5 +461,3 @@ Try upgrading to the latest version of Cloudsplaining. This error was fixed in v
 * [AWS Privilege Escalation Methods](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation) by [Spencer Gietzen](https://twitter.com/SpenGietz) at Rhino Security Labs
 * [Understanding Access Level Summaries within Policy Summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)
 * [Leveraging next-generation blockchain-based AI across multiple service meshes to transparently automate multi-cloud IAM wizardry :mage_man:](http://kmcquade.com/rick.html)
-
-

cloudsplaining-0.8.1/cloudsplaining.egg-info/PKG-INFO → cloudsplaining-0.9.0/README.md

@@ -1,30 +1,3 @@
-Metadata-Version: 2.1
-Name: cloudsplaining
-Version: 0.8.1
-Summary: AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
-Home-page: https://github.com/salesforce/cloudsplaining
-Author: Kinnaird McQuade
-Author-email: kinnairdm@gmail.com
-License: UNKNOWN
-Project-URL: Documentation, https://policy-sentry.readthedocs.io/
-Project-URL: Example Report, https://opensource.salesforce.com/cloudsplaining
-Project-URL: Code, https://github.com/salesforce/cloudsplaining/
-Project-URL: Twitter, https://twitter.com/kmcquade3
-Project-URL: Red Team Report, https://opensource.salesforce.com/policy_sentry
-Keywords: aws iam roles policy policies privileges security
-Platform: UNKNOWN
-Classifier: Programming Language :: Python :: 3 :: Only
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Programming Language :: Python :: 3.13
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Requires-Python: >=3.9
-Description-Content-Type: text/markdown
-License-File: LICENSE
-
 ## NOTE: This repo/project has been restored by Salesforce.
 
 Cloudsplaining
@@ -359,6 +332,47 @@ cloudsplaining scan-multi-account \
 
 > Note that if you run the above without the `--profile` flag, it will execute in the standard [AWS Credentials order of precedence](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html#credentials-default) (i.e., Environment variables, credentials profiles, ECS container credentials, then finally EC2 Instance Profile credentials). 
 
+## Custom Guidance and Appendices
+
+Cloudsplaining supports customizing the Guidance and Appendices sections of the HTML report to include organization-specific security recommendations and documentation.
+
+### How It Works
+
+Place HTML files in your project root directory:
+
+- `custom-guidance.html` - Custom security guidance content
+- `custom-appendices.html` - Custom appendices content
+
+### Behavior
+
+- **Files don't exist**: Shows default AWS security advice
+- **Files exist with content**: Shows your custom HTML content
+- **Files exist but are empty**: Hides the tabs entirely
+- **Mixed configuration**: Each tab works independently
+
+### Example Usage
+
+```bash
+# Create custom guidance
+echo '<h1>Company Security Guidelines</h1>
+<p>Follow these organization-specific steps:</p>
+<ul>
+  <li>Review with security team</li>
+  <li>Document in JIRA ticket</li>
+  <li>Get approval before remediation</li>
+</ul>' > custom-guidance.html
+
+# Create custom appendices  
+echo '<h1>Internal Resources</h1>
+<p>Additional company resources:</p>
+<ul>
+  <li><a href="https://internal.company.com/security">Security Portal</a></li>
+  <li><a href="https://wiki.company.com/iam">IAM Best Practices</a></li>
+</ul>' > custom-appendices.html
+```
+
+# Generate report with custom content
+cloudsplaining scan --input-file account-data.json --output reports/
 
 ## Cheatsheet
 
@@ -412,5 +426,3 @@ Try upgrading to the latest version of Cloudsplaining. This error was fixed in v
 * [AWS Privilege Escalation Methods](https://github.com/RhinoSecurityLabs/AWS-IAM-Privilege-Escalation) by [Spencer Gietzen](https://twitter.com/SpenGietz) at Rhino Security Labs
 * [Understanding Access Level Summaries within Policy Summaries](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_understand-policy-summary-access-level-summaries.html)
 * [Leveraging next-generation blockchain-based AI across multiple service meshes to transparently automate multi-cloud IAM wizardry :mage_man:](http://kmcquade.com/rick.html)
-
-

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/__init__.py

@@ -1,4 +1,4 @@
-# pylint: disable=missing-module-docstring
+# ruff: noqa: RUF067
 from __future__ import annotations
 
 import logging

cloudsplaining-0.9.0/cloudsplaining/bin/version.py

@@ -0,0 +1,7 @@
+import importlib.metadata
+
+try:
+    __version__ = importlib.metadata.version("cloudsplaining")
+except Exception:
+    # needed for local dev
+    __version__ = "0.0.0"

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/create_exclusions_file.py

@@ -9,7 +9,7 @@ This way, users don't have to remember exactly how to phrase the yaml files, sin
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -21,14 +21,14 @@ logger = logging.getLogger(__name__)
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used as a custom exclusions template",
 )
 @click.option(
     "-o",
     "--output-file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "exclusions.yml"),
+    default=str(Path.cwd() / "exclusions.yml"),
     required=True,
     help="Relative path to output file where we want to store the exclusions template.",
 )
@@ -40,7 +40,7 @@ def create_exclusions_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with Path(output_file).open("a", encoding="utf-8") as file_obj:
         file_obj.write(EXCLUSIONS_TEMPLATE)
 
     utils.print_green(f"Success! Exclusions template file written to: {output_file}")

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/create_multi_account_config_file.py

@@ -9,7 +9,7 @@ This way, users don't have to remember exactly how to phrase the yaml files, sin
 # For full license text, see the LICENSE file in the repo root
 # or https://opensource.org/licenses/BSD-3-Clause
 import logging
-import os
+from pathlib import Path
 
 import click
 
@@ -23,7 +23,7 @@ END = "\033[0m"
 
 
 @click.command(
-    context_settings=dict(max_content_width=160),
+    context_settings={"max_content_width": 160},
     short_help="Creates a YML file to be used for multi-account scanning",
 )
 @click.option(
@@ -31,7 +31,7 @@ END = "\033[0m"
     "--output-file",
     "output_file",
     type=click.Path(exists=False),
-    default=os.path.join(os.getcwd(), "multi-account-config.yml"),
+    default=str(Path.cwd() / "multi-account-config.yml"),
     required=True,
     help="Relative path to output file where we want to store the multi account config template.",
 )
@@ -42,17 +42,16 @@ def create_multi_account_config_file(output_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    if os.path.exists(output_file):
-        logger.debug("%s exists. Removing the file and replacing its contents.", output_file)
-        os.remove(output_file)
+    output_file_path = Path(output_file)
+    if output_file_path.exists():
+        logger.debug("%s exists. Removing the file and replacing its contents.", output_file_path)
+        output_file_path.unlink()
 
-    with open(output_file, "a", encoding="utf-8") as file_obj:
+    with output_file_path.open("a", encoding="utf-8") as file_obj:
         file_obj.write(MULTI_ACCOUNT_CONFIG_TEMPLATE)
 
-    utils.print_green(f"Success! Multi-account config file written to: {os.path.relpath(output_file)}")
+    utils.print_green(f"Success! Multi-account config file written to: {output_file_path}")
     print(
-        f"\nMake sure you edit the {os.path.relpath(output_file)} file and then run the scan-multi-account command, as shown below."
-    )
-    print(
-        f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {os.path.relpath(output_file)} -o ./"
+        f"\nMake sure you edit the {output_file_path} file and then run the scan-multi-account command, as shown below."
     )
+    print(f"\n\tcloudsplaining scan-multi-account --exclusions-file exclusions.yml -c {output_file_path} -o ./")

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/download.py

@@ -11,6 +11,7 @@ from __future__ import annotations
 import json
 import logging
 import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
 import boto3
@@ -20,7 +21,7 @@ from botocore.config import Config
 from cloudsplaining import set_log_level
 
 if TYPE_CHECKING:
-    from mypy_boto3_iam import IAMClient
+    from types_boto3_iam import IAMClient
 
 logger = logging.getLogger(__name__)
 
@@ -41,7 +42,7 @@ logger = logging.getLogger(__name__)
     "-o",
     "--output",
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Path to store the output. Defaults to current directory.",
 )
 @click.option(
@@ -61,14 +62,15 @@ def download(profile: str, output: str, include_non_default_policy_versions: boo
     default_region = "us-east-1"
     session_data = {"region_name": default_region}
 
+    output_path = Path(output)
     if profile:
         session_data["profile_name"] = profile
-        output_filename = os.path.join(output, f"{profile}.json")
+        output_filename = output_path / f"{profile}.json"
     else:
-        output_filename = os.path.join(output, "default.json")
+        output_filename = output_path / "default.json"
 
     results = get_account_authorization_details(session_data, include_non_default_policy_versions)
-    with open(output_filename, "w", encoding="utf-8") as f:
+    with output_filename.open("w", encoding="utf-8") as f:
         json.dump(results, f, indent=4, default=str)
     # output_filename.write_text(json.dumps(results, indent=4, default=str))
     print(f"Saved results to {output_filename}")
@@ -79,7 +81,7 @@ def get_account_authorization_details(
     session_data: dict[str, str], include_non_default_policy_versions: bool
 ) -> dict[str, list[Any]]:
     """Runs aws-iam-get-account-authorization-details"""
-    session = boto3.Session(**session_data)  # type:ignore[arg-type]
+    session = boto3.Session(**session_data)  # ty: ignore[invalid-argument-type]
     config = Config(connect_timeout=5, retries={"max_attempts": 10})
     iam_client: IAMClient = session.client("iam", config=config)
 

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/expand_policy.py

@@ -9,6 +9,7 @@ Expands the wildcards (*) on an IAM policy file so it is easier for a human to u
 # or https://opensource.org/licenses/BSD-3-Clause
 import json
 import logging
+from pathlib import Path
 
 import click
 from policy_sentry.analysis.expand import get_expanded_policy
@@ -33,7 +34,7 @@ def expand_policy(input_file: str, verbosity: int) -> None:
     """
     set_log_level(verbosity)
 
-    with open(input_file, encoding="utf-8") as json_file:
+    with Path(input_file).open(encoding="utf-8") as json_file:
         logger.debug(f"Opening {input_file}")
         data = json.load(json_file)
         policy = get_expanded_policy(data)

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/scan.py

@@ -47,14 +47,14 @@ from cloudsplaining.shared.validation import check_authorization_details_schema
     help="A yaml file containing a list of policy names to exclude from the scan.",
     type=click.Path(exists=True),
     required=False,
-    default=EXCLUSIONS_FILE,
+    default=str(EXCLUSIONS_FILE),
 )
 @click.option(
     "-o",
     "--output",
     required=False,
     type=click.Path(exists=True),
-    default=os.getcwd(),
+    default=os.getcwd(),  # noqa: PTH109
     help="Output directory.",
 )
 @click.option(
@@ -123,7 +123,7 @@ def scan(
 
     if exclusions_file:
         # Get the exclusions configuration
-        with open(exclusions_file, encoding="utf-8") as yaml_file:
+        with Path(exclusions_file).open(encoding="utf-8") as yaml_file:
             try:
                 exclusions_cfg = yaml.safe_load(yaml_file)
             except yaml.YAMLError as exc:
@@ -139,14 +139,16 @@ def scan(
         flag_conditional_statements = False
         flag_resource_arn_statements = False
 
-    if os.path.isfile(input_file):
-        account_name = os.path.basename(input_file).split(".")[0]
-        account_authorization_details_cfg = json.loads(Path(input_file).read_text(encoding="utf-8"))
+    output_path = Path(output)
+    input_file_path = Path(input_file)
+    if input_file_path.is_file():
+        account_name = input_file_path.stem
+        account_authorization_details_cfg = json.loads(input_file_path.read_text(encoding="utf-8"))
         rendered_html_report = scan_account_authorization_details(
             account_authorization_details_cfg,
             exclusions,
             account_name,
-            output,
+            output_path,
             write_data_files=True,
             minimize=minimize,
             flag_conditional_statements=flag_conditional_statements,
@@ -154,52 +156,52 @@ def scan(
             flag_trust_policies=flag_trust_policies,
             severity=severity,
         )
-        html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+        html_output_file = output_path / f"iam-report-{account_name}.html"
         logger.info("Saving the report to %s", html_output_file)
-        if os.path.exists(html_output_file):
-            os.remove(html_output_file)
+        if html_output_file.exists():
+            html_output_file.unlink()
 
-        Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+        html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
         print(f"Wrote HTML results to: {html_output_file}")
 
         # Open the report by default
         if not skip_open_report:
             print("Opening the HTML report")
-            url = f"file://{os.path.abspath(html_output_file)}"
+            url = f"file://{html_output_file.absolute()}"
             webbrowser.open(url, new=2)
 
-    if os.path.isdir(input_file):
+    if input_file_path.is_dir():
         logger.info("The path given is a directory. Scanning for account authorization files and generating report.")
-        input_files = get_authorization_files_in_directory(input_file)
+        input_files = get_authorization_files_in_directory(input_file_path)
         for file in input_files:
             logger.info(f"Scanning file: {file}")
             account_authorization_details_cfg = json.loads(Path(file).read_text(encoding="utf-8"))
 
-            account_name = os.path.basename(input_file).split(".")[0]
+            account_name = input_file_path.parent.stem
             # Scan the Account Authorization Details config
             rendered_html_report = scan_account_authorization_details(
                 account_authorization_details_cfg,
                 exclusions,
                 account_name,
-                output,
+                output_path,
                 write_data_files=True,
                 minimize=minimize,
                 severity=severity,
             )
-            html_output_file = os.path.join(output, f"iam-report-{account_name}.html")
+            html_output_file = output_path / f"iam-report-{account_name}.html"
             logger.info("Saving the report to %s", html_output_file)
-            if os.path.exists(html_output_file):
-                os.remove(html_output_file)
+            if html_output_file.exists():
+                html_output_file.unlink()
 
-            Path(html_output_file).write_text(rendered_html_report, encoding="utf-8")
+            html_output_file.write_text(rendered_html_report, encoding="utf-8")
 
             print(f"Wrote HTML results to: {html_output_file}")
 
             # Open the report by default
             if not skip_open_report:
                 print("Opening the HTML report")
-                url = f"file://{os.path.abspath(html_output_file)}"
+                url = f"file://{html_output_file.absolute()}"
                 webbrowser.open(url, new=2)
 
 
@@ -211,7 +213,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str,
-    output_directory: str,
+    output_directory: str | Path | None,
     write_data_files: bool,
     minimize: bool,
     return_json_results: Literal[True],
@@ -227,7 +229,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = ...,
-    output_directory: str = ...,
+    output_directory: str | Path | None = ...,
     write_data_files: bool = ...,
     minimize: bool = ...,
     return_json_results: Literal[False] = ...,
@@ -242,7 +244,7 @@ def scan_account_authorization_details(
     account_authorization_details_cfg: dict[str, Any],
     exclusions: Exclusions,
     account_name: str = "default",
-    output_directory: str = os.getcwd(),
+    output_directory: str | Path | None = None,
     write_data_files: bool = False,
     minimize: bool = False,
     return_json_results: bool = False,
@@ -285,14 +287,13 @@ def scan_account_authorization_details(
 
     # Raw data file
     if write_data_files:
-        if output_directory is None:
-            output_directory = os.getcwd()
+        output_directory = Path(output_directory) if output_directory else Path.cwd()
 
-        results_data_file = os.path.join(output_directory, f"iam-results-{account_name}.json")
+        results_data_file = output_directory / f"iam-results-{account_name}.json"
         results_data_filepath = write_results_data_file(authorization_details.results, results_data_file)
         print(f"Results data saved: {results_data_filepath}")
 
-        findings_data_file = os.path.join(output_directory, f"iam-findings-{account_name}.json")
+        findings_data_file = output_directory / f"iam-findings-{account_name}.json"
         findings_data_filepath = write_results_data_file(results, findings_data_file)
         print(f"Findings data file saved: {findings_data_filepath}")
 
@@ -302,15 +303,15 @@ def scan_account_authorization_details(
             "iam_findings": results,
             "rendered_report": rendered_report,
         }
-    else:
-        return rendered_report
+
+    return rendered_report
 
 
 def get_authorization_files_in_directory(
-    directory: str,
+    directory: Path,
 ) -> list[str]:  # pragma: no cover
     """Get a list of download-account-authorization-files in a directory"""
-    file_list_with_full_path = [file.absolute() for file in Path(directory).glob("*.json")]
+    file_list_with_full_path = [file.absolute() for file in directory.glob("*.json")]
 
     new_file_list = []
     for file in file_list_with_full_path:

{cloudsplaining-0.8.1 → cloudsplaining-0.9.0}/cloudsplaining/command/scan_multi_account.py

@@ -4,7 +4,7 @@ from __future__ import annotations
 
 import json
 import logging
-import os
+from pathlib import Path
 from typing import TYPE_CHECKING, Any, cast
 
 import click
@@ -22,7 +22,7 @@ from cloudsplaining.shared.exclusions import DEFAULT_EXCLUSIONS, Exclusions
 from cloudsplaining.shared.validation import check_authorization_details_schema
 
 if TYPE_CHECKING:
-    from mypy_boto3_s3 import S3ServiceResource
+    from types_boto3_s3 import S3ServiceResource
 
 logger = logging.getLogger(__name__)
 OK_GREEN = "\033[92m"
@@ -77,7 +77,7 @@ class MultiAccountConfig:
     help="A yaml file containing a list of policy names to exclude from the scan.",
     type=click.Path(exists=True),
     required=False,
-    default=EXCLUSIONS_FILE,
+    default=str(EXCLUSIONS_FILE),
 )
 @optgroup.group("Output Target Options", help="")
 @optgroup.option(
@@ -145,7 +145,7 @@ def scan_multi_account(
     set_log_level(verbosity)
 
     # Read the config file from the user
-    with open(config_file, encoding="utf-8") as yaml_file:
+    with Path(config_file).open(encoding="utf-8") as yaml_file:
         config = yaml.safe_load(yaml_file)
 
     if flag_all_risky_actions:
@@ -217,24 +217,25 @@ def scan_accounts(
             )
             # Write the HTML file
             output_file = f"{target_account_name}.html"
-            s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=rendered_report)
+            s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=rendered_report)  # ty: ignore[unresolved-attribute]
             utils.print_green(f"Saved the HTML report to: s3://{output_bucket}/{output_file}")
             # Write the JSON data file
             if write_data_file:
                 output_file = f"{target_account_name}.json"
                 body = json.dumps(results, sort_keys=True, default=str, indent=4)
-                s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=body)
+                s3.Object(output_bucket, output_file).put(ACL="bucket-owner-full-control", Body=body)  # ty: ignore[unresolved-attribute]
                 utils.print_green(f"Saved the JSON data to: s3://{output_bucket}/{output_file}")
         if output_directory:
             # Write the HTML file
-            html_output_file = os.path.join(output_directory, f"{target_account_name}.html")
+            output_dir_path = Path(output_directory)
+            html_output_file = output_dir_path / f"{target_account_name}.html"
             utils.write_file(html_output_file, rendered_report)
-            utils.print_green(f"Saved the HTML report to: {os.path.relpath(html_output_file)}")
+            utils.print_green(f"Saved the HTML report to: {html_output_file}")
             # Write the JSON data file
             if write_data_file:
-                results_data_file = os.path.join(output_directory, f"{target_account_name}.json")
+                results_data_file = output_dir_path / f"{target_account_name}.json"
                 results_data_filepath = utils.write_results_data_file(results, results_data_file)
-                utils.print_green(f"Saved the JSON data to: {os.path.relpath(results_data_filepath)}")
+                utils.print_green(f"Saved the JSON data to: {results_data_filepath}")
 
 
 def scan_account(
@@ -262,8 +263,7 @@ def scan_account(
         flag_resource_arn_statements=flag_resource_arn_statements,
         flag_trust_policies=flag_trust_policies,
     )
-    results = authorization_details.results
-    return results
+    return authorization_details.results
 
 
 def download_account_authorization_details(
@@ -286,15 +286,14 @@ def download_account_authorization_details(
         "aws_session_token": aws_session_token,
     }
     include_non_default_policy_versions = False
-    authorization_details = get_account_authorization_details(session_data, include_non_default_policy_versions)
-    return authorization_details
+    return get_account_authorization_details(session_data, include_non_default_policy_versions)
 
 
 def get_exclusions(exclusions_file: str | None = None) -> Exclusions:
     """Get the exclusions configuration from a file"""
     # Get the exclusions configuration
     if exclusions_file:
-        with open(exclusions_file, encoding="utf-8") as yaml_file:
+        with Path(exclusions_file).open(encoding="utf-8") as yaml_file:
             try:
                 exclusions_cfg = yaml.safe_load(yaml_file)
             except yaml.YAMLError as exc: