iam-policy-validator 1.0.3__py3-none-any.whl → 1.1.0__py3-none-any.whl

{iam_policy_validator-1.0.3.dist-info → iam_policy_validator-1.1.0.dist-info}/RECORD

@@ -1,45 +1,47 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=xkumSQPsulcb1i1qcSYPxf_hyoSt2pwqrjoqEFoAglc,206
+iam_validator/__version__.py,sha256=YOIURWR5ocuvaQTQgwFi1XjHm_ifJDzicMOQSJZqmZc,206
 iam_validator/checks/__init__.py,sha256=q-_rIYGZJMjsiHK-R_3CbSUCBVGN5e137LPNDnMRZmw,841
-iam_validator/checks/action_condition_enforcement.py,sha256=3V8Wnz6BYnataKzuFMx8fHukVjzpIZaVfde9-RqZjPc,25357
+iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
 iam_validator/checks/action_validation.py,sha256=KbUw1SV-2nN-HtLlj3zrE6sdd0z8iAF0ubqz35Vwb7c,6921
 iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
 iam_validator/checks/policy_size.py,sha256=4cvZiWRJXGuvYo8PRcdD1Py_ZL8Xw0lOJfXTs6EX-_I,5753
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/security_best_practices.py,sha256=Sr3aiLbki8_M3U9qJv7u0fM__GjJRfZzWmJVgJ3ODSw,28185
+iam_validator/checks/security_best_practices.py,sha256=OCAtbsO9HEK97DVPPnm-hJDQtf-ATlnwa1LLshweZDk,32045
 iam_validator/checks/sid_uniqueness.py,sha256=7S8RtVJgYPTKgr7gSEmxgT0oIGkSoXN6iu0ALHbcSfw,5015
 iam_validator/commands/__init__.py,sha256=zuhECuz-1Us5hBNAJtdMae8LaYn1eNeoYPBmQPMwI94,357
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
-iam_validator/commands/validate.py,sha256=zdfay29HX1v4uz_LfzUUgC4-VUy8TTg5CGfZlAeEWXc,13779
+iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=iTIFKul6zQZd2qBg8V6zaDNPMKF8D_XDSX6pJwXFVYY,24791
 iam_validator/core/aws_fetcher.py,sha256=fUCIMItIWmrbgsoVCz_9Oe5k3SjuXBlNBVwQ60IWwns,25492
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
 iam_validator/core/check_registry.py,sha256=wXg4Yw5LJ-rAVLiPUIJOtw8Y49Q1PY00Zbu37LzyjHY,15477
-iam_validator/core/cli.py,sha256=T1SzPTu9vzk29Mey3kMfGJkE4hXTNY6ZrOsj8udDv3o,3140
-iam_validator/core/config_loader.py,sha256=k4D5TT_D6B9N8BbIEg0nE3wUXu0naFLHOVVJsjYZzh4,14880
-iam_validator/core/models.py,sha256=SUEbxDUtkX1uvgMy6-LPzomyGu82PTpXdDXZ9RKqfTY,9655
+iam_validator/core/cli.py,sha256=5UHsHS8o7Fkag4d6MNaaqjCFSGu8evCIbtpa81591lE,3831
+iam_validator/core/config_loader.py,sha256=6Px_JEzk8WU6g8KXaSLme3x8qZXT9oppxUVXYyDkboY,16425
+iam_validator/core/defaults.py,sha256=JzuDYNQGERDtX9S8E5grr4KZmooSephJW8KRplT34L8,10956
+iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
 iam_validator/core/policy_checks.py,sha256=xK5CntsEKVDgN27uIdQ92jCL97t7eBqOk0SChWU9cgw,23872
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
 iam_validator/core/pr_commenter.py,sha256=TOhVXKTFcRHQ9EVuShXQcKXn9aNjB1mU6FnR2jvltmw,10581
-iam_validator/core/report.py,sha256=6k2A82EuhI72y-xCXbxRbykYcBvUP0z977pjUk9w1Cc,28977
-iam_validator/core/formatters/__init__.py,sha256=ggIKrI_Uu6tnKBLnUbBaXgaIXeL-JAGwUOrfSql6sow,774
+iam_validator/core/report.py,sha256=aRM1mYlDjkPmQrUZtcq2akbviLPVTSa8q_mH7XyuuK4,32897
+iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
-iam_validator/core/formatters/console.py,sha256=qkKWcxETRWDr62Zmkz0NXG4oS9hj2LwDX8uH4MoSX0s,750
-iam_validator/core/formatters/csv.py,sha256=hyop9gddZc1eOjUvd1YJjxbo8FNlLG7Rvh6UkSCEAhU,5565
-iam_validator/core/formatters/html.py,sha256=kW0BVTTX8PbiEbct8mXIyqTiO6jdsGjyK6Y3NNVeRaI,19317
+iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
+iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
+iam_validator/core/formatters/enhanced.py,sha256=6hRiATRpH6Osqf_y6C58VN48L47AXYP3Dm9R90VMGs8,16432
+iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
-iam_validator/core/formatters/markdown.py,sha256=FccevVlD_mC6wtrWsya2Uo-NEphyuWsZyFar9x_ZT2g,1859
+iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
 iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkSpy1MM8Vi4,7200
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.0.3.dist-info/METADATA,sha256=r2LUdyRsOAwNYbOPAXEca66sYjBYEosBBRkQG9K2YWE,31445
-iam_policy_validator-1.0.3.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.0.3.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.0.3.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.0.3.dist-info/RECORD,,
+iam_policy_validator-1.1.0.dist-info/METADATA,sha256=a_cegBs1dAS4y_ByXskcvgXY3CNsqC-7frERfdQR27k,25144
+iam_policy_validator-1.1.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.1.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.1.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.1.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.0.3"
+__version__ = "1.0.4"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -139,8 +139,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         # Check each requirement rule
         for requirement in action_condition_requirements:
             # Check if this requirement applies to the statement's actions
-            actions_match, matching_actions = self._check_action_match(
-                statement_actions, requirement
+            actions_match, matching_actions = await self._check_action_match(
+                statement_actions, requirement, fetcher
             )
 
             if not actions_match:
@@ -186,8 +186,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return issues
 
-    def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any]
+    async def _check_action_match(
+        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -208,18 +208,25 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 if stmt_action == "*":
                     continue
 
-                # Check exact matches
-                if stmt_action in actions_config:
-                    matching_actions.append(stmt_action)
+                # Check if this statement action matches any of the required actions or patterns
+                # Use _action_matches which handles wildcards in both statement and config
+                matched = False
 
-                # Check pattern matches
-                for pattern in action_patterns:
-                    try:
-                        if re.match(pattern, stmt_action):
-                            matching_actions.append(stmt_action)
-                            break
-                    except re.error:
-                        continue
+                # Check against configured actions
+                for required_action in actions_config:
+                    if await self._action_matches(
+                        stmt_action, required_action, action_patterns, fetcher
+                    ):
+                        matched = True
+                        break
+
+                # If not matched by actions, check if wildcard overlaps with patterns
+                if not matched and "*" in stmt_action:
+                    # For wildcards, also check pattern overlap directly
+                    matched = await self._action_matches(stmt_action, "", action_patterns, fetcher)
+
+                if matched and stmt_action not in matching_actions:
+                    matching_actions.append(stmt_action)
 
             return len(matching_actions) > 0, matching_actions
 
@@ -231,20 +238,28 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
             # Check all_of: ALL specified actions must be in statement
             if all_of:
-                all_present = all(
-                    any(
-                        self._action_matches(stmt_action, req_action, action_patterns)
-                        for stmt_action in statement_actions
-                    )
-                    for req_action in all_of
-                )
+                all_present = True
+                for req_action in all_of:
+                    found = False
+                    for stmt_action in statement_actions:
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
+                            found = True
+                            break
+                    if not found:
+                        all_present = False
+                        break
+
                 if not all_present:
                     return False, []
 
                 # Collect matching actions
                 for stmt_action in statement_actions:
                     for req_action in all_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
 
@@ -253,7 +268,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 any_present = False
                 for stmt_action in statement_actions:
                     for req_action in any_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             any_present = True
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
@@ -266,7 +283,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 forbidden_actions = []
                 for stmt_action in statement_actions:
                     for forbidden_action in none_of:
-                        if self._action_matches(stmt_action, forbidden_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, forbidden_action, action_patterns, fetcher
+                        ):
                             forbidden_actions.append(stmt_action)
 
                 # If forbidden actions are found, this is a match for flagging
@@ -277,15 +296,23 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return False, []
 
-    def _action_matches(
-        self, statement_action: str, required_action: str, patterns: list[str]
+    async def _action_matches(
+        self,
+        statement_action: str,
+        required_action: str,
+        patterns: list[str],
+        fetcher: AWSServiceFetcher,
     ) -> bool:
         """
         Check if a statement action matches a required action or pattern.
         Supports:
         - Exact matches: "s3:GetObject"
-        - AWS wildcards: "s3:*", "s3:Get*"
+        - AWS wildcards in both statement and required actions: "s3:*", "s3:Get*", "iam:Creat*"
         - Regex patterns: "^s3:Get.*", "^iam:Delete.*"
+
+        This method handles bidirectional wildcard matching using real AWS actions from the fetcher:
+        - statement_action="iam:Create*" matches required_action="iam:CreateUser"
+        - statement_action="iam:C*" matches pattern="^iam:Create" (by checking actual AWS actions)
         """
         if statement_action == "*":
             return False
@@ -304,6 +331,63 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             except re.error:
                 pass
 
+        # AWS wildcard match in statement_action (e.g., "iam:Creat*" in policy)
+        # Check if this wildcard would grant access to actions matching our patterns
+        if "*" in statement_action:
+            # Convert statement wildcard to regex pattern
+            stmt_wildcard_pattern = statement_action.replace("*", ".*").replace("?", ".")
+
+            # Check if statement wildcard overlaps with required action
+            if "*" not in required_action:
+                # Required action is specific (e.g., "iam:CreateUser")
+                # Check if statement wildcard would grant it
+                try:
+                    if re.match(f"^{stmt_wildcard_pattern}$", required_action):
+                        return True
+                except re.error:
+                    pass
+
+            # Check if statement wildcard overlaps with any of our action patterns
+            # Strategy: Use real AWS actions from the fetcher instead of hardcoded guesses
+            # For example: "iam:C*" should match pattern "^iam:Create" because:
+            # - "iam:C*" grants iam:CreateUser, iam:CreateRole, etc. (from AWS)
+            # - "^iam:Create" pattern is meant to catch iam:CreateUser, iam:CreateRole, etc.
+            # - Therefore they overlap
+            if patterns:
+                try:
+                    # Parse the service from the wildcard action
+                    service_prefix, _ = fetcher.parse_action(statement_action)
+
+                    # Fetch the real list of actions for this service
+                    service_detail = await fetcher.fetch_service_by_name(service_prefix)
+                    available_actions = list(service_detail.actions.keys())
+
+                    # Find which actual AWS actions the wildcard would grant
+                    _, granted_actions = fetcher._match_wildcard_action(
+                        statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
+                        available_actions,
+                    )
+
+                    # Check if any of the granted actions match our patterns
+                    for granted_action in granted_actions:
+                        full_granted_action = f"{service_prefix}:{granted_action}"
+                        for pattern in patterns:
+                            try:
+                                if re.match(pattern, full_granted_action):
+                                    return True
+                            except re.error:
+                                continue
+
+                except (ValueError, Exception):
+                    # If we can't fetch the service or parse the action, fall back to prefix matching
+                    stmt_prefix = statement_action.rstrip("*")
+                    for pattern in patterns:
+                        try:
+                            if re.match(pattern, stmt_prefix):
+                                return True
+                        except re.error:
+                            continue
+
         # Regex pattern match (from action_patterns config)
         for pattern in patterns:
             try:

iam_validator/checks/security_best_practices.py

@@ -91,14 +91,27 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "wildcard_action_check"):
             if "*" in actions:
                 severity = self._get_sub_check_severity(config, "wildcard_action_check", "warning")
+                sub_check_config = config.config.get("wildcard_action_check", {})
+
+                message = sub_check_config.get("message", "Statement allows all actions (*)")
+                suggestion_text = sub_check_config.get(
+                    "suggestion", "Consider limiting to specific actions needed"
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example like action_condition_enforcement does
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="overly_permissive",
-                        message="Statement allows all actions (*)",
-                        suggestion="Consider limiting to specific actions needed",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -109,14 +122,27 @@ class SecurityBestPracticesCheck(PolicyCheck):
                 severity = self._get_sub_check_severity(
                     config, "wildcard_resource_check", "warning"
                 )
+                sub_check_config = config.config.get("wildcard_resource_check", {})
+
+                message = sub_check_config.get("message", "Statement applies to all resources (*)")
+                suggestion_text = sub_check_config.get(
+                    "suggestion", "Consider limiting to specific resources"
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="overly_permissive",
-                        message="Statement applies to all resources (*)",
-                        suggestion="Consider limiting to specific resources",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -125,14 +151,31 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "full_wildcard_check"):
             if "*" in actions and "*" in resources:
                 severity = self._get_sub_check_severity(config, "full_wildcard_check", "error")
+                sub_check_config = config.config.get("full_wildcard_check", {})
+
+                message = sub_check_config.get(
+                    "message",
+                    "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+                )
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "This grants full administrative access. Restrict to specific actions and resources.",
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
+
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="security_risk",
-                        message="Statement allows all actions on all resources - CRITICAL SECURITY RISK",
-                        suggestion="This grants full administrative access. Restrict to specific actions and resources.",
+                        message=message,
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )
@@ -155,15 +198,43 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         severity = self._get_sub_check_severity(
                             config, "service_wildcard_check", "warning"
                         )
+                        sub_check_config = config.config.get("service_wildcard_check", {})
+
+                        # Get message template and replace placeholders
+                        message_template = sub_check_config.get(
+                            "message",
+                            "Service-level wildcard '{action}' grants all permissions for {service} service",
+                        )
+                        suggestion_template = sub_check_config.get(
+                            "suggestion",
+                            "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                        )
+                        example_template = sub_check_config.get("example", "")
+
+                        message = message_template.format(action=action, service=service)
+                        suggestion_text = suggestion_template.format(action=action, service=service)
+                        example = (
+                            example_template.format(action=action, service=service)
+                            if example_template
+                            else ""
+                        )
+
+                        # Combine suggestion + example
+                        suggestion = (
+                            f"{suggestion_text}\nExample:\n{example}"
+                            if example
+                            else suggestion_text
+                        )
+
                         issues.append(
                             ValidationIssue(
                                 severity=severity,
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="overly_permissive",
-                                message=f"Service-level wildcard '{action}' grants all permissions for {service} service",
+                                message=message,
                                 action=action,
-                                suggestion=f"Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                                suggestion=suggestion,
                                 line_number=line_number,
                             )
                         )
@@ -177,13 +248,33 @@ class SecurityBestPracticesCheck(PolicyCheck):
 
             if is_sensitive and not has_conditions:
                 severity = self._get_sub_check_severity(config, "sensitive_action_check", "warning")
+                sub_check_config = config.config.get("sensitive_action_check", {})
 
-                # Create appropriate message based on matched actions
+                # Create appropriate message based on matched actions using configurable templates
                 if len(matched_actions) == 1:
-                    message = f"Sensitive action '{matched_actions[0]}' should have conditions to limit when it can be used"
+                    message_template = sub_check_config.get(
+                        "message_single",
+                        "Sensitive action '{action}' should have conditions to limit when it can be used",
+                    )
+                    message = message_template.format(action=matched_actions[0])
                 else:
                     action_list = "', '".join(matched_actions)
-                    message = f"Sensitive actions '{action_list}' should have conditions to limit when they can be used"
+                    message_template = sub_check_config.get(
+                        "message_multiple",
+                        "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                    )
+                    message = message_template.format(actions=action_list)
+
+                suggestion_text = sub_check_config.get(
+                    "suggestion",
+                    "Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                )
+                example = sub_check_config.get("example", "")
+
+                # Combine suggestion + example
+                suggestion = (
+                    f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                )
 
                 issues.append(
                     ValidationIssue(
@@ -193,7 +284,7 @@ class SecurityBestPracticesCheck(PolicyCheck):
                         issue_type="missing_condition",
                         message=message,
                         action=(matched_actions[0] if len(matched_actions) == 1 else None),
-                        suggestion="Add conditions like 'aws:Resource/owner must match aws:Principal/owner', IP restrictions, MFA requirements, or time-based restrictions",
+                        suggestion=suggestion,
                         line_number=line_number,
                     )
                 )

iam_validator/commands/validate.py

@@ -59,9 +59,9 @@ Examples:
         parser.add_argument(
             "--format",
             "-f",
-            choices=["console", "json", "markdown", "html", "csv", "sarif"],
+            choices=["console", "enhanced", "json", "markdown", "html", "csv", "sarif"],
             default="console",
-            help="Output format (default: console)",
+            help="Output format (default: console). Use 'enhanced' for modern visual output with Rich library",
         )
 
         parser.add_argument(
@@ -177,7 +177,8 @@ Examples:
         report = generator.generate_report(results)
 
         # Output results
-        if args.format == "console":
+        if args.format is None:
+            # Default: use classic console output (direct Rich printing)
             generator.print_console_report(report)
         elif args.format == "json":
             if args.output:
@@ -190,7 +191,7 @@ Examples:
             else:
                 print(generator.generate_github_comment(report))
         else:
-            # Use formatter registry for other formats (html, csv, sarif)
+            # Use formatter registry for other formats (enhanced, html, csv, sarif)
             output_content = generator.format_report(report, args.format)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:
@@ -285,6 +286,7 @@ Examples:
 
         # Output final results
         if args.format == "console":
+            # Classic console output (direct Rich printing from report.py)
             generator.print_console_report(report)
         elif args.format == "json":
             if args.output:
@@ -297,7 +299,7 @@ Examples:
             else:
                 print(generator.generate_github_comment(report))
         else:
-            # Use formatter registry for other formats (html, csv, sarif)
+            # Use formatter registry for other formats (enhanced, html, csv, sarif)
             output_content = generator.format_report(report, args.format)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:

iam_validator/core/cli.py

@@ -10,18 +10,24 @@ from iam_validator import __version__
 from iam_validator.commands import ALL_COMMANDS
 
 
-def setup_logging(verbose: bool = False) -> None:
+def setup_logging(log_level: str | None = None, verbose: bool = False) -> None:
     """Setup logging configuration.
 
     Args:
-        verbose: Enable verbose logging
+        log_level: Log level from CLI argument (debug, info, warning, error, critical)
+        verbose: Enable verbose logging (deprecated, use --log-level debug instead)
 
     Environment Variables:
         LOG_LEVEL: Set log level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
-                   Overrides the --verbose flag if set
+
+    Priority:
+        1. --log-level CLI argument (highest priority)
+        2. LOG_LEVEL environment variable
+        3. --verbose flag (sets DEBUG level)
+        4. Default: WARNING (lowest priority)
     """
     # Check for LOG_LEVEL environment variable
-    log_level_str = os.getenv("LOG_LEVEL", "").upper()
+    env_log_level = os.getenv("LOG_LEVEL", "").upper()
 
     # Map string to logging level
     level_map = {
@@ -32,13 +38,15 @@ def setup_logging(verbose: bool = False) -> None:
         "CRITICAL": logging.CRITICAL,
     }
 
-    # Priority: LOG_LEVEL env var > --verbose flag > default (INFO)
-    if log_level_str in level_map:
-        level = level_map[log_level_str]
+    # Priority: CLI --log-level > LOG_LEVEL env var > --verbose flag > default (WARNING)
+    if log_level:
+        level = level_map[log_level.upper()]
+    elif env_log_level in level_map:
+        level = level_map[env_log_level]
     elif verbose:
         level = logging.DEBUG
     else:
-        level = logging.INFO
+        level = logging.WARNING
 
     logging.basicConfig(
         level=level,
@@ -66,6 +74,14 @@ def main() -> int:
         help="Show version information and exit",
     )
 
+    # Add global log level argument
+    parser.add_argument(
+        "--log-level",
+        choices=["debug", "info", "warning", "error", "critical"],
+        default=None,
+        help="Set logging level (default: warning)",
+    )
+
     subparsers = parser.add_subparsers(dest="command", help="Command to run")
 
     # Register all commands
@@ -88,8 +104,9 @@ def main() -> int:
         return 1
 
     # Setup logging
+    log_level = getattr(args, "log_level", None)
     verbose = getattr(args, "verbose", False)
-    setup_logging(verbose)
+    setup_logging(log_level, verbose)
 
     # Execute command
     try:

iam_validator/core/config_loader.py

@@ -15,21 +15,57 @@ from typing import Any
 import yaml
 
 from iam_validator.core.check_registry import CheckConfig, CheckRegistry, PolicyCheck
+from iam_validator.core.defaults import get_default_config
 
 logger = logging.getLogger(__name__)
 
 
+def deep_merge(base: dict, override: dict) -> dict:
+    """
+    Deep merge two dictionaries, with override taking precedence.
+
+    Args:
+        base: Base dictionary with default values
+        override: Dictionary with override values
+
+    Returns:
+        Merged dictionary where override values take precedence
+    """
+    result = base.copy()
+    for key, value in override.items():
+        if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+            result[key] = deep_merge(result[key], value)
+        else:
+            result[key] = value
+    return result
+
+
 class ValidatorConfig:
     """Main configuration object for the validator."""
 
-    def __init__(self, config_dict: dict[str, Any] | None = None):
+    def __init__(self, config_dict: dict[str, Any] | None = None, use_defaults: bool = True):
         """
         Initialize configuration from a dictionary.
 
         Args:
-            config_dict: Dictionary loaded from YAML config file
+            config_dict: Dictionary loaded from YAML config file.
+                        If None, either uses default configuration (if use_defaults=True)
+                        or creates an empty configuration (if use_defaults=False).
+                        If provided, merges with defaults (user config takes precedence).
+            use_defaults: Whether to load default configuration. Set to False for testing
+                         or when you want an empty configuration.
         """
-        self.config_dict = config_dict or {}
+        # Start with default configuration if requested
+        if use_defaults:
+            default_config = get_default_config()
+            # Merge user config with defaults if provided
+            if config_dict:
+                self.config_dict = deep_merge(default_config, config_dict)
+            else:
+                self.config_dict = default_config
+        else:
+            # No defaults - use provided config or empty dict
+            self.config_dict = config_dict or {}
 
         # Support both nested and flat structure
         # New flat structure: each check is a top-level key ending with "_check"