iam-policy-validator 1.0.4__py3-none-any.whl → 1.1.1__py3-none-any.whl

{iam_policy_validator-1.0.4.dist-info → iam_policy_validator-1.1.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.0.4
+Version: 1.1.1
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -70,7 +70,8 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 - **Comment Updates**: Update existing comments instead of creating duplicates
 
 ### Output Formats
-- **Console**: Rich terminal output with colors and tables
+- **Console** (default): Clean terminal output with colors and tables
+- **Enhanced**: Modern visual output with progress bars, tree structure, and rich visuals
 - **JSON**: Structured format for programmatic processing
 - **Markdown**: GitHub-flavored markdown for PR comments
 - **SARIF**: GitHub code scanning integration format
@@ -87,9 +88,11 @@ A high-performance GitHub Action and Python CLI tool that validates AWS IAM poli
 
 ### As a GitHub Action (Recommended) ⭐
 
-The easiest way to use IAM Policy Validator is as a GitHub Action in your workflows.
+The IAM Policy Validator is available as **both** a standalone GitHub Action and a Python module. Choose the approach that best fits your needs:
 
-#### Basic Validation
+#### **Option A: Standalone GitHub Action** (Recommended - Zero Setup)
+
+Use the published action directly - it handles all setup automatically:
 
 Create `.github/workflows/iam-policy-validator.yml`:
 
@@ -121,7 +124,13 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### With AWS Access Analyzer
+**Benefits:**
+- ✅ Zero setup - action handles Python, uv, and dependencies
+- ✅ Automatic dependency caching
+- ✅ Simple, declarative configuration
+- ✅ Perfect for CI/CD workflows
+
+#### With AWS Access Analyzer (Standalone Action)
 
 Use AWS's official policy validation service:
 
@@ -162,7 +171,61 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### Custom Policy Checks
+#### **Option B: As Python Module/CLI Tool**
+
+For advanced use cases or when you need more control:
+
+```yaml
+name: IAM Policy Validation (CLI)
+
+on:
+  pull_request:
+    paths:
+      - 'policies/**/*.json'
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Validate IAM Policies
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          uv run iam-validator validate \
+            --path ./policies/ \
+            --github-comment \
+            --github-review \
+            --fail-on-warnings \
+            --log-level info
+```
+
+**Use this when you need:**
+- Advanced CLI options (e.g., `--log-level`, `--custom-checks-dir`, `--stream`)
+- Full control over the Python environment
+- Integration with existing Python workflows
+- Multiple validation commands in sequence
+
+#### Custom Policy Checks (Standalone Action)
 
 Enforce specific security requirements:
 
@@ -231,7 +294,22 @@ jobs:
           fail-on-warnings: true
 ```
 
-#### Multiple Paths
+---
+
+### Choosing the Right Approach
+
+| Feature               | Standalone Action        | Python Module/CLI                                                        |
+| --------------------- | ------------------------ | ------------------------------------------------------------------------ |
+| Setup Required        | None - fully automated   | Manual (Python, uv, dependencies)                                        |
+| Configuration         | YAML inputs              | CLI arguments                                                            |
+| Advanced Options      | Limited to action inputs | Full CLI access (`--log-level`, `--custom-checks-dir`, `--stream`, etc.) |
+| Custom Checks         | Via config file only     | Via config file or `--custom-checks-dir`                                 |
+| Best For              | CI/CD, simple workflows  | Development, advanced workflows, testing                                 |
+| Dependency Management | Automatic                | Manual                                                                   |
+
+**Recommendation:** Use the **Standalone Action** for production CI/CD workflows, and the **Python Module/CLI** for development, testing, or when you need advanced features.
+
+#### Multiple Paths (Standalone Action)
 
 Validate policies across multiple directories:
 
@@ -305,7 +383,7 @@ action_condition_enforcement_check:
         - condition_key: "iam:PassedToService"
 ```
 
-See [iam-validator.yaml](iam-validator.yaml) for a complete configuration example.
+See [default-config.yaml](default-config.yaml) for a complete configuration example.
 
 ### GitHub Action Inputs
 
@@ -316,12 +394,12 @@ See [iam-validator.yaml](iam-validator.yaml) for a complete configuration exampl
 | `fail-on-warnings`            | Fail validation if warnings are found                                  | No       | `false`           |
 | `post-comment`                | Post validation results as PR comment                                  | No       | `true`            |
 | `create-review`               | Create line-specific review comments on PR                             | No       | `true`            |
-| `format`                      | Output format (console, json, markdown, sarif, csv, html)              | No       | `console`         |
+| `format`                      | Output format (console, enhanced, json, markdown, sarif, csv, html)    | No       | `console`         |
 | `output-file`                 | Path to save output file                                               | No       | ""                |
 | `recursive`                   | Recursively search directories for policy files                        | No       | `true`            |
 | `use-access-analyzer`         | Use AWS IAM Access Analyzer for validation                             | No       | `false`           |
 | `access-analyzer-region`      | AWS region for Access Analyzer                                         | No       | `us-east-1`       |
-| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `RESOURCE_POLICY` |
+| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `IDENTITY_POLICY` |
 | `run-all-checks`              | Run custom checks after Access Analyzer                                | No       | `false`           |
 | `check-access-not-granted`    | Actions that should NOT be granted (space-separated)                   | No       | ""                |
 | `check-access-resources`      | Resources to check with check-access-not-granted                       | No       | ""                |

iam_policy_validator-1.1.1.dist-info/RECORD

@@ -0,0 +1,53 @@
+iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
+iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
+iam_validator/__version__.py,sha256=xEe2pX5CjvpoW3wJ6rXXULgJzJ3B6BM7RqL5dElKRA4,206
+iam_validator/checks/__init__.py,sha256=eKTPgiZ1i3zvyP6OdKgLx9s3u69onITMYifmJPJwZgM,968
+iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
+iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
+iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
+iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
+iam_validator/checks/policy_size.py,sha256=4cvZiWRJXGuvYo8PRcdD1Py_ZL8Xw0lOJfXTs6EX-_I,5753
+iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
+iam_validator/checks/security_best_practices.py,sha256=-gqxtcx_cUV1ZnyZ8Flydwan1vxb-RmnanWoIlU6YyY,21711
+iam_validator/checks/sid_uniqueness.py,sha256=7S8RtVJgYPTKgr7gSEmxgT0oIGkSoXN6iu0ALHbcSfw,5015
+iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
+iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=_kQRGRJDQ0TLHymZbucXmKOfZJ_OUsf5p0blLfP54EY,8883
+iam_validator/checks/utils/wildcard_expansion.py,sha256=L6AWrLRacqXqk9k-5ZmXv5HyoAyz98cg5AlTvzH2tTI,3158
+iam_validator/commands/__init__.py,sha256=lF0fSUukLSxTAvhjg-0P79YMseYwihIr_tmQYbfNgcY,425
+iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
+iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
+iam_validator/commands/cache.py,sha256=1E-irKF3e2CFUEG9s1z64hIKLVSYFQ-L92ld6L3za5g,14368
+iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
+iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
+iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
+iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
+iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
+iam_validator/core/aws_fetcher.py,sha256=P7fYX1Q1TICuTOlGaqH97U3m8B0bqGE9jP7cxfmny8k,27418
+iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
+iam_validator/core/check_registry.py,sha256=wxqaF2t_3lWgT6x7_PnnZ8XGjHKUxUk72UlmdYBLFyo,15679
+iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
+iam_validator/core/config_loader.py,sha256=Pq2rd6LJtEZET0ZeW4hEZS2ZRLC5gNRsKbtLyIsT21I,16516
+iam_validator/core/defaults.py,sha256=sPQJUMyjv4yalGCuyQhlY42rDc_-BZLq6qS0GgoP4mc,11893
+iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
+iam_validator/core/policy_checks.py,sha256=vIzRkqf5k1BB0elry5a4E2SRBlp6Vz3jPqrav29k3PM,24842
+iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
+iam_validator/core/pr_commenter.py,sha256=TOhVXKTFcRHQ9EVuShXQcKXn9aNjB1mU6FnR2jvltmw,10581
+iam_validator/core/report.py,sha256=wPkLvsIej-AaW5FlqntvUuHuEMvyi2iBI6NQF496gCM,33064
+iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
+iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
+iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
+iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
+iam_validator/core/formatters/enhanced.py,sha256=k_DwzhGTARUKMv4bjkaCrpI6ypT10z9LcSk8gKlyDIM,16547
+iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
+iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
+iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
+iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkSpy1MM8Vi4,7200
+iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
+iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
+iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
+iam_policy_validator-1.1.1.dist-info/METADATA,sha256=tliAMa89Y5CSxbEy0PCV_IXr-FSn07I91AKl44QpoJQ,25144
+iam_policy_validator-1.1.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.1.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.1.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.1.1.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.0.4"
+__version__ = "1.1.1"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/__init__.py

@@ -5,6 +5,7 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
+from iam_validator.checks.action_resource_constraint import ActionResourceConstraintCheck
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
@@ -14,6 +15,7 @@ from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
 
 __all__ = [
     "ActionConditionEnforcementCheck",
+    "ActionResourceConstraintCheck",
     "ActionValidationCheck",
     "ConditionKeyValidationCheck",
     "PolicySizeCheck",

iam_validator/checks/action_condition_enforcement.py

@@ -139,8 +139,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         # Check each requirement rule
         for requirement in action_condition_requirements:
             # Check if this requirement applies to the statement's actions
-            actions_match, matching_actions = self._check_action_match(
-                statement_actions, requirement
+            actions_match, matching_actions = await self._check_action_match(
+                statement_actions, requirement, fetcher
             )
 
             if not actions_match:
@@ -186,8 +186,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return issues
 
-    def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any]
+    async def _check_action_match(
+        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -208,18 +208,25 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 if stmt_action == "*":
                     continue
 
-                # Check exact matches
-                if stmt_action in actions_config:
-                    matching_actions.append(stmt_action)
+                # Check if this statement action matches any of the required actions or patterns
+                # Use _action_matches which handles wildcards in both statement and config
+                matched = False
 
-                # Check pattern matches
-                for pattern in action_patterns:
-                    try:
-                        if re.match(pattern, stmt_action):
-                            matching_actions.append(stmt_action)
-                            break
-                    except re.error:
-                        continue
+                # Check against configured actions
+                for required_action in actions_config:
+                    if await self._action_matches(
+                        stmt_action, required_action, action_patterns, fetcher
+                    ):
+                        matched = True
+                        break
+
+                # If not matched by actions, check if wildcard overlaps with patterns
+                if not matched and "*" in stmt_action:
+                    # For wildcards, also check pattern overlap directly
+                    matched = await self._action_matches(stmt_action, "", action_patterns, fetcher)
+
+                if matched and stmt_action not in matching_actions:
+                    matching_actions.append(stmt_action)
 
             return len(matching_actions) > 0, matching_actions
 
@@ -231,20 +238,28 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
             # Check all_of: ALL specified actions must be in statement
             if all_of:
-                all_present = all(
-                    any(
-                        self._action_matches(stmt_action, req_action, action_patterns)
-                        for stmt_action in statement_actions
-                    )
-                    for req_action in all_of
-                )
+                all_present = True
+                for req_action in all_of:
+                    found = False
+                    for stmt_action in statement_actions:
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
+                            found = True
+                            break
+                    if not found:
+                        all_present = False
+                        break
+
                 if not all_present:
                     return False, []
 
                 # Collect matching actions
                 for stmt_action in statement_actions:
                     for req_action in all_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
 
@@ -253,7 +268,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 any_present = False
                 for stmt_action in statement_actions:
                     for req_action in any_of:
-                        if self._action_matches(stmt_action, req_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, req_action, action_patterns, fetcher
+                        ):
                             any_present = True
                             if stmt_action not in matching_actions:
                                 matching_actions.append(stmt_action)
@@ -266,7 +283,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 forbidden_actions = []
                 for stmt_action in statement_actions:
                     for forbidden_action in none_of:
-                        if self._action_matches(stmt_action, forbidden_action, action_patterns):
+                        if await self._action_matches(
+                            stmt_action, forbidden_action, action_patterns, fetcher
+                        ):
                             forbidden_actions.append(stmt_action)
 
                 # If forbidden actions are found, this is a match for flagging
@@ -277,15 +296,23 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return False, []
 
-    def _action_matches(
-        self, statement_action: str, required_action: str, patterns: list[str]
+    async def _action_matches(
+        self,
+        statement_action: str,
+        required_action: str,
+        patterns: list[str],
+        fetcher: AWSServiceFetcher,
     ) -> bool:
         """
         Check if a statement action matches a required action or pattern.
         Supports:
         - Exact matches: "s3:GetObject"
-        - AWS wildcards: "s3:*", "s3:Get*"
+        - AWS wildcards in both statement and required actions: "s3:*", "s3:Get*", "iam:Creat*"
         - Regex patterns: "^s3:Get.*", "^iam:Delete.*"
+
+        This method handles bidirectional wildcard matching using real AWS actions from the fetcher:
+        - statement_action="iam:Create*" matches required_action="iam:CreateUser"
+        - statement_action="iam:C*" matches pattern="^iam:Create" (by checking actual AWS actions)
         """
         if statement_action == "*":
             return False
@@ -304,6 +331,63 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             except re.error:
                 pass
 
+        # AWS wildcard match in statement_action (e.g., "iam:Creat*" in policy)
+        # Check if this wildcard would grant access to actions matching our patterns
+        if "*" in statement_action:
+            # Convert statement wildcard to regex pattern
+            stmt_wildcard_pattern = statement_action.replace("*", ".*").replace("?", ".")
+
+            # Check if statement wildcard overlaps with required action
+            if "*" not in required_action:
+                # Required action is specific (e.g., "iam:CreateUser")
+                # Check if statement wildcard would grant it
+                try:
+                    if re.match(f"^{stmt_wildcard_pattern}$", required_action):
+                        return True
+                except re.error:
+                    pass
+
+            # Check if statement wildcard overlaps with any of our action patterns
+            # Strategy: Use real AWS actions from the fetcher instead of hardcoded guesses
+            # For example: "iam:C*" should match pattern "^iam:Create" because:
+            # - "iam:C*" grants iam:CreateUser, iam:CreateRole, etc. (from AWS)
+            # - "^iam:Create" pattern is meant to catch iam:CreateUser, iam:CreateRole, etc.
+            # - Therefore they overlap
+            if patterns:
+                try:
+                    # Parse the service from the wildcard action
+                    service_prefix, _ = fetcher.parse_action(statement_action)
+
+                    # Fetch the real list of actions for this service
+                    service_detail = await fetcher.fetch_service_by_name(service_prefix)
+                    available_actions = list(service_detail.actions.keys())
+
+                    # Find which actual AWS actions the wildcard would grant
+                    _, granted_actions = fetcher._match_wildcard_action(
+                        statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
+                        available_actions,
+                    )
+
+                    # Check if any of the granted actions match our patterns
+                    for granted_action in granted_actions:
+                        full_granted_action = f"{service_prefix}:{granted_action}"
+                        for pattern in patterns:
+                            try:
+                                if re.match(pattern, full_granted_action):
+                                    return True
+                            except re.error:
+                                continue
+
+                except (ValueError, Exception):
+                    # If we can't fetch the service or parse the action, fall back to prefix matching
+                    stmt_prefix = statement_action.rstrip("*")
+                    for pattern in patterns:
+                        try:
+                            if re.match(pattern, stmt_prefix):
+                                return True
+                        except re.error:
+                            continue
+
         # Regex pattern match (from action_patterns config)
         for pattern in patterns:
             try:

iam_validator/checks/action_resource_constraint.py

@@ -0,0 +1,151 @@
+"""Action resource constraint check - validates resource constraints for actions.
+
+This check ensures that:
+- Actions WITHOUT required resource types (empty or missing Resources field in AWS API)
+  MUST use Resource: "*" because they are account-level operations
+
+Examples of actions without required resources:
+- s3:ListAllMyBuckets (lists all buckets in account)
+- iam:ListRoles (lists all roles in account)
+- ec2:DescribeInstances (describes instances across all regions)
+
+These actions cannot target specific resources because they operate at the account level.
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ActionResourceConstraintCheck(PolicyCheck):
+    """Validates resource constraints based on action requirements.
+    This check ensures that actions without required resource types use Resource: "*".
+
+    Examples of such actions include s3:ListAllMyBuckets, iam:ListRoles, etc.
+    """
+
+    @property
+    def check_id(self) -> str:
+        return "action_resource_constraint"
+
+    @property
+    def description(self) -> str:
+        return "Validates that actions without required resource types use Resource: '*'"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute action resource constraint validation on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        # Get actions and resources from statement
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Skip if no actions or wildcard action
+        if not actions or "*" in actions:
+            return issues
+
+        # Skip if already using wildcard resource (this is correct for these actions)
+        if "*" in resources:
+            return issues
+
+        # Check each action for resource requirements
+        actions_without_required_resources = []
+
+        for action in actions:
+            # Skip wildcard actions
+            if "*" in action:
+                continue
+
+            try:
+                # Parse action to get service and action name
+                service_prefix, action_name = fetcher.parse_action(action)
+
+                # Fetch service detail to check resource requirements
+                service_detail = await fetcher.fetch_service_by_name(service_prefix)
+
+                # Check if action exists
+                if action_name not in service_detail.actions:
+                    # Action doesn't exist - skip (will be caught by action_validation_check)
+                    continue
+
+                action_detail = service_detail.actions[action_name]
+
+                # Check if action has NO required resources (empty or missing Resources field)
+                has_no_required_resources = (
+                    not action_detail.resources or len(action_detail.resources) == 0
+                )
+
+                if has_no_required_resources:
+                    actions_without_required_resources.append(action)
+
+            except ValueError:
+                # Invalid action format - skip (will be caught by action_validation_check)
+                continue
+            except Exception:
+                # Service not found or other error - skip
+                continue
+
+        # If we found actions without required resources, report the issue
+        if actions_without_required_resources:
+            # Get a sample of the resources to show in error message
+            resource_sample = resources[:3] if len(resources) > 3 else resources
+            resource_display = ", ".join(f'"{r}"' for r in resource_sample)
+            if len(resources) > 3:
+                resource_display += f", ... ({len(resources) - 3} more)"
+
+            # Format action list
+            action_list = ", ".join(f'"{a}"' for a in actions_without_required_resources)
+
+            # Determine message based on how many actions are affected
+            if len(actions_without_required_resources) == 1:
+                message = (
+                    f"Action {action_list} does not operate on specific resources "
+                    f'and requires Resource: "*"'
+                )
+                suggestion = (
+                    f"Action {action_list} is an account-level operation that cannot target "
+                    'specific resources. Move this action to a separate statement with Resource: "*", '
+                    "and keep resource-specific actions in another statement with their specific ARNs"
+                )
+            else:
+                message = (
+                    f"Actions {action_list} do not operate on specific resources "
+                    f'and require Resource: "*"'
+                )
+                suggestion = (
+                    "These actions are account-level operations that cannot target "
+                    'specific resources. Move these actions to a dedicated statement with Resource: "*", '
+                    "and keep resource-specific actions in separate statements with their specific ARNs"
+                )
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement_sid,
+                    statement_index=statement_idx,
+                    issue_type="invalid_resource_constraint",
+                    message=message,
+                    action=action_list,
+                    resource=resource_display,
+                    suggestion=suggestion,
+                    line_number=line_number,
+                )
+            )
+
+        return issues