iam-policy-validator 1.0.4__py3-none-any.whl → 1.1.1__py3-none-any.whl

iam_validator/core/config_loader.py

@@ -15,21 +15,57 @@ from typing import Any
 import yaml
 
 from iam_validator.core.check_registry import CheckConfig, CheckRegistry, PolicyCheck
+from iam_validator.core.defaults import get_default_config
 
 logger = logging.getLogger(__name__)
 
 
+def deep_merge(base: dict, override: dict) -> dict:
+    """
+    Deep merge two dictionaries, with override taking precedence.
+
+    Args:
+        base: Base dictionary with default values
+        override: Dictionary with override values
+
+    Returns:
+        Merged dictionary where override values take precedence
+    """
+    result = base.copy()
+    for key, value in override.items():
+        if key in result and isinstance(result[key], dict) and isinstance(value, dict):
+            result[key] = deep_merge(result[key], value)
+        else:
+            result[key] = value
+    return result
+
+
 class ValidatorConfig:
     """Main configuration object for the validator."""
 
-    def __init__(self, config_dict: dict[str, Any] | None = None):
+    def __init__(self, config_dict: dict[str, Any] | None = None, use_defaults: bool = True):
         """
         Initialize configuration from a dictionary.
 
         Args:
-            config_dict: Dictionary loaded from YAML config file
+            config_dict: Dictionary loaded from YAML config file.
+                        If None, either uses default configuration (if use_defaults=True)
+                        or creates an empty configuration (if use_defaults=False).
+                        If provided, merges with defaults (user config takes precedence).
+            use_defaults: Whether to load default configuration. Set to False for testing
+                         or when you want an empty configuration.
         """
-        self.config_dict = config_dict or {}
+        # Start with default configuration if requested
+        if use_defaults:
+            default_config = get_default_config()
+            # Merge user config with defaults if provided
+            if config_dict:
+                self.config_dict = deep_merge(default_config, config_dict)
+            else:
+                self.config_dict = default_config
+        else:
+            # No defaults - use provided config or empty dict
+            self.config_dict = config_dict or {}
 
         # Support both nested and flat structure
         # New flat structure: each check is a top-level key ending with "_check"
@@ -210,6 +246,7 @@ class ConfigLoader:
                 severity=check_config_dict.get("severity"),
                 config=check_config_dict,
                 description=check_config_dict.get("description", check.description),
+                root_config=config.config_dict,  # Pass full config for cross-check access
             )
 
             registry.configure_check(check_id, check_config)

iam_validator/core/defaults.py

@@ -0,0 +1,334 @@
+"""
+Default configuration for IAM Policy Validator.
+
+This module contains the default configuration that is used when no user
+configuration file is provided. User configuration files will override
+these defaults.
+
+This configuration is synced with the default-config.yaml file.
+"""
+
+# ============================================================================
+# SEVERITY LEVELS
+# ============================================================================
+# The validator uses two types of severity levels:
+#
+# 1. IAM VALIDITY SEVERITIES (for AWS IAM policy correctness):
+#    - error:   Policy violates AWS IAM rules (invalid actions, ARNs, etc.)
+#    - warning: Policy may have IAM-related issues but is technically valid
+#    - info:    Informational messages about the policy structure
+#
+# 2. SECURITY SEVERITIES (for security best practices):
+#    - critical: Critical security risk (e.g., wildcard action + resource)
+#    - high:     High security risk (e.g., missing required conditions)
+#    - medium:   Medium security risk (e.g., overly permissive wildcards)
+#    - low:      Low security risk (e.g., minor best practice violations)
+#
+# Use 'error' for policy validity issues, and 'critical/high/medium/low' for
+# security best practices. This distinction helps separate "broken policies"
+# from "insecure but valid policies".
+# ============================================================================
+
+# Default configuration dictionary
+DEFAULT_CONFIG = {
+    "settings": {
+        "fail_fast": False,
+        "max_concurrent": 10,
+        "enable_builtin_checks": True,
+        "parallel_execution": True,
+        "cache_enabled": True,
+        "cache_ttl_hours": 168,
+        "fail_on_severity": ["error", "critical"],
+    },
+    "sid_uniqueness_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates that Statement IDs (Sids) are unique within the policy",
+    },
+    "policy_size_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates that IAM policies don't exceed AWS size limits",
+        "policy_type": "managed",
+    },
+    "action_validation_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates that actions exist in AWS services",
+    },
+    "condition_key_validation_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates condition keys against AWS service definitions for specified actions",
+        "validate_aws_global_keys": True,
+    },
+    "resource_validation_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates ARN format for resources",
+        "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
+    },
+    "action_resource_constraint_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates that actions without required resource types use Resource: '*'",
+    },
+    "security_best_practices_check": {
+        "enabled": True,
+        "description": "Checks for common security anti-patterns",
+        "allowed_wildcards": [
+            "autoscaling:Describe*",
+            "cloudwatch:Describe*",
+            "cloudwatch:Get*",
+            "cloudwatch:List*",
+            "dynamodb:Describe*",
+            "ec2:Describe*",
+            "elasticloadbalancing:Describe*",
+            "iam:Get*",
+            "iam:List*",
+            "kms:Describe*",
+            "lambda:Get*",
+            "lambda:List*",
+            "logs:Describe*",
+            "logs:Filter*",
+            "logs:Get*",
+            "rds:Describe*",
+            "route53:Get*",
+            "route53:List*",
+            "s3:Describe*",
+            "s3:GetBucket*",
+            "s3:GetM*",
+            "s3:List*",
+            "sqs:Get*",
+            "sqs:List*",
+            "apigateway:GET",
+        ],
+        "wildcard_action_check": {
+            "enabled": True,
+            "severity": "medium",
+            "message": "Statement allows all actions (*)",
+            "suggestion": "Replace wildcard with specific actions needed for your use case",
+            "example": """Replace:
+  "Action": ["*"]
+
+With specific actions:
+  "Action": [
+    "s3:GetObject",
+    "s3:PutObject",
+    "s3:ListBucket"
+  ]
+""",
+        },
+        "wildcard_resource_check": {
+            "enabled": True,
+            "severity": "medium",
+            "message": "Statement applies to all resources (*)",
+            "suggestion": "Replace wildcard with specific resource ARNs",
+            "example": """Replace:
+  "Resource": "*"
+
+With specific ARNs:
+  "Resource": [
+    "arn:aws:service:region:account-id:resource-type/resource-id",
+    "arn:aws:service:region:account-id:resource-type/*"
+  ]
+""",
+        },
+        "full_wildcard_check": {
+            "enabled": True,
+            "severity": "critical",
+            "message": "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+            "suggestion": "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
+            "example": """Replace:
+  "Action": "*",
+  "Resource": "*"
+
+With specific values:
+  "Action": [
+    "s3:GetObject",
+    "s3:PutObject"
+  ],
+  "Resource": [
+    "arn:aws:s3:::my-bucket/*"
+  ]
+""",
+        },
+        "service_wildcard_check": {
+            "enabled": True,
+            "severity": "high",
+            "allowed_services": ["logs", "cloudwatch", "xray"],
+        },
+        "sensitive_action_check": {
+            "enabled": True,
+            "severity": "medium",
+            "sensitive_actions": [
+                "iam:AddClientIDToOpenIDConnectProvider",
+                "iam:AttachRolePolicy",
+                "iam:AttachUserPolicy",
+                "iam:CreateAccessKey",
+                "iam:CreateOpenIDConnectProvider",
+                "iam:CreatePolicyVersion",
+                "iam:CreateRole",
+                "iam:CreateSAMLProvider",
+                "iam:CreateUser",
+                "iam:DeleteAccessKey",
+                "iam:DeleteLoginProfile",
+                "iam:DeleteOpenIDConnectProvider",
+                "iam:DeleteRole",
+                "iam:DeleteRolePolicy",
+                "iam:DeleteSAMLProvider",
+                "iam:DeleteUser",
+                "iam:DeleteUserPolicy",
+                "iam:DetachRolePolicy",
+                "iam:DetachUserPolicy",
+                "iam:PutRolePolicy",
+                "iam:PutUserPolicy",
+                "iam:SetDefaultPolicyVersion",
+                "iam:UpdateAccessKey",
+                "iam:UpdateAssumeRolePolicy",
+                "kms:DisableKey",
+                "kms:PutKeyPolicy",
+                "kms:ScheduleKeyDeletion",
+                "secretsmanager:DeleteSecret",
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:PutSecretValue",
+                "ssm:DeleteParameter",
+                "ssm:PutParameter",
+                "ec2:DeleteSnapshot",
+                "ec2:DeleteVolume",
+                "ec2:DeleteVpc",
+                "ec2:ModifyInstanceAttribute",
+                "ec2:TerminateInstances",
+                "ecr:DeleteRepository",
+                "ecs:DeleteCluster",
+                "ecs:DeleteService",
+                "eks:DeleteCluster",
+                "lambda:DeleteFunction",
+                "lambda:DeleteFunctionConcurrency",
+                "lambda:PutFunctionConcurrency",
+                "dynamodb:DeleteTable",
+                "efs:DeleteFileSystem",
+                "elasticache:DeleteCacheCluster",
+                "fsx:DeleteFileSystem",
+                "rds:DeleteDBCluster",
+                "rds:DeleteDBInstance",
+                "redshift:DeleteCluster",
+                "backup:DeleteBackupVault",
+                "glacier:DeleteArchive",
+                "s3:DeleteBucket",
+                "s3:DeleteBucketPolicy",
+                "s3:DeleteObject",
+                "s3:PutBucketPolicy",
+                "s3:PutLifecycleConfiguration",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DisassociateRouteTable",
+                "ec2:RevokeSecurityGroupEgress",
+                "cloudtrail:DeleteTrail",
+                "cloudtrail:StopLogging",
+                "cloudwatch:DeleteLogGroup",
+                "config:DeleteConfigurationRecorder",
+                "guardduty:DeleteDetector",
+                "account:CloseAccount",
+                "account:CreateAccount",
+                "organizations:LeaveOrganization",
+                "organizations:RemoveAccountFromOrganization",
+            ],
+            "sensitive_action_patterns": ["^iam:Delete.*"],
+        },
+    },
+    "action_condition_enforcement_check": {
+        "enabled": True,
+        "severity": "high",
+        "description": "Enforce specific IAM condition requirements (unified: MFA, IP, tags, etc.)",
+        "action_condition_requirements": [
+            {
+                "actions": ["iam:PassRole"],
+                "action_patterns": ["^iam:Pas?.*$"],
+                "severity": "high",
+                "required_conditions": [
+                    {
+                        "condition_key": "iam:PassedToService",
+                        "description": "Specify which AWS services are allowed to use the passed role to prevent privilege escalation",
+                        "example": """"Condition": {
+  "StringEquals": {
+    "iam:PassedToService": [
+      "lambda.amazonaws.com",
+      "ecs-tasks.amazonaws.com",
+      "ec2.amazonaws.com",
+      "glue.amazonaws.com",
+      "lambda.amazonaws.com"
+    ]
+  }
+}
+""",
+                    },
+                ],
+            },
+            {
+                "actions": [
+                    "iam:Create*",
+                    "iam:CreateRole",
+                    "iam:Put*Policy*",
+                    "iam:PutUserPolicy",
+                    "iam:PutRolePolicy",
+                    "iam:Attach*Policy*",
+                    "iam:AttachUserPolicy",
+                    "iam:AttachRolePolicy",
+                ],
+                "action_patterns": ["^iam:Create", "^iam:Put.*Policy", "^iam:Attach.*Policy"],
+                "severity": "high",
+                "required_conditions": [
+                    {
+                        "condition_key": "iam:PermissionsBoundary",
+                        "description": "Require permissions boundary for sensitive IAM operations to prevent privilege escalation",
+                        "expected_value": "arn:aws:iam::*:policy/DeveloperBoundary",
+                        "example": """# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
+"Condition": {
+  "StringEquals": {
+    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
+  }
+}
+""",
+                    },
+                ],
+            },
+            {
+                "action_patterns": [
+                    "^ssm:StartSession$",
+                    "^ssm:Run.*$",
+                    "^s3:GetObject$",
+                    "^rds-db:Connect$",
+                ],
+                "severity": "low",
+                "required_conditions": [
+                    {
+                        "condition_key": "aws:SourceIp",
+                        "description": "Restrict access to corporate IP ranges",
+                        "example": """"Condition": {
+  "IpAddress": {
+    "aws:SourceIp": [
+      "10.0.0.0/8",
+      "172.16.0.0/12"
+    ]
+  }
+}
+""",
+                    },
+                ],
+            },
+        ],
+    },
+}
+
+
+def get_default_config() -> dict:
+    """
+    Get a deep copy of the default configuration.
+
+    Returns:
+        A deep copy of the default configuration dictionary
+    """
+    import copy
+
+    return copy.deepcopy(DEFAULT_CONFIG)

iam_validator/core/formatters/__init__.py

@@ -7,6 +7,7 @@ from iam_validator.core.formatters.base import (
 )
 from iam_validator.core.formatters.console import ConsoleFormatter
 from iam_validator.core.formatters.csv import CSVFormatter
+from iam_validator.core.formatters.enhanced import EnhancedFormatter
 from iam_validator.core.formatters.html import HTMLFormatter
 from iam_validator.core.formatters.json import JSONFormatter
 from iam_validator.core.formatters.markdown import MarkdownFormatter
@@ -17,6 +18,7 @@ __all__ = [
     "FormatterRegistry",
     "get_global_registry",
     "ConsoleFormatter",
+    "EnhancedFormatter",
     "JSONFormatter",
     "MarkdownFormatter",
     "SARIFFormatter",

iam_validator/core/formatters/console.py

@@ -1,11 +1,15 @@
-"""Console formatter - placeholder for existing functionality."""
+"""Console formatter - Classic console output using report.py."""
+
+from io import StringIO
+
+from rich.console import Console
 
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import ValidationReport
 
 
 class ConsoleFormatter(OutputFormatter):
-    """Console formatter using Rich library."""
+    """Classic console formatter - uses the standard report.py print_console_report output."""
 
     @property
     def format_id(self) -> str:
@@ -13,10 +17,43 @@ class ConsoleFormatter(OutputFormatter):
 
     @property
     def description(self) -> str:
-        return "Rich console output with colors and tables"
+        return "Classic console output with colors and tables"
 
     def format(self, report: ValidationReport, **kwargs) -> str:
-        """Format for console output."""
-        # This would integrate with existing Rich console output
-        # from iam_validator.core.report module
-        return "Console output (uses Rich library for terminal display)"
+        """Format validation report using the classic console output from report.py.
+
+        This delegates to the ReportGenerator.print_console_report method,
+        capturing its output to return as a string.
+
+        Args:
+            report: Validation report to format
+            **kwargs: Additional options (color: bool = True)
+
+        Returns:
+            Formatted string with classic console output
+        """
+        # Import here to avoid circular dependency
+        from iam_validator.core.report import ReportGenerator
+
+        # Allow disabling color for plain text output
+        color = kwargs.get("color", True)
+
+        # Capture the output from print_console_report
+        string_buffer = StringIO()
+        console = Console(file=string_buffer, force_terminal=color, width=120)
+
+        # Create a generator instance with our custom console
+        generator = ReportGenerator()
+
+        # Replace the console temporarily to capture output
+        original_console = generator.console
+        generator.console = console
+
+        # Call the actual print_console_report method
+        generator.print_console_report(report)
+
+        # Restore original console
+        generator.console = original_console
+
+        # Return captured output
+        return string_buffer.getvalue()

iam_validator/core/formatters/csv.py

@@ -68,9 +68,14 @@ class CSVFormatter(OutputFormatter):
         writer.writerow(["Summary Statistics"])
         writer.writerow(["Metric", "Value"])
         writer.writerow(["Total Policies", report.total_policies])
-        writer.writerow(["Valid Policies", report.valid_policies])
-        writer.writerow(["Invalid Policies", report.invalid_policies])
+        writer.writerow(["Valid Policies (IAM)", report.valid_policies])
+        writer.writerow(["Invalid Policies (IAM)", report.invalid_policies])
+        writer.writerow(["Policies with Security Findings", report.policies_with_security_issues])
         writer.writerow(["Total Issues", report.total_issues])
+        writer.writerow(["Validity Issues", report.validity_issues])
+        writer.writerow(["Security Issues", report.security_issues])
+        writer.writerow([""])
+        writer.writerow(["Legacy Severity Breakdown"])
         writer.writerow(["Errors", errors])
         writer.writerow(["Warnings", warnings])
         writer.writerow(["Info", infos])