iam-policy-validator 1.0.4__tar.gz → 1.1.0__tar.gz



Files changed (138) hide show
  1. iam_policy_validator-1.1.0/.python-version +1 -0
  2. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/CONTRIBUTING.md +41 -31
  3. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/DOCS.md +388 -189
  4. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/Makefile +7 -1
  5. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/PKG-INFO +88 -10
  6. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/README.md +87 -9
  7. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/action.yaml +3 -3
  8. iam_policy_validator-1.0.4/iam-validator.yaml → iam_policy_validator-1.1.0/default-config.yaml +98 -12
  9. iam_policy_validator-1.1.0/docs/configuration.md +220 -0
  10. iam_policy_validator-1.1.0/docs/custom-checks.md +558 -0
  11. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/insecure_policy.json +7 -1
  12. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/action_condition_enforcement.py +112 -28
  13. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/security_best_practices.py +103 -12
  14. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/commands/validate.py +7 -5
  15. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/config_loader.py +39 -3
  16. iam_policy_validator-1.1.0/iam_validator/core/defaults.py +304 -0
  17. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/__init__.py +2 -0
  18. iam_policy_validator-1.1.0/iam_validator/core/formatters/console.py +59 -0
  19. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/csv.py +7 -2
  20. iam_policy_validator-1.1.0/iam_validator/core/formatters/enhanced.py +428 -0
  21. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/html.py +127 -37
  22. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/markdown.py +10 -2
  23. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/models.py +30 -6
  24. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/report.py +104 -25
  25. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/pyproject.toml +1 -1
  26. iam_policy_validator-1.1.0/scripts/sync_defaults_from_yaml.py +204 -0
  27. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_config_loader.py +19 -10
  28. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_models.py +8 -2
  29. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/uv.lock +1 -1
  30. iam_policy_validator-1.0.4/.python-version +0 -1
  31. iam_policy_validator-1.0.4/iam_validator/core/formatters/console.py +0 -22
  32. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/.github/dependabot.yml +0 -0
  33. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/.github/workflows/ci.yml +0 -0
  34. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/.github/workflows/release.yml +0 -0
  35. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/.gitignore +0 -0
  36. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/LICENSE +0 -0
  37. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/docs/README.md +0 -0
  38. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/docs/development/PUBLISHING.md +0 -0
  39. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/README.md +0 -0
  40. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/access-analyzer/example1.json +0 -0
  41. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/access-analyzer/example2.json +0 -0
  42. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/action-condition-enforcement-advanced.yaml +0 -0
  43. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/config-privilege-escalation.yaml +0 -0
  44. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/custom-business-rules.yaml +0 -0
  45. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/custom-wildcard-config.yaml +0 -0
  46. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/none_of_example.yaml +0 -0
  47. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/configs/unified-condition-enforcement.yaml +0 -0
  48. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/README.md +0 -0
  49. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/advanced_multi_condition_validator.py +0 -0
  50. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/cross_account_external_id_check.py +0 -0
  51. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/domain_restriction_check.py +0 -0
  52. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/encryption_required_check.py +0 -0
  53. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/mfa_required_check.py +0 -0
  54. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/region_restriction_check.py +0 -0
  55. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/tag_enforcement_check.py +0 -0
  56. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/custom_checks/time_based_access_check.py +0 -0
  57. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/README.md +0 -0
  58. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/access-analyzer-only.yaml +0 -0
  59. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/action-examples.md +0 -0
  60. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/basic-validation.yaml +0 -0
  61. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/custom-policy-checks.yml +0 -0
  62. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/multi-region-validation.yaml +0 -0
  63. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/resource-policy-validation.yaml +0 -0
  64. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/sequential-validation.yaml +0 -0
  65. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/github-actions/two-step-validation.yaml +0 -0
  66. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/README-privilege-escalation.md +0 -0
  67. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/api_gateway_management.json +0 -0
  68. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/athena_query_access.json +0 -0
  69. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/backup_vault_access.json +0 -0
  70. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/cloudformation_deployer.json +0 -0
  71. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/cloudwatch_monitoring.json +0 -0
  72. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/cognito_user_pool.json +0 -0
  73. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/dynamodb_table_access.json +0 -0
  74. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/ecs_task_execution.json +0 -0
  75. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/eventbridge_rules.json +0 -0
  76. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/glue_etl_jobs.json +0 -0
  77. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/invalid_policy.json +0 -0
  78. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/kms_encryption_keys.json +0 -0
  79. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/lambda_developer.json +0 -0
  80. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/maximum_size_policy.json +0 -0
  81. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/policy_missing_required_tags.json +0 -0
  82. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/policy_tag_enforcement_example.json +0 -0
  83. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/policy_with_wildcard_resources.json +0 -0
  84. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/privilege_escalation_scattered.json +0 -0
  85. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/rds_database_admin.json +0 -0
  86. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/sample_policy.json +0 -0
  87. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/secrets_manager_access.json +0 -0
  88. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/sns_sqs_messaging.json +0 -0
  89. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/step_functions_workflow.json +0 -0
  90. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/test_none_of_valid.json +0 -0
  91. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/test_none_of_violations.json +0 -0
  92. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/examples/policies/test-cases/wildcard_examples.json +0 -0
  93. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/__init__.py +0 -0
  94. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/__main__.py +0 -0
  95. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/__version__.py +0 -0
  96. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/__init__.py +0 -0
  97. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/action_validation.py +0 -0
  98. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/condition_key_validation.py +0 -0
  99. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/policy_size.py +0 -0
  100. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/resource_validation.py +0 -0
  101. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/checks/sid_uniqueness.py +0 -0
  102. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/commands/__init__.py +0 -0
  103. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/commands/analyze.py +0 -0
  104. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/commands/base.py +0 -0
  105. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/commands/post_to_pr.py +0 -0
  106. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/__init__.py +0 -0
  107. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/access_analyzer.py +0 -0
  108. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/access_analyzer_report.py +0 -0
  109. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/aws_fetcher.py +0 -0
  110. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/aws_global_conditions.py +0 -0
  111. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/check_registry.py +0 -0
  112. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/cli.py +0 -0
  113. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/base.py +0 -0
  114. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/json.py +0 -0
  115. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/formatters/sarif.py +0 -0
  116. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/policy_checks.py +0 -0
  117. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/policy_loader.py +0 -0
  118. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/core/pr_commenter.py +0 -0
  119. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/integrations/__init__.py +0 -0
  120. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/integrations/github_integration.py +0 -0
  121. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/iam_validator/integrations/ms_teams.py +0 -0
  122. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/README.md +0 -0
  123. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/__init__.py +0 -0
  124. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_action_condition_enforcement.py +0 -0
  125. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_action_validation_check.py +0 -0
  126. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_aws_fetcher_wildcards.py +0 -0
  127. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_aws_global_conditions.py +0 -0
  128. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_check_registry.py +0 -0
  129. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_comment_truncation.py +0 -0
  130. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_condition_key_validation_check.py +0 -0
  131. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_custom_policy_checks.py +0 -0
  132. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_multipart_comments.py +0 -0
  133. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_policy_loader.py +0 -0
  134. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_policy_size_check.py +0 -0
  135. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_resource_validation_check.py +0 -0
  136. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_security_best_practices.py +0 -0
  137. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_sid_uniqueness_check.py +0 -0
  138. {iam_policy_validator-1.0.4 → iam_policy_validator-1.1.0}/tests/test_wildcard_allowlist.py +0 -0
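--- /dev/null
+++ b/iam_policy_validator-1.1.0/.python-version
@@ -0,0 +1 @@
+3.12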
@@ -132,7 +132,7 @@ iam-policy-auditor/
132
132
  ├── .github/workflows/ # CI/CD workflows
133
133
  ├── pyproject.toml # Project metadata and dependencies
134
134
  ├── Makefile # Development commands
135
- └── iam-validator.yaml # Default configuration
135
+ └── default-config.yaml # Example configuration file
136
136
  ```
137
137
 
138
138
  ## Development Workflow
@@ -400,49 +400,59 @@ For detailed publishing instructions, see [docs/development/PUBLISHING.md](docs/
400
400
 
401
401
  ### Creating a New Check
402
402
 
403
- 1. **Create Check Class**
403
+ See the comprehensive [Custom Checks Guide](docs/custom-checks.md) for detailed instructions on creating custom validation checks.
404
+
405
+ **Quick Example:**
406
+
407
+ 1. **Create Check File**
404
408
  ```python
405
- # iam_validator/checks/my_check.py
409
+ # my_checks/mfa_check.py
406
410
  from typing import List
407
- from iam_validator.core.models import PolicyCheck, Statement, ValidationIssue
408
-
409
- class MyCustomCheck(PolicyCheck):
410
- @property
411
- def check_id(self) -> str:
412
- return "my_custom_check"
413
-
414
- @property
415
- def description(self) -> str:
416
- return "Description of what this check does"
417
-
418
- async def execute(
419
- self,
420
- statement: Statement,
421
- statement_idx: int,
422
- fetcher,
423
- config
424
- ) -> List[ValidationIssue]:
425
- # Implement your check logic
426
- issues = []
427
- # ... check logic ...
428
- return issues
411
+ from iam_validator.core.models import PolicyValidationIssue, PolicyStatement
412
+
413
+ def execute(statement: PolicyStatement, policy_document: dict) -> List[PolicyValidationIssue]:
414
+ """Ensure sensitive actions require MFA."""
415
+ issues = []
416
+
417
+ sensitive_actions = ["iam:CreateUser", "iam:DeleteUser"]
418
+ actions = statement.action if isinstance(statement.action, list) else [statement.action]
419
+
420
+ for action in actions:
421
+ if action in sensitive_actions:
422
+ # Check for MFA condition
423
+ has_mfa = statement.condition and "aws:MultiFactorAuthPresent" in str(statement.condition)
424
+
425
+ if not has_mfa:
426
+ issues.append(
427
+ PolicyValidationIssue(
428
+ check_name="mfa_required",
429
+ severity="high",
430
+ message=f"Action '{action}' requires MFA",
431
+ statement_index=statement.index,
432
+ action=action,
433
+ suggestion='Add: {"Bool": {"aws:MultiFactorAuthPresent": "true"}}'
434
+ )
435
+ )
436
+
437
+ return issues
429
438
  ```
430
439
 
431
- 2. **Register the Check**
432
- - Check is auto-discovered if in `checks/` directory
433
- - Or register manually in configuration
440
+ 2. **Use the Check**
441
+ ```bash
442
+ iam-validator validate --path ./policies/ --custom-checks-dir ./my_checks
443
+ ```
434
444
 
435
445
  3. **Add Tests**
436
446
  ```python
437
447
  # tests/test_my_check.py
438
- def test_my_custom_check():
448
+ def test_mfa_check():
439
449
  # Test your check
440
450
  pass
441
451
  ```
442
452
 
443
453
  4. **Document the Check**
444
- - Add to `docs/reference/CHECKS.md`
445
- - Add example to `examples/`
454
+ - Add to `docs/custom-checks.md`
455
+ - Add example to `examples/custom_checks/`
446
456
 
447
457
  ### Adding a New Formatter
448
458