iam-policy-validator 1.1.0__py3-none-any.whl → 1.1.1__py3-none-any.whl

iam_validator/core/defaults.py

@@ -37,8 +37,7 @@ DEFAULT_CONFIG = {
         "enable_builtin_checks": True,
         "parallel_execution": True,
         "cache_enabled": True,
-        "cache_directory": ".cache/aws_services",
-        "cache_ttl_hours": 24,
+        "cache_ttl_hours": 168,
         "fail_on_severity": ["error", "critical"],
     },
     "sid_uniqueness_check": {
@@ -56,12 +55,11 @@ DEFAULT_CONFIG = {
         "enabled": True,
         "severity": "error",
         "description": "Validates that actions exist in AWS services",
-        "disable_wildcard_warnings": True,
     },
     "condition_key_validation_check": {
         "enabled": True,
         "severity": "error",
-        "description": "Validates condition keys against AWS service definitions",
+        "description": "Validates condition keys against AWS service definitions for specified actions",
         "validate_aws_global_keys": True,
     },
     "resource_validation_check": {
@@ -70,9 +68,41 @@ DEFAULT_CONFIG = {
         "description": "Validates ARN format for resources",
         "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
     },
+    "action_resource_constraint_check": {
+        "enabled": True,
+        "severity": "error",
+        "description": "Validates that actions without required resource types use Resource: '*'",
+    },
     "security_best_practices_check": {
         "enabled": True,
         "description": "Checks for common security anti-patterns",
+        "allowed_wildcards": [
+            "autoscaling:Describe*",
+            "cloudwatch:Describe*",
+            "cloudwatch:Get*",
+            "cloudwatch:List*",
+            "dynamodb:Describe*",
+            "ec2:Describe*",
+            "elasticloadbalancing:Describe*",
+            "iam:Get*",
+            "iam:List*",
+            "kms:Describe*",
+            "lambda:Get*",
+            "lambda:List*",
+            "logs:Describe*",
+            "logs:Filter*",
+            "logs:Get*",
+            "rds:Describe*",
+            "route53:Get*",
+            "route53:List*",
+            "s3:Describe*",
+            "s3:GetBucket*",
+            "s3:GetM*",
+            "s3:List*",
+            "sqs:Get*",
+            "sqs:List*",
+            "apigateway:GET",
+        ],
         "wildcard_action_check": {
             "enabled": True,
             "severity": "medium",
@@ -126,29 +156,83 @@ With specific values:
         "service_wildcard_check": {
             "enabled": True,
             "severity": "high",
-            "allowed_services": ["logs", "cloudwatch"],
+            "allowed_services": ["logs", "cloudwatch", "xray"],
         },
         "sensitive_action_check": {
             "enabled": True,
             "severity": "medium",
             "sensitive_actions": [
-                "iam:CreateUser",
-                "iam:CreateRole",
-                "iam:PutUserPolicy",
-                "iam:PutRolePolicy",
-                "iam:AttachUserPolicy",
+                "iam:AddClientIDToOpenIDConnectProvider",
                 "iam:AttachRolePolicy",
+                "iam:AttachUserPolicy",
                 "iam:CreateAccessKey",
-                "iam:DeleteUser",
+                "iam:CreateOpenIDConnectProvider",
+                "iam:CreatePolicyVersion",
+                "iam:CreateRole",
+                "iam:CreateSAMLProvider",
+                "iam:CreateUser",
+                "iam:DeleteAccessKey",
+                "iam:DeleteLoginProfile",
+                "iam:DeleteOpenIDConnectProvider",
                 "iam:DeleteRole",
-                "s3:DeleteBucket",
-                "s3:PutBucketPolicy",
-                "s3:DeleteBucketPolicy",
-                "ec2:TerminateInstances",
+                "iam:DeleteRolePolicy",
+                "iam:DeleteSAMLProvider",
+                "iam:DeleteUser",
+                "iam:DeleteUserPolicy",
+                "iam:DetachRolePolicy",
+                "iam:DetachUserPolicy",
+                "iam:PutRolePolicy",
+                "iam:PutUserPolicy",
+                "iam:SetDefaultPolicyVersion",
+                "iam:UpdateAccessKey",
+                "iam:UpdateAssumeRolePolicy",
+                "kms:DisableKey",
+                "kms:PutKeyPolicy",
+                "kms:ScheduleKeyDeletion",
+                "secretsmanager:DeleteSecret",
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:PutSecretValue",
+                "ssm:DeleteParameter",
+                "ssm:PutParameter",
+                "ec2:DeleteSnapshot",
                 "ec2:DeleteVolume",
-                "rds:DeleteDBInstance",
-                "lambda:DeleteFunction",
+                "ec2:DeleteVpc",
+                "ec2:ModifyInstanceAttribute",
+                "ec2:TerminateInstances",
+                "ecr:DeleteRepository",
+                "ecs:DeleteCluster",
+                "ecs:DeleteService",
                 "eks:DeleteCluster",
+                "lambda:DeleteFunction",
+                "lambda:DeleteFunctionConcurrency",
+                "lambda:PutFunctionConcurrency",
+                "dynamodb:DeleteTable",
+                "efs:DeleteFileSystem",
+                "elasticache:DeleteCacheCluster",
+                "fsx:DeleteFileSystem",
+                "rds:DeleteDBCluster",
+                "rds:DeleteDBInstance",
+                "redshift:DeleteCluster",
+                "backup:DeleteBackupVault",
+                "glacier:DeleteArchive",
+                "s3:DeleteBucket",
+                "s3:DeleteBucketPolicy",
+                "s3:DeleteObject",
+                "s3:PutBucketPolicy",
+                "s3:PutLifecycleConfiguration",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:DeleteSecurityGroup",
+                "ec2:DisassociateRouteTable",
+                "ec2:RevokeSecurityGroupEgress",
+                "cloudtrail:DeleteTrail",
+                "cloudtrail:StopLogging",
+                "cloudwatch:DeleteLogGroup",
+                "config:DeleteConfigurationRecorder",
+                "guardduty:DeleteDetector",
+                "account:CloseAccount",
+                "account:CreateAccount",
+                "organizations:LeaveOrganization",
+                "organizations:RemoveAccountFromOrganization",
             ],
             "sensitive_action_patterns": ["^iam:Delete.*"],
         },
@@ -209,25 +293,14 @@ With specific values:
                     },
                 ],
             },
-            {
-                "actions": ["s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:PutBucketPolicy"],
-                "severity": "high",
-                "required_conditions": [
-                    {
-                        "condition_key": "aws:MultiFactorAuthPresent",
-                        "description": "Require MFA for S3 destructive operations",
-                        "expected_value": True,
-                    },
-                ],
-            },
             {
                 "action_patterns": [
                     "^ssm:StartSession$",
                     "^ssm:Run.*$",
                     "^s3:GetObject$",
-                    "^rds:.*$",
+                    "^rds-db:Connect$",
                 ],
-                "severity": "medium",
+                "severity": "low",
                 "required_conditions": [
                     {
                         "condition_key": "aws:SourceIp",
@@ -244,49 +317,6 @@ With specific values:
                     },
                 ],
             },
-            {
-                "actions": ["ec2:RunInstances"],
-                "required_conditions": {
-                    "all_of": [
-                        {
-                            "condition_key": "aws:ResourceTag/owner",
-                            "operator": "StringEquals",
-                            "expected_value": "${aws:PrincipalTag/owner}",
-                            "description": "Resource owner must match the principal's owner tag",
-                        },
-                        {
-                            "condition_key": "aws:RequestTag/env",
-                            "operator": "StringEquals",
-                            "expected_value": [
-                                "prod",
-                                "pre",
-                                "dev",
-                                "sandbox",
-                            ],
-                            "description": "Must specify a valid Environment tag",
-                        },
-                    ],
-                },
-            },
-            {
-                "action_patterns": ["^rds:Create.*", "^rds:Modify.*"],
-                "required_conditions": {
-                    "all_of": [
-                        {
-                            "condition_key": "aws:RequestTag/DataClassification",
-                            "description": "Must specify data classification",
-                        },
-                        {
-                            "condition_key": "aws:RequestTag/BackupPolicy",
-                            "description": "Must specify backup policy",
-                        },
-                        {
-                            "condition_key": "aws:RequestTag/Owner",
-                            "description": "Must specify resource owner",
-                        },
-                    ],
-                },
-            },
         ],
     },
 }

iam_validator/core/formatters/enhanced.py

@@ -9,6 +9,7 @@ from rich.table import Table
 from rich.text import Text
 from rich.tree import Tree
 
+from iam_validator.__version__ import __version__
 from iam_validator.core.formatters.base import OutputFormatter
 from iam_validator.core.models import PolicyValidationResult, ValidationReport
 
@@ -49,7 +50,11 @@ class EnhancedFormatter(OutputFormatter):
 
         # Header with title
         console.print()
-        title = Text("IAM Policy Validation Report", style="bold cyan", justify="center")
+        title = Text(
+            f"IAM Policy Validation Report (v{__version__})",
+            style="bold cyan",
+            justify="center",
+        )
         console.print(Panel(title, border_style="bright_blue", padding=(1, 0)))
         console.print()
 

iam_validator/core/policy_checks.py

@@ -474,7 +474,18 @@ async def validate_policies(
     """
     if not use_registry:
         # Legacy path - use old PolicyValidator
-        async with AWSServiceFetcher() as fetcher:
+        # Load config for cache settings even in legacy mode
+        from iam_validator.core.config_loader import ConfigLoader
+
+        config = ConfigLoader.load_config(explicit_path=config_path, allow_missing=True)
+        cache_enabled = config.get_setting("cache_enabled", True)
+        cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)
+        cache_directory = config.get_setting("cache_directory", None)
+        cache_ttl_seconds = cache_ttl_hours * 3600
+
+        async with AWSServiceFetcher(
+            enable_cache=cache_enabled, cache_ttl=cache_ttl_seconds, cache_dir=cache_directory
+        ) as fetcher:
             validator = PolicyValidator(fetcher)
 
             tasks = [validator.validate_policy(policy, file_path) for file_path, policy in policies]
@@ -530,8 +541,16 @@ async def validate_policies(
     # Get fail_on_severity setting from config
     fail_on_severities = config.get_setting("fail_on_severity", ["error"])
 
+    # Get cache settings from config
+    cache_enabled = config.get_setting("cache_enabled", True)
+    cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)  # 7 days default
+    cache_directory = config.get_setting("cache_directory", None)
+    cache_ttl_seconds = cache_ttl_hours * 3600
+
     # Validate policies using registry
-    async with AWSServiceFetcher() as fetcher:
+    async with AWSServiceFetcher(
+        enable_cache=cache_enabled, cache_ttl=cache_ttl_seconds, cache_dir=cache_directory
+    ) as fetcher:
         tasks = [
             _validate_policy_with_registry(policy, file_path, registry, fetcher, fail_on_severities)
             for file_path, policy in policies

iam_validator/core/report.py

@@ -11,6 +11,7 @@ from rich.panel import Panel
 from rich.table import Table
 from rich.text import Text
 
+from iam_validator.__version__ import __version__
 from iam_validator.core.formatters import (
     ConsoleFormatter,
     CSVFormatter,
@@ -143,7 +144,13 @@ class ReportGenerator:
             summary_text.append(")")
         summary_text.append("\n")
 
-        self.console.print(Panel(summary_text, title="Validation Summary", border_style="blue"))
+        self.console.print(
+            Panel(
+                summary_text,
+                title=f"Validation Summary (iam-validator v{__version__})",
+                border_style="blue",
+            )
+        )
 
         # Detailed results
         for result in report.results: