iam-policy-validator 1.1.2__py3-none-any.whl → 1.3.0__py3-none-any.whl

{iam_policy_validator-1.1.2.dist-info → iam_policy_validator-1.3.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.1.2
+Version: 1.3.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -42,47 +42,129 @@ Description-Content-Type: text/markdown
 
 # IAM Policy Validator
 
-A high-performance GitHub Action and Python CLI tool that validates AWS IAM policies for correctness and security by checking against the official AWS Service Reference API.
-
-## ✨ Features
-
-### Core Validation
-- **Real-time Validation**: Validates IAM actions against AWS's official service reference API
-- **AWS IAM Access Analyzer Integration**: Validate policies using AWS's official policy validation service
-- **Custom Policy Checks**: Verify policies don't grant specific actions, check for new access, and detect public exposure (29+ resource types supported)
-- **Condition Key Checking**: Verifies that condition keys are valid for each action
-- **ARN Format Validation**: Ensures resource ARNs follow proper AWS format with compiled regex patterns
-- **Security Best Practices**: Identifies overly permissive policies and security risks
-
-### Performance Enhancements
-- **Service Pre-fetching**: Common AWS services cached at startup for faster validation
-- **LRU Memory Cache**: Recently accessed services cached with TTL support
-- **Request Coalescing**: Duplicate API requests automatically deduplicated
-- **Parallel Check Execution**: Multiple validation checks run concurrently
-- **HTTP/2 Support**: Multiplexed connections for better API performance
-- **Optimized Connection Pool**: 20 keepalive connections, 50 max connections
-
-### GitHub Integration
-- **PR Comments**: Post detailed validation reports as PR comments
-- **Line-Specific Reviews**: Add review comments on exact policy lines
-- **Label Management**: Automatically add/remove PR labels based on results
-- **Commit Status**: Set commit status to pass/fail based on validation
-- **Comment Updates**: Update existing comments instead of creating duplicates
-
-### Output Formats
-- **Console** (default): Clean terminal output with colors and tables
-- **Enhanced**: Modern visual output with progress bars, tree structure, and rich visuals
-- **JSON**: Structured format for programmatic processing
-- **Markdown**: GitHub-flavored markdown for PR comments
-- **SARIF**: GitHub code scanning integration format
-- **CSV**: Spreadsheet-compatible format for analysis
-- **HTML**: Interactive reports with filtering and search
-
-### Extensibility
-- **Plugin System**: Easy-to-add custom validation checks
-- **Middleware Support**: Cross-cutting concerns like caching, timing, error handling
-- **Formatter Registry**: Pluggable output format system
-- **Configuration-Driven**: YAML-based configuration for all aspects
+> **Catch IAM policy errors before they reach production** - A comprehensive security and validation tool for AWS IAM policies that combines AWS's official Access Analyzer with powerful custom security checks.
+
+[![GitHub Actions](https://img.shields.io/badge/GitHub%20Actions-Ready-blue)](https://github.com/marketplace/actions/iam-policy-validator)
+[![Python 3.12+](https://img.shields.io/badge/python-3.12+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+## 🚀 Why IAM Policy Validator?
+
+**IAM policy errors are costly and dangerous.** A single misconfigured policy can:
+- ❌ Grant unintended admin access (privilege escalation)
+- ❌ Expose sensitive data to the public
+- ❌ Break production deployments with invalid syntax
+- ❌ Create security vulnerabilities that persist for months
+
+**This tool prevents these issues** by:
+- ✅ **Validating early** - Catch errors in PRs before merge
+- ✅ **Comprehensive checks** - AWS Access Analyzer + 15+ security checks
+- ✅ **Smart filtering** - Auto-detects IAM policies from mixed JSON/YAML files
+- ✅ **Developer-friendly** - Clear error messages with fix suggestions
+- ✅ **Zero setup** - Works as a GitHub Action out of the box
+
+## ✨ Key Features
+
+### 🔍 Multi-Layer Validation
+- **AWS IAM Access Analyzer** - Official AWS validation (syntax, permissions, security)
+- **Custom Security Checks** - 15+ specialized checks for best practices
+- **Policy Comparison** - Detect new permissions vs baseline (prevent scope creep)
+- **Public Access Detection** - Check 29+ AWS resource types for public exposure
+- **Privilege Escalation Detection** - Identify dangerous action combinations
+
+### 🎯 Smart & Efficient
+- **Automatic IAM Policy Detection** - Scans mixed repos, filters non-IAM files automatically
+- **Wildcard Expansion** - Expands `s3:Get*` patterns to validate specific actions
+- **Offline Validation** - Download AWS service definitions for air-gapped environments
+- **JSON + YAML Support** - Native support for both formats
+- **Streaming Mode** - Memory-efficient processing for large policy sets
+
+### ⚡ Performance Optimized
+- **Service Pre-fetching** - Common AWS services cached at startup (faster validation)
+- **LRU Memory Cache** - Recently accessed services cached with TTL
+- **Request Coalescing** - Duplicate API requests automatically deduplicated
+- **Parallel Execution** - Multiple checks run concurrently
+- **HTTP/2 Support** - Multiplexed connections for better API performance
+
+### 📊 Output Formats
+- **Console** (default) - Clean terminal output with colors and tables
+- **Enhanced** - Modern visual output with progress bars and tree structure
+- **JSON** - Structured format for programmatic processing
+- **Markdown** - GitHub-flavored markdown for PR comments
+- **SARIF** - GitHub code scanning integration format
+- **CSV** - Spreadsheet-compatible for analysis
+- **HTML** - Interactive reports with filtering and search
+
+### 🔌 Extensibility
+- **Plugin System** - Easy-to-add custom validation checks
+- **Configuration-Driven** - YAML-based configuration for all aspects
+- **CI/CD Ready** - GitHub Actions, GitLab CI, Jenkins, CircleCI
+
+## 📈 Real-World Impact
+
+### Common IAM Policy Issues This Tool Catches
+
+**Before IAM Policy Validator:**
+```json
+{
+  "Statement": [{
+    "Effect": "Allow",
+    "Action": "s3:*",            // ❌ Too permissive
+    "Resource": "*"              // ❌ All buckets!
+  }]
+}
+```
+**Issue:** Grants full S3 access to ALL buckets (data breach risk)
+
+**After IAM Policy Validator:**
+```
+❌ MEDIUM: Statement applies to all resources (*)
+❌ HIGH: Wildcard action 's3:*' with resource '*' is overly permissive
+💡 Suggestion: Specify exact actions and bucket ARNs
+```
+
+### Privilege Escalation Detection
+
+**Dangerous combination across multiple statements:**
+```json
+{
+  "Statement": [
+    {"Action": "iam:CreateUser"},      // Seems innocent
+    {"Action": "iam:AttachUserPolicy"} // Also seems innocent
+  ]
+}
+```
+
+**What the validator catches:**
+```
+🚨 CRITICAL: Privilege escalation risk detected!
+Actions ['iam:CreateUser', 'iam:AttachUserPolicy'] allow:
+  1. Create new IAM user
+  2. Attach AdministratorAccess policy to that user
+  3. Gain full AWS account access
+
+💡 Add conditions or separate these permissions
+```
+
+### Public Access Prevention
+
+**Before merge:**
+```json
+{
+  "Principal": "*",  // ❌ Anyone on the internet!
+  "Action": "s3:GetObject",
+  "Resource": "arn:aws:s3:::my-private-data/*"
+}
+```
+
+**Blocked by validator:**
+```
+🛑 CRITICAL: Resource policy allows public access
+29 resource types checked: AWS::S3::Bucket
+Principal "*" grants internet-wide access to private data
+
+💡 Use specific AWS principals or add IP restrictions
+```
 
 ## Quick Start
 
@@ -387,27 +469,56 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 
 ### GitHub Action Inputs
 
-| Input                         | Description                                                            | Required | Default           |
-| ----------------------------- | ---------------------------------------------------------------------- | -------- | ----------------- |
-| `path`                        | Path(s) to IAM policy file or directory (newline-separated)            | Yes      | -                 |
-| `config-file`                 | Path to custom configuration file (iam-validator.yaml)                 | No       | ""                |
-| `fail-on-warnings`            | Fail validation if warnings are found                                  | No       | `false`           |
-| `post-comment`                | Post validation results as PR comment                                  | No       | `true`            |
-| `create-review`               | Create line-specific review comments on PR                             | No       | `true`            |
-| `format`                      | Output format (console, enhanced, json, markdown, sarif, csv, html)    | No       | `console`         |
-| `output-file`                 | Path to save output file                                               | No       | ""                |
-| `recursive`                   | Recursively search directories for policy files                        | No       | `true`            |
-| `use-access-analyzer`         | Use AWS IAM Access Analyzer for validation                             | No       | `false`           |
-| `access-analyzer-region`      | AWS region for Access Analyzer                                         | No       | `us-east-1`       |
-| `policy-type`                 | Policy type (IDENTITY_POLICY, RESOURCE_POLICY, SERVICE_CONTROL_POLICY) | No       | `IDENTITY_POLICY` |
-| `run-all-checks`              | Run custom checks after Access Analyzer                                | No       | `false`           |
-| `check-access-not-granted`    | Actions that should NOT be granted (space-separated)                   | No       | ""                |
-| `check-access-resources`      | Resources to check with check-access-not-granted                       | No       | ""                |
-| `check-no-new-access`         | Path to baseline policy to compare against                             | No       | ""                |
-| `check-no-public-access`      | Check that resource policies do not allow public access                | No       | `false`           |
-| `public-access-resource-type` | Resource type(s) for public access check                               | No       | `AWS::S3::Bucket` |
-
-See [examples/github-actions/](examples/github-actions/) for more workflow examples.
+#### Core Options
+| Input              | Description                                                 | Required | Default |
+| ------------------ | ----------------------------------------------------------- | -------- | ------- |
+| `path`             | Path(s) to IAM policy file or directory (newline-separated) | Yes      | -       |
+| `config-file`      | Path to custom configuration file (.yaml)                   | No       | `""`    |
+| `fail-on-warnings` | Fail validation if warnings are found                       | No       | `false` |
+| `recursive`        | Recursively search directories for policy files             | No       | `true`  |
+
+#### GitHub Integration
+| Input           | Description                                | Required | Default |
+| --------------- | ------------------------------------------ | -------- | ------- |
+| `post-comment`  | Post validation results as PR comment      | No       | `true`  |
+| `create-review` | Create line-specific review comments on PR | No       | `true`  |
+
+#### Output Options
+| Input         | Description                                                                      | Required | Default   |
+| ------------- | -------------------------------------------------------------------------------- | -------- | --------- |
+| `format`      | Output format: `console`, `enhanced`, `json`, `markdown`, `sarif`, `csv`, `html` | No       | `console` |
+| `output-file` | Path to save output file (for non-console formats)                               | No       | `""`      |
+
+#### AWS Access Analyzer
+| Input                    | Description                                                                 | Required | Default           |
+| ------------------------ | --------------------------------------------------------------------------- | -------- | ----------------- |
+| `use-access-analyzer`    | Use AWS IAM Access Analyzer for validation                                  | No       | `false`           |
+| `access-analyzer-region` | AWS region for Access Analyzer                                              | No       | `us-east-1`       |
+| `policy-type`            | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY` | No       | `IDENTITY_POLICY` |
+| `run-all-checks`         | Run custom checks after Access Analyzer (sequential mode)                   | No       | `false`           |
+
+#### Custom Policy Checks (Access Analyzer)
+| Input                         | Description                                                                 | Required | Default           |
+| ----------------------------- | --------------------------------------------------------------------------- | -------- | ----------------- |
+| `check-access-not-granted`    | Actions that should NOT be granted (space-separated, max 100)               | No       | `""`              |
+| `check-access-resources`      | Resources to check with check-access-not-granted (space-separated, max 100) | No       | `""`              |
+| `check-no-new-access`         | Path to baseline policy to compare against (detect new permissions)         | No       | `""`              |
+| `check-no-public-access`      | Check that resource policies do not allow public access                     | No       | `false`           |
+| `public-access-resource-type` | Resource type(s) for public access check (29+ types supported, or `all`)    | No       | `AWS::S3::Bucket` |
+
+#### Advanced Options
+| Input               | Description                                                    | Required | Default   |
+| ------------------- | -------------------------------------------------------------- | -------- | --------- |
+| `custom-checks-dir` | Path to directory containing custom validation checks          | No       | `""`      |
+| `log-level`         | Logging level: `debug`, `info`, `warning`, `error`, `critical` | No       | `warning` |
+
+**💡 Pro Tips:**
+- Use `custom-checks-dir` to add organization-specific validation rules
+- Set `log-level: debug` when troubleshooting workflow issues
+- Configure `aws-services-dir` in your config file for offline validation
+- The action automatically filters IAM policies from mixed JSON/YAML files
+
+See [examples/github-actions/](examples/github-actions/) for 8 ready-to-use workflow examples.
 
 ### As a CLI Tool
 
@@ -712,7 +823,8 @@ The comprehensive [DOCS.md](DOCS.md) file contains everything you need:
   - [GitHub Actions Workflows](examples/github-actions/)
   - [Custom Checks](examples/custom_checks/)
   - [Configuration Files](examples/configs/)
-  - [Sample Policies](examples/policies/)
+  - [Test IAM Policies](examples/iam-test-policies/)
+- **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation
 - **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines
 - **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process
 

{iam_policy_validator-1.1.2.dist-info → iam_policy_validator-1.3.0.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=Gnq5VxEcBl7XBv8aQLOpUL1P1P6Gnsze4sf794FzMWs,206
+iam_validator/__version__.py,sha256=BOzo0kDxoue17MkZOqACxqP9TwbfCJhkzZuMsC5TMac,206
 iam_validator/checks/__init__.py,sha256=eKTPgiZ1i3zvyP6OdKgLx9s3u69onITMYifmJPJwZgM,968
 iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
 iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
@@ -8,37 +8,38 @@ iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV4
 iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
 iam_validator/checks/policy_size.py,sha256=4cvZiWRJXGuvYo8PRcdD1Py_ZL8Xw0lOJfXTs6EX-_I,5753
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/security_best_practices.py,sha256=-gqxtcx_cUV1ZnyZ8Flydwan1vxb-RmnanWoIlU6YyY,21711
-iam_validator/checks/sid_uniqueness.py,sha256=7S8RtVJgYPTKgr7gSEmxgT0oIGkSoXN6iu0ALHbcSfw,5015
+iam_validator/checks/security_best_practices.py,sha256=uf3ZAhBkyN8ka9bZHWi2kkAGIibhqWMIF06DBXsgu9U,23093
+iam_validator/checks/sid_uniqueness.py,sha256=U2Kk5lYi9mHhhTpCWAD0ZQfxcLnIJJa7KGC5nOzTEbY,5145
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=VlTpgjMnympYa28kOdm6xRIUL2P87rOvm1O2NdnjtVI,8900
-iam_validator/checks/utils/wildcard_expansion.py,sha256=L6AWrLRacqXqk9k-5ZmXv5HyoAyz98cg5AlTvzH2tTI,3158
-iam_validator/commands/__init__.py,sha256=lF0fSUukLSxTAvhjg-0P79YMseYwihIr_tmQYbfNgcY,425
+iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
+iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
-iam_validator/commands/cache.py,sha256=1E-irKF3e2CFUEG9s1z64hIKLVSYFQ-L92ld6L3za5g,14368
+iam_validator/commands/cache.py,sha256=NHfbIDWI8tj-3o-4fIZJQS-Vvd9bxIH3Lk6kBtNuiUU,14212
+iam_validator/commands/download_services.py,sha256=anRcobOuhkiEmHpwW_AJb1e2ifgkgYAO2-b9-JBrBcg,9152
 iam_validator/commands/post_to_pr.py,sha256=hl_K-XlELYN-ArjMdgQqysvIE-26yf9XdrMl4ToDwG0,2148
 iam_validator/commands/validate.py,sha256=R295cOTly8n7zL1jfvbh9RuCgiM5edBqbf6YMn_4G9A,14013
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
-iam_validator/core/aws_fetcher.py,sha256=P7fYX1Q1TICuTOlGaqH97U3m8B0bqGE9jP7cxfmny8k,27418
+iam_validator/core/aws_fetcher.py,sha256=6W4ixYEMx4Y5bx9rCB65CDqZh7iUVANAvhFVHu0MOKQ,32654
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
 iam_validator/core/check_registry.py,sha256=wxqaF2t_3lWgT6x7_PnnZ8XGjHKUxUk72UlmdYBLFyo,15679
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/config_loader.py,sha256=Pq2rd6LJtEZET0ZeW4hEZS2ZRLC5gNRsKbtLyIsT21I,16516
-iam_validator/core/defaults.py,sha256=sPQJUMyjv4yalGCuyQhlY42rDc_-BZLq6qS0GgoP4mc,11893
+iam_validator/core/defaults.py,sha256=tp8MPrFicRvI0dp8yH95MzJ9tC33n0N92aUC3HMkmYc,13289
 iam_validator/core/models.py,sha256=rWIZnD-I81Sg4asgOhnB10FWJC5mxQ2JO9bdS0sHb4Q,10772
-iam_validator/core/policy_checks.py,sha256=vIzRkqf5k1BB0elry5a4E2SRBlp6Vz3jPqrav29k3PM,24842
+iam_validator/core/policy_checks.py,sha256=pMlZ2XkuqppVOUZq__e8w_yGoy7lIHjAB5RiTXwJo4Q,25114
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
 iam_validator/core/pr_commenter.py,sha256=TOhVXKTFcRHQ9EVuShXQcKXn9aNjB1mU6FnR2jvltmw,10581
-iam_validator/core/report.py,sha256=wPkLvsIej-AaW5FlqntvUuHuEMvyi2iBI6NQF496gCM,33064
+iam_validator/core/report.py,sha256=Yeh_u9jQvTyDV3ignyPcWEQVfFcxNZNrxf4T0fjeWb4,33283
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
 iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
 iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
-iam_validator/core/formatters/enhanced.py,sha256=k_DwzhGTARUKMv4bjkaCrpI6ypT10z9LcSk8gKlyDIM,16547
+iam_validator/core/formatters/enhanced.py,sha256=-W9JACV4FNVWoWtfVxXLla4d__Gg96SASbNAijpJnT0,16638
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
 iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
@@ -46,8 +47,8 @@ iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkS
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.1.2.dist-info/METADATA,sha256=mjrd4ODBydvBtCh_0Ztq0-FqQTNunBpEdIrDQ-5RXos,25144
-iam_policy_validator-1.1.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.1.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.1.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.1.2.dist-info/RECORD,,
+iam_policy_validator-1.3.0.dist-info/METADATA,sha256=FOWdp3xcENWJmZJtZ8lQlg53Bd6-8v9RpdBLKVvEY3Q,29136
+iam_policy_validator-1.3.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.3.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.3.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.3.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.1.2"
+__version__ = "1.3.0"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/security_best_practices.py

@@ -7,10 +7,7 @@ from iam_validator.checks.utils.sensitive_action_matcher import (
     DEFAULT_SENSITIVE_ACTIONS,
     check_sensitive_actions,
 )
-from iam_validator.checks.utils.wildcard_expansion import (
-    compile_wildcard_pattern,
-    expand_wildcard_actions,
-)
+from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
@@ -86,22 +83,26 @@ class SecurityBestPracticesCheck(PolicyCheck):
         if self._is_sub_check_enabled(config, "wildcard_resource_check"):
             if "*" in resources:
                 # Check if all actions are in the allowed_wildcards list
-                # This allows Resource: "*" when only safe read-only wildcard actions are used
-                allowed_wildcards = self._get_allowed_wildcards_for_resources(config)
+                # allowed_wildcards works by expanding wildcard patterns (like "ec2:Describe*")
+                # to all matching AWS actions using the AWS API, then checking if the policy's
+                # actions are in that expanded list. This ensures only validated AWS actions
+                # are allowed with Resource: "*".
+                allowed_wildcards_expanded = await self._get_expanded_allowed_wildcards(
+                    config, fetcher
+                )
 
-                # Check if ALL actions (excluding full wildcard "*") match allowed patterns
+                # Check if ALL actions (excluding full wildcard "*") are in the expanded list
                 non_wildcard_actions = [a for a in actions if a != "*"]
 
-                if allowed_wildcards and non_wildcard_actions:
-                    # Check if all actions are allowed wildcards
+                if allowed_wildcards_expanded and non_wildcard_actions:
+                    # Check if all actions are in the expanded allowed list (exact match)
                     all_actions_allowed = all(
-                        self._is_action_allowed_wildcard(action, allowed_wildcards)
-                        for action in non_wildcard_actions
+                        action in allowed_wildcards_expanded for action in non_wildcard_actions
                     )
 
-                    # If all actions are in the allowed list, skip the wildcard resource warning
+                    # If all actions are in the expanded list, skip the wildcard resource warning
                     if all_actions_allowed:
-                        # All actions are safe wildcards, Resource: "*" is acceptable
+                        # All actions are safe, Resource: "*" is acceptable
                         pass
                     else:
                         # Some actions are not in allowed list, flag the issue
@@ -443,45 +444,6 @@ class SecurityBestPracticesCheck(PolicyCheck):
 
         return set()
 
-    def _is_action_allowed_wildcard(
-        self, action: str, allowed_wildcards: frozenset[str] | list[str] | set[str]
-    ) -> bool:
-        """Check if an action matches the allowed_wildcards list.
-
-        This method checks if a given action is in the allowed_wildcards configuration
-        from action_validation_check. This is used to determine if wildcard resources
-        are acceptable when only safe wildcard actions are used.
-
-        Args:
-            action: The action to check (e.g., "s3:List*", "ec2:DescribeInstances")
-            allowed_wildcards: Set or list of allowed wildcard patterns
-
-        Returns:
-            True if the action matches any pattern in the allowlist
-
-        Note:
-            Exact matches use O(1) set lookup for performance.
-            Pattern matches (wildcards in allowlist) require O(n) iteration.
-        """
-        # Fast O(1) exact match using set membership
-        if action in allowed_wildcards:
-            return True
-
-        # Pattern match - check if action matches any pattern in allowlist
-        # This is needed when allowlist contains wildcards like "s3:*"
-        # Uses cached compiled patterns for 20-30x speedup
-        for pattern in allowed_wildcards:
-            # Skip exact matches (already checked above)
-            if "*" not in pattern:
-                continue
-
-            # Use cached compiled pattern
-            compiled = compile_wildcard_pattern(pattern)
-            if compiled.match(action):
-                return True
-
-        return False
-
     def _get_allowed_wildcards_for_resources(self, config: CheckConfig) -> frozenset[str]:
         """Get allowed_wildcards for resource check configuration.
 
@@ -513,3 +475,61 @@ class SecurityBestPracticesCheck(PolicyCheck):
 
         # No configuration found, return empty set (flag all Resource: "*")
         return frozenset()
+
+    async def _get_expanded_allowed_wildcards(
+        self, config: CheckConfig, fetcher: AWSServiceFetcher
+    ) -> frozenset[str]:
+        """Get and expand allowed_wildcards configuration.
+
+        This method retrieves wildcard patterns from the allowed_wildcards config
+        and expands them using the AWS API to get all matching actual AWS actions.
+
+        How it works:
+        1. Retrieves patterns from config (e.g., ["ec2:Describe*", "s3:List*"])
+        2. Expands each pattern using AWS API:
+           - "ec2:Describe*" → ["ec2:DescribeInstances", "ec2:DescribeImages", ...]
+           - "s3:List*" → ["s3:ListBucket", "s3:ListObjects", ...]
+        3. Returns a set of all expanded actions
+
+        This allows you to:
+        - Specify patterns like "ec2:Describe*" in config
+        - Have the validator allow specific actions like "ec2:DescribeInstances" with Resource: "*"
+        - Ensure only real AWS actions (validated via API) are allowed
+
+        Example:
+            Config: allowed_wildcards: ["ec2:Describe*"]
+            Expands to: ["ec2:DescribeInstances", "ec2:DescribeImages", ...]
+            Policy: "Action": ["ec2:DescribeInstances"], "Resource": "*"
+            Result: ✅ Allowed (ec2:DescribeInstances is in expanded list)
+
+        Args:
+            config: The check configuration
+            fetcher: AWS service fetcher for expanding wildcards via AWS API
+
+        Returns:
+            A frozenset of all expanded action names from the configured patterns
+        """
+        # Check wildcard_resource_check first for override
+        sub_check_config = config.config.get("wildcard_resource_check", {})
+        patterns_to_expand: list[str] = []
+
+        if isinstance(sub_check_config, dict) and "allowed_wildcards" in sub_check_config:
+            # Explicitly configured in wildcard_resource_check (override)
+            patterns = sub_check_config.get("allowed_wildcards", [])
+            if isinstance(patterns, list):
+                patterns_to_expand = patterns
+        else:
+            # Fall back to parent security_best_practices_check's allowed_wildcards
+            parent_patterns = config.config.get("allowed_wildcards", [])
+            if isinstance(parent_patterns, list):
+                patterns_to_expand = parent_patterns
+
+        # If no patterns configured, return empty set
+        if not patterns_to_expand:
+            return frozenset()
+
+        # Expand the wildcard patterns using the AWS API
+        # This converts patterns like "ec2:Describe*" to actual AWS actions
+        expanded_actions = await expand_wildcard_actions(patterns_to_expand, fetcher)
+
+        return frozenset(expanded_actions)

iam_validator/checks/sid_uniqueness.py

@@ -46,13 +46,15 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
         # (the first occurrence is "original", subsequent ones are "duplicates")
         for idx in indices[1:]:
             statement = policy.statement[idx]
+            # Convert to 1-indexed statement numbers for user-facing message
+            statement_numbers = ", ".join(f"#{i + 1}" for i in indices)
             issues.append(
                 ValidationIssue(
                     severity=severity,
                     statement_sid=duplicate_sid,
                     statement_index=idx,
                     issue_type="duplicate_sid",
-                    message=f"Statement ID '{duplicate_sid}' is used {count} times in this policy (found in statements {', '.join(f'[{i}]' for i in indices)})",
+                    message=f"Statement ID '{duplicate_sid}' is used {count} times in this policy (found in statements {statement_numbers})",
                     suggestion="Change this SID to a unique value. Statement IDs help identify and reference specific statements, so duplicates can cause confusion.",
                     line_number=statement.line_number,
                 )

iam_validator/checks/utils/wildcard_expansion.py

@@ -30,9 +30,7 @@ def compile_wildcard_pattern(pattern: str) -> Pattern[str]:
     return re.compile(regex_pattern, re.IGNORECASE)
 
 
-async def expand_wildcard_actions(
-    actions: list[str], fetcher: AWSServiceFetcher
-) -> list[str]:
+async def expand_wildcard_actions(actions: list[str], fetcher: AWSServiceFetcher) -> list[str]:
     """
     Expand wildcard actions to their actual action names using AWS API.
 

iam_validator/commands/__init__.py

@@ -2,6 +2,7 @@
 
 from .analyze import AnalyzeCommand
 from .cache import CacheCommand
+from .download_services import DownloadServicesCommand
 from .post_to_pr import PostToPRCommand
 from .validate import ValidateCommand
 
@@ -11,6 +12,14 @@ ALL_COMMANDS = [
     PostToPRCommand(),
     AnalyzeCommand(),
     CacheCommand(),
+    DownloadServicesCommand(),
 ]
 
-__all__ = ["ValidateCommand", "PostToPRCommand", "AnalyzeCommand", "CacheCommand", "ALL_COMMANDS"]
+__all__ = [
+    "ValidateCommand",
+    "PostToPRCommand",
+    "AnalyzeCommand",
+    "CacheCommand",
+    "DownloadServicesCommand",
+    "ALL_COMMANDS",
+]

iam_validator/commands/cache.py

@@ -223,12 +223,7 @@ Examples:
             size = f.stat().st_size
             mtime = f.stat().st_mtime
 
-            services.append({
-                "name": name,
-                "size": size,
-                "file": f.name,
-                "mtime": mtime
-            })
+            services.append({"name": name, "size": size, "file": f.name, "mtime": mtime})
 
         # Sort by service name
         services.sort(key=lambda x: x["name"])
@@ -256,12 +251,7 @@ Examples:
             size_kb = svc["size"] / 1024
             cached_time = datetime.fromtimestamp(svc["mtime"]).strftime("%Y-%m-%d %H:%M")
 
-            table.add_row(
-                svc["name"],
-                svc["file"],
-                f"{size_kb:.1f} KB",
-                cached_time
-            )
+            table.add_row(svc["name"], svc["file"], f"{size_kb:.1f} KB", cached_time)
 
         console.print(table)
 

iam_validator/commands/download_services.py

@@ -0,0 +1,260 @@
+"""Download AWS service definitions command."""
+
+import argparse
+import asyncio
+import json
+import logging
+from datetime import datetime, timezone
+from pathlib import Path
+
+import httpx
+from rich.console import Console
+from rich.progress import (
+    BarColumn,
+    Progress,
+    TaskID,
+    TextColumn,
+    TimeRemainingColumn,
+)
+
+from iam_validator.commands.base import Command
+
+logger = logging.getLogger(__name__)
+console = Console()
+
+BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+DEFAULT_OUTPUT_DIR = Path("aws_services")
+
+
+class DownloadServicesCommand(Command):
+    """Download all AWS service definition JSON files."""
+
+    @property
+    def name(self) -> str:
+        return "sync-services"
+
+    @property
+    def help(self) -> str:
+        return "Sync/download all AWS service definitions for offline use"
+
+    @property
+    def epilog(self) -> str:
+        return """
+Examples:
+  # Sync all AWS service definitions to default directory (aws_services/)
+  iam-validator sync-services
+
+  # Sync to a custom directory
+  iam-validator sync-services --output-dir /path/to/backup
+
+  # Limit concurrent downloads
+  iam-validator sync-services --max-concurrent 5
+
+  # Enable verbose output
+  iam-validator sync-services --log-level debug
+
+Directory structure:
+  aws_services/
+      _manifest.json         # Metadata about the download
+      _services.json         # List of all services
+      s3.json                # Individual service definitions
+      ec2.json
+      iam.json
+      ...
+
+This command is useful for:
+  - Creating offline backups of AWS service definitions
+  - Avoiding API rate limiting during development
+  - Ensuring consistent service definitions across environments
+"""
+
+    def add_arguments(self, parser: argparse.ArgumentParser) -> None:
+        """Add sync-services command arguments."""
+        parser.add_argument(
+            "--output-dir",
+            type=Path,
+            default=DEFAULT_OUTPUT_DIR,
+            help=f"Output directory for downloaded files (default: {DEFAULT_OUTPUT_DIR})",
+        )
+
+        parser.add_argument(
+            "--max-concurrent",
+            type=int,
+            default=10,
+            help="Maximum number of concurrent downloads (default: 10)",
+        )
+
+    async def execute(self, args: argparse.Namespace) -> int:
+        """Execute the sync-services command."""
+        output_dir = args.output_dir
+        max_concurrent = args.max_concurrent
+
+        try:
+            await self._download_all_services(output_dir, max_concurrent)
+            return 0
+        except Exception as e:
+            console.print(f"[red]Error:[/red] {e}")
+            logger.error(f"Download failed: {e}", exc_info=True)
+            return 1
+
+    async def _download_services_list(self, client: httpx.AsyncClient) -> list[dict]:
+        """Download the list of all AWS services.
+
+        Args:
+            client: HTTP client for making requests
+
+        Returns:
+            List of service info dictionaries
+        """
+        console.print(f"[cyan]Fetching services list from {BASE_URL}...[/cyan]")
+
+        try:
+            response = await client.get(BASE_URL, timeout=30.0)
+            response.raise_for_status()
+            services = response.json()
+
+            console.print(f"[green]✓[/green] Found {len(services)} AWS services")
+            return services
+        except Exception as e:
+            logger.error(f"Failed to fetch services list: {e}")
+            raise
+
+    async def _download_service_detail(
+        self,
+        client: httpx.AsyncClient,
+        service_name: str,
+        service_url: str,
+        semaphore: asyncio.Semaphore,
+        progress: Progress,
+        task_id: TaskID,
+    ) -> tuple[str, dict | None]:
+        """Download detailed JSON for a single service.
+
+        Args:
+            client: HTTP client for making requests
+            service_name: Name of the service
+            service_url: URL to fetch service details
+            semaphore: Semaphore to limit concurrent requests
+            progress: Progress bar instance
+            task_id: Progress task ID
+
+        Returns:
+            Tuple of (service_name, service_data) or (service_name, None) if failed
+        """
+        async with semaphore:
+            try:
+                logger.debug(f"Downloading {service_name}...")
+                response = await client.get(service_url, timeout=30.0)
+                response.raise_for_status()
+                data = response.json()
+                logger.debug(f"✓ Downloaded {service_name}")
+                progress.update(task_id, advance=1)
+                return service_name, data
+            except Exception as e:
+                logger.error(f"✗ Failed to download {service_name}: {e}")
+                progress.update(task_id, advance=1)
+                return service_name, None
+
+    async def _download_all_services(self, output_dir: Path, max_concurrent: int = 10) -> None:
+        """Download all AWS service definitions.
+
+        Args:
+            output_dir: Directory to save the downloaded files
+            max_concurrent: Maximum number of concurrent downloads
+        """
+        # Create output directory
+        output_dir.mkdir(parents=True, exist_ok=True)
+        console.print(f"[cyan]Output directory:[/cyan] {output_dir.absolute()}\n")
+
+        # Create HTTP client with connection pooling
+        async with httpx.AsyncClient(
+            limits=httpx.Limits(max_connections=max_concurrent, max_keepalive_connections=5),
+            timeout=httpx.Timeout(30.0),
+        ) as client:
+            # Download services list
+            services = await self._download_services_list(client)
+
+            # Save services list (underscore prefix for easy discovery at top of directory)
+            services_file = output_dir / "_services.json"
+            with open(services_file, "w") as f:
+                json.dump(services, f, indent=2)
+            console.print(f"[green]✓[/green] Saved services list to {services_file}\n")
+
+            # Download all service details with rate limiting and progress bar
+            semaphore = asyncio.Semaphore(max_concurrent)
+            tasks = []
+
+            # Set up progress bar
+            with Progress(
+                TextColumn("[progress.description]{task.description}"),
+                BarColumn(),
+                TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
+                TextColumn("({task.completed}/{task.total})"),
+                TimeRemainingColumn(),
+                console=console,
+            ) as progress:
+                task_id = progress.add_task(
+                    "[cyan]Downloading service definitions...", total=len(services)
+                )
+
+                for item in services:
+                    service_name = item.get("service")
+                    service_url = item.get("url")
+
+                    if service_name and service_url:
+                        task = self._download_service_detail(
+                            client, service_name, service_url, semaphore, progress, task_id
+                        )
+                        tasks.append(task)
+
+                # Download all services concurrently
+                results = await asyncio.gather(*tasks)
+
+            # Save individual service files
+            successful = 0
+            failed = 0
+
+            console.print("\n[cyan]Saving service definitions...[/cyan]")
+
+            for service_name, data in results:
+                if data is not None:
+                    # Normalize filename (lowercase, safe characters)
+                    filename = f"{service_name.lower().replace(' ', '_')}.json"
+                    service_file = output_dir / filename
+
+                    with open(service_file, "w") as f:
+                        json.dump(data, f, indent=2)
+
+                    successful += 1
+                else:
+                    failed += 1
+
+            # Create manifest with metadata
+            manifest = {
+                "download_date": datetime.now(timezone.utc).isoformat(),
+                "total_services": len(services),
+                "successful_downloads": successful,
+                "failed_downloads": failed,
+                "base_url": BASE_URL,
+            }
+
+            manifest_file = output_dir / "_manifest.json"
+            with open(manifest_file, "w") as f:
+                json.dump(manifest, f, indent=2)
+
+            # Print summary
+            console.print(f"\n{'=' * 60}")
+            console.print("[bold cyan]Download Summary:[/bold cyan]")
+            console.print(f"  Total services: {len(services)}")
+            console.print(f"  [green]Successful:[/green] {successful}")
+            if failed > 0:
+                console.print(f"  [red]Failed:[/red] {failed}")
+            console.print(f"  Output directory: {output_dir.absolute()}")
+            console.print(f"  Manifest: {manifest_file}")
+            console.print(f"{'=' * 60}")
+
+            if failed > 0:
+                console.print(
+                    "\n[yellow]Warning:[/yellow] Some services failed to download. "
+                    "Check the logs for details."
+                )

iam_validator/core/aws_fetcher.py

@@ -182,19 +182,25 @@ class AWSServiceFetcher:
         keepalive_connections: int = 20,
         prefetch_common: bool = True,
         cache_dir: Path | str | None = None,
+        aws_services_dir: Path | str | None = None,
     ):
         """Initialize aws service fetcher.
 
         Args:
             timeout: Request timeout in seconds
-            retries: Number of retry attempts
-            enable_cache: Enable disk caching
-            cache_ttl: Cache time to live in seconds (default: 7 days)
-            memory_cache_size: Max items in memory cache
-            connection_pool_size: Max connections in pool
+            retries: Number of retries for failed requests
+            enable_cache: Enable persistent disk caching
+            cache_ttl: Cache time-to-live in seconds
+            memory_cache_size: Size of in-memory LRU cache
+            connection_pool_size: HTTP connection pool size
             keepalive_connections: Number of keepalive connections
-            prefetch_common: Pre-fetch common services on init
-            cache_dir: Custom cache directory (defaults to platform-specific user cache dir)
+            prefetch_common: Prefetch common AWS services
+            cache_dir: Custom cache directory path
+            aws_services_dir: Directory containing pre-downloaded AWS service JSON files.
+                            When set, the fetcher will load services from local files
+                            instead of making API calls. Directory should contain:
+                            - _services.json: List of all services
+                            - {service}.json: Individual service files (e.g., s3.json)
         """
         self.timeout = timeout
         self.retries = retries
@@ -202,6 +208,14 @@ class AWSServiceFetcher:
         self.cache_ttl = cache_ttl
         self.prefetch_common = prefetch_common
 
+        # AWS services directory for offline mode
+        self.aws_services_dir: Path | None = None
+        if aws_services_dir:
+            self.aws_services_dir = Path(aws_services_dir)
+            if not self.aws_services_dir.exists():
+                raise ValueError(f"AWS services directory does not exist: {aws_services_dir}")
+            logger.info(f"Using local AWS services from: {self.aws_services_dir}")
+
         self._client: httpx.AsyncClient | None = None
         self._memory_cache = LRUCache(maxsize=memory_cache_size, ttl=cache_ttl)
         self._cache_dir = self._get_cache_directory(cache_dir)
@@ -470,8 +484,84 @@ class AWSServiceFetcher:
 
         raise last_exception or Exception(f"Failed to fetch {url} after {self.retries} attempts")
 
+    def _load_services_from_file(self) -> list[ServiceInfo]:
+        """Load services list from local _services.json file.
+
+        Returns:
+            List of ServiceInfo objects loaded from _services.json
+
+        Raises:
+            FileNotFoundError: If _services.json doesn't exist
+            ValueError: If _services.json is invalid
+        """
+        if not self.aws_services_dir:
+            raise ValueError("aws_services_dir is not set")
+
+        services_file = self.aws_services_dir / "_services.json"
+        if not services_file.exists():
+            raise FileNotFoundError(f"_services.json not found in {self.aws_services_dir}")
+
+        try:
+            with open(services_file) as f:
+                data = json.load(f)
+
+            if not isinstance(data, list):
+                raise ValueError("Expected list of services from _services.json")
+
+            services: list[ServiceInfo] = []
+            for item in data:
+                if isinstance(item, dict):
+                    service = item.get("service")
+                    url = item.get("url")
+                    if service and url:
+                        services.append(ServiceInfo(service=str(service), url=str(url)))
+
+            logger.info(f"Loaded {len(services)} services from local file: {services_file}")
+            return services
+
+        except json.JSONDecodeError as e:
+            raise ValueError(f"Invalid JSON in services.json: {e}")
+
+    def _load_service_from_file(self, service_name: str) -> ServiceDetail:
+        """Load service detail from local JSON file.
+
+        Args:
+            service_name: Name of the service (case-insensitive)
+
+        Returns:
+            ServiceDetail object loaded from {service}.json
+
+        Raises:
+            FileNotFoundError: If service JSON file doesn't exist
+            ValueError: If service JSON is invalid
+        """
+        if not self.aws_services_dir:
+            raise ValueError("aws_services_dir is not set")
+
+        # Normalize filename (lowercase, replace spaces with underscores)
+        filename = f"{service_name.lower().replace(' ', '_')}.json"
+        service_file = self.aws_services_dir / filename
+
+        if not service_file.exists():
+            raise FileNotFoundError(f"Service file not found: {service_file}")
+
+        try:
+            with open(service_file) as f:
+                data = json.load(f)
+
+            service_detail = ServiceDetail.model_validate(data)
+            logger.debug(f"Loaded service {service_name} from local file: {service_file}")
+            return service_detail
+
+        except json.JSONDecodeError as e:
+            raise ValueError(f"Invalid JSON in {service_file}: {e}")
+
     async def fetch_services(self) -> list[ServiceInfo]:
-        """Fetch list of AWS services with caching."""
+        """Fetch list of AWS services with caching.
+
+        When aws_services_dir is set, loads from local services.json file.
+        Otherwise, fetches from AWS API.
+        """
         # Check if we have the parsed services list in cache
         services_cache_key = "parsed_services_list"
         cached_services = await self._memory_cache.get(services_cache_key)
@@ -479,7 +569,14 @@ class AWSServiceFetcher:
             logger.debug(f"Retrieved {len(cached_services)} services from parsed cache")
             return cached_services
 
-        # Not in parsed cache, fetch the raw data
+        # Load from local file if aws_services_dir is set
+        if self.aws_services_dir:
+            services = self._load_services_from_file()
+            # Cache the loaded services
+            await self._memory_cache.set(services_cache_key, services)
+            return services
+
+        # Not in parsed cache, fetch the raw data from API
         data = await self._make_request_with_batching(self.BASE_URL)
 
         if not isinstance(data, list):
@@ -501,7 +598,11 @@ class AWSServiceFetcher:
         return services
 
     async def fetch_service_by_name(self, service_name: str) -> ServiceDetail:
-        """Fetch service detail with optimized caching."""
+        """Fetch service detail with optimized caching.
+
+        When aws_services_dir is set, loads from local {service}.json file.
+        Otherwise, fetches from AWS API.
+        """
         # Normalize service name
         service_name_lower = service_name.lower()
 
@@ -512,12 +613,33 @@ class AWSServiceFetcher:
             logger.debug(f"Memory cache hit for service {service_name}")
             return cached_detail
 
-        # Fetch service list and find URL
+        # Load from local file if aws_services_dir is set
+        if self.aws_services_dir:
+            try:
+                service_detail = self._load_service_from_file(service_name_lower)
+                # Cache the loaded service
+                await self._memory_cache.set(cache_key, service_detail)
+                return service_detail
+            except FileNotFoundError:
+                # Try to find the service in services.json to get proper name
+                services = await self.fetch_services()
+                for service in services:
+                    if service.service.lower() == service_name_lower:
+                        # Try with the exact service name from services.json
+                        try:
+                            service_detail = self._load_service_from_file(service.service)
+                            await self._memory_cache.set(cache_key, service_detail)
+                            return service_detail
+                        except FileNotFoundError:
+                            pass
+                raise ValueError(f"Service '{service_name}' not found in {self.aws_services_dir}")
+
+        # Fetch service list and find URL from API
         services = await self.fetch_services()
 
         for service in services:
             if service.service.lower() == service_name_lower:
-                # Fetch service detail
+                # Fetch service detail from API
                 data = await self._make_request_with_batching(service.url)
 
                 # Validate and parse

iam_validator/core/defaults.py

@@ -36,6 +36,7 @@ DEFAULT_CONFIG = {
         "max_concurrent": 10,
         "enable_builtin_checks": True,
         "parallel_execution": True,
+        "aws_services_dir": None,
         "cache_enabled": True,
         "cache_ttl_hours": 168,
         "fail_on_severity": ["error", "critical"],
@@ -161,6 +162,15 @@ With specific values:
         "sensitive_action_check": {
             "enabled": True,
             "severity": "medium",
+            "message_single": "Sensitive action '{action}' should have conditions to limit when it can be used",
+            "message_multiple": "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+            "suggestion": "Add IAM conditions to limit when this action can be used. Consider: ABAC (ResourceTag OR RequestTag must match PrincipalTag), IP restrictions (aws:SourceIp), MFA requirements (aws:MultiFactorAuthPresent), or time-based restrictions (aws:CurrentTime)",
+            "example": """"Condition": {
+  "StringEquals": {
+    "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
+  }
+}
+""",
             "sensitive_actions": [
                 "iam:AddClientIDToOpenIDConnectProvider",
                 "iam:AttachRolePolicy",
@@ -234,7 +244,6 @@ With specific values:
                 "organizations:LeaveOrganization",
                 "organizations:RemoveAccountFromOrganization",
             ],
-            "sensitive_action_patterns": ["^iam:Delete.*"],
         },
     },
     "action_condition_enforcement_check": {
@@ -244,7 +253,6 @@ With specific values:
         "action_condition_requirements": [
             {
                 "actions": ["iam:PassRole"],
-                "action_patterns": ["^iam:Pas?.*$"],
                 "severity": "high",
                 "required_conditions": [
                     {
@@ -267,7 +275,6 @@ With specific values:
             },
             {
                 "actions": [
-                    "iam:Create*",
                     "iam:CreateRole",
                     "iam:Put*Policy*",
                     "iam:PutUserPolicy",
@@ -276,7 +283,6 @@ With specific values:
                     "iam:AttachUserPolicy",
                     "iam:AttachRolePolicy",
                 ],
-                "action_patterns": ["^iam:Create", "^iam:Put.*Policy", "^iam:Attach.*Policy"],
                 "severity": "high",
                 "required_conditions": [
                     {
@@ -293,6 +299,32 @@ With specific values:
                     },
                 ],
             },
+            {
+                "actions": ["s3:PutObject", "s3:DeleteObject", "s3:CreateBucket"],
+                "severity": "medium",
+                "required_conditions": [
+                    {
+                        "condition_key": "aws:ResourceOrgId",
+                        "description": "Require aws:ResourceOrgId condition for S3 write actions to enforce organization-level access control",
+                        "example": """"Condition": {
+  "StringEquals": {
+    "aws:ResourceOrgId": "${aws:PrincipalOrgID}"
+  }
+}
+""",
+                    },
+                ],
+            },
+            {
+                "action_patterns": ["^s3:.*"],
+                "required_conditions": [
+                    {
+                        "condition_key": "aws:SecureTransport",
+                        "description": "Require HTTPS for all S3 operations",
+                        "expected_value": True,
+                    },
+                ],
+            },
             {
                 "action_patterns": [
                     "^ssm:StartSession$",

iam_validator/core/formatters/enhanced.py

@@ -345,10 +345,11 @@ class EnhancedFormatter(OutputFormatter):
 
     def _add_issue_to_tree(self, branch: Tree, issue, color: str) -> None:
         """Add an issue to a tree branch."""
-        # Build location string
-        location = f"Statement {issue.statement_index}"
+        # Build location string (use 1-indexed statement numbers for user-facing output)
+        statement_num = issue.statement_index + 1
+        location = f"Statement {statement_num}"
         if issue.statement_sid:
-            location = f"{issue.statement_sid} (#{issue.statement_index})"
+            location = f"{issue.statement_sid} (#{statement_num})"
         if issue.line_number is not None:
             location += f" @L{issue.line_number}"
 

iam_validator/core/policy_checks.py

@@ -481,10 +481,14 @@ async def validate_policies(
         cache_enabled = config.get_setting("cache_enabled", True)
         cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)
         cache_directory = config.get_setting("cache_directory", None)
+        aws_services_dir = config.get_setting("aws_services_dir", None)
         cache_ttl_seconds = cache_ttl_hours * 3600
 
         async with AWSServiceFetcher(
-            enable_cache=cache_enabled, cache_ttl=cache_ttl_seconds, cache_dir=cache_directory
+            enable_cache=cache_enabled,
+            cache_ttl=cache_ttl_seconds,
+            cache_dir=cache_directory,
+            aws_services_dir=aws_services_dir,
         ) as fetcher:
             validator = PolicyValidator(fetcher)
 
@@ -545,11 +549,15 @@ async def validate_policies(
     cache_enabled = config.get_setting("cache_enabled", True)
     cache_ttl_hours = config.get_setting("cache_ttl_hours", 168)  # 7 days default
     cache_directory = config.get_setting("cache_directory", None)
+    aws_services_dir = config.get_setting("aws_services_dir", None)
     cache_ttl_seconds = cache_ttl_hours * 3600
 
     # Validate policies using registry
     async with AWSServiceFetcher(
-        enable_cache=cache_enabled, cache_ttl=cache_ttl_seconds, cache_dir=cache_directory
+        enable_cache=cache_enabled,
+        cache_ttl=cache_ttl_seconds,
+        cache_dir=cache_directory,
+        aws_services_dir=aws_services_dir,
     ) as fetcher:
         tasks = [
             _validate_policy_with_registry(policy, file_path, registry, fetcher, fail_on_severities)

iam_validator/core/report.py

@@ -195,7 +195,9 @@ class ReportGenerator:
                 "low": "[cyan]LOW[/cyan]",
             }.get(issue.severity, issue.severity.upper())
 
-            location = f"Statement {issue.statement_index}"
+            # Use 1-indexed statement numbers for user-facing output
+            statement_num = issue.statement_index + 1
+            location = f"Statement {statement_num}"
             if issue.statement_sid:
                 location += f" ({issue.statement_sid})"
             if issue.line_number is not None:
@@ -776,9 +778,11 @@ class ReportGenerator:
 
     def _format_issue_markdown(self, issue: ValidationIssue) -> str:
         """Format a single issue as markdown."""
-        location = f"Statement {issue.statement_index}"
+        # Use 1-indexed statement numbers for user-facing output
+        statement_num = issue.statement_index + 1
+        location = f"Statement {statement_num}"
         if issue.statement_sid:
-            location = f"`{issue.statement_sid}` (index {issue.statement_index})"
+            location = f"`{issue.statement_sid}` (statement #{statement_num})"
 
         parts = []