iam-policy-validator 1.10.2__py3-none-any.whl → 1.10.3__py3-none-any.whl

{iam_policy_validator-1.10.2.dist-info → iam_policy_validator-1.10.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.10.2
+Version: 1.10.3
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs

{iam_policy_validator-1.10.2.dist-info → iam_policy_validator-1.10.3.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=Fz08JonmD1dXoibF83ZYkSo1e0IWJO9aJ4iIAfq64mI,374
+iam_validator/__version__.py,sha256=UMITyOhvLRTs5TZWk4U4b0IKHWjVN05qKIVWOKq-Gx8,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
 iam_validator/checks/action_condition_enforcement.py,sha256=0dCH_xX-Xc0uLxtNeRjrpNjWYbdWQRzO1XNcLTSn6sI,51698
 iam_validator/checks/action_resource_matching.py,sha256=WiGJmCIJfx5yituMjZxpKmk-99N6nK20ueN02ddy9oM,19296
@@ -20,7 +20,7 @@ iam_validator/checks/set_operator_validation.py,sha256=FyxZ7qWlp9-ABzZaRRkxRP_Hw
 iam_validator/checks/sid_uniqueness.py,sha256=vfpk88b9G9OApxtrotABI2mPXvGd_C_X4gJKeqIURlk,5968
 iam_validator/checks/trust_policy_validation.py,sha256=a8Sm2xu3gFOHLd7rXDl-ibqiLEmg5c-dyWv1lK2i6HA,17816
 iam_validator/checks/wildcard_action.py,sha256=CyURgURDt2fQT2468LK813RupQ3WWvpmvLVLjUZf9QQ,1960
-iam_validator/checks/wildcard_resource.py,sha256=AidyyKMQL3PxLI6Zd-iFiiI6BnvSle4ATLwDXUmV3jQ,5404
+iam_validator/checks/wildcard_resource.py,sha256=lRNZN7f3ZQrvnbGdVDCefUQF8lESIMoXVfhIgpln3mM,6679
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
@@ -61,7 +61,7 @@ iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rn
 iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
 iam_validator/core/config/condition_requirements.py,sha256=qauIP73HFnOw1dchUeFpg1x7Y7QWkILo3GfxV_dxdQo,7696
 iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
-iam_validator/core/config/defaults.py,sha256=qpFP534dgCQ-vjCdhkK7ZslDoTm9Ftgy20qmYZsSYUI,28637
+iam_validator/core/config/defaults.py,sha256=bI0MC3x7q6TVDxJxFs0MeyVRMmANGyfOOdvOWQQAuKc,30103
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -89,8 +89,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.10.2.dist-info/METADATA,sha256=t5vzMawKVACC8uFWNJznjMBvw4xX9T7z1EduP8HbAQA,19070
-iam_policy_validator-1.10.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.10.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.10.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.10.2.dist-info/RECORD,,
+iam_policy_validator-1.10.3.dist-info/METADATA,sha256=TNwd0AdEvphwtPx0E8AoHsNNyYzTcl6QUDT6dRqqyEE,19070
+iam_policy_validator-1.10.3.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.10.3.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.10.3.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.10.3.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.10.2"
+__version__ = "1.10.3"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/wildcard_resource.py

@@ -39,22 +39,44 @@ class WildcardResourceCheck(PolicyCheck):
             # to all matching AWS actions using the AWS API, then checking if the policy's
             # actions are in that expanded list. This ensures only validated AWS actions
             # are allowed with Resource: "*".
+            allowed_wildcards_config = config.config.get("allowed_wildcards", [])
             allowed_wildcards_expanded = await self._get_expanded_allowed_wildcards(config, fetcher)
 
             # Check if ALL actions (excluding full wildcard "*") are in the expanded list
             non_wildcard_actions = [a for a in actions if a != "*"]
 
-            if allowed_wildcards_expanded and non_wildcard_actions:
-                # Check if all actions are in the expanded allowed list (exact match)
-                all_actions_allowed = all(
-                    action in allowed_wildcards_expanded for action in non_wildcard_actions
+            if (allowed_wildcards_config or allowed_wildcards_expanded) and non_wildcard_actions:
+                # Strategy 1: Check literal pattern match (fast path)
+                # If policy action matches config pattern literally, allow it
+                # Example: Policy has "iam:Get*", config has "iam:Get*" -> match
+                all_actions_allowed_literal = all(
+                    action in allowed_wildcards_config for action in non_wildcard_actions
                 )
 
-                # If all actions are in the expanded list, skip the wildcard resource warning
-                if all_actions_allowed:
-                    # All actions are safe, Resource: "*" is acceptable
+                if all_actions_allowed_literal:
+                    # All actions match literally, Resource: "*" is acceptable
                     return issues
 
+                # Strategy 2: Check expanded pattern match (comprehensive path)
+                # Expand both policy actions and config patterns, then compare
+                # Example: Policy has "iam:Get*" -> ["iam:GetUser", ...],
+                #          config has "iam:Get*" -> ["iam:GetUser", ...] -> all match
+                if allowed_wildcards_expanded:
+                    expanded_statement_actions = await expand_wildcard_actions(
+                        non_wildcard_actions, fetcher
+                    )
+
+                    # Check if all expanded actions are in the expanded allowed list (exact match)
+                    all_actions_allowed_expanded = all(
+                        action in allowed_wildcards_expanded
+                        for action in expanded_statement_actions
+                    )
+
+                    # If all actions are in the expanded list, skip the wildcard resource warning
+                    if all_actions_allowed_expanded:
+                        # All actions are safe, Resource: "*" is acceptable
+                        return issues
+
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
             message = config.config.get(
                 "message", 'Statement applies to all resources `"*"` (wildcard resource).'

iam_validator/core/config/defaults.py

@@ -344,13 +344,41 @@ DEFAULT_CONFIG = {
     # Check for wildcard resources (Resource: "*")
     # Flags statements that apply to all resources
     # Exception: Allowed if ALL actions are in allowed_wildcards list
+    #
+    # DUAL MATCHING STRATEGY:
+    # The check uses two complementary matching strategies for maximum flexibility:
+    #
+    # 1. LITERAL MATCH (Fast Path - no AWS API calls):
+    #    Policy actions match config patterns exactly as strings
+    #    Example: Policy "iam:Get*" matches config "iam:Get*" → PASS
+    #
+    # 2. EXPANDED MATCH (Comprehensive Path - uses AWS API):
+    #    Both policy actions and config patterns expand to actual AWS actions
+    #    Example: Policy "iam:GetUser" matches config "iam:Get*" (expanded) → PASS
+    #
+    # SUPPORTED SCENARIOS:
+    #   Policy Action         Config Pattern        Match Type   Result
+    #   iam:Get*              iam:Get*              Literal      ✅ Pass
+    #   iam:GetUser           iam:Get*              Expanded     ✅ Pass
+    #   iam:Get*, iam:List*   iam:Get*, iam:List*   Literal      ✅ Pass
+    #   iam:Get*, iam:GetUser iam:Get*              Literal      ✅ Pass
+    #   iam:Delete*           iam:Get*              None         ❌ Fail
+    #
+    # PERFORMANCE TIP: Literal matching is faster (no AWS API expansion)
     "wildcard_resource": {
         "enabled": True,
         "severity": "medium",  # Security issue
         "description": "Checks for wildcard resources (*)",
         # Allowed wildcard patterns for actions that can be used with Resource: "*"
+        # Supports BOTH literal matching and pattern expansion via AWS API
+        #
         # Default: 25 read-only patterns (Describe*, List*, Get*)
         # See: iam_validator/core/config/wildcards.py
+        #
+        # Examples:
+        #   ["ec2:Describe*"]  # Matches: ec2:Describe* (literal) OR ec2:DescribeInstances (expanded)
+        #   ["iam:GetUser"]    # Matches: iam:GetUser only
+        #   ["s3:List*"]       # Matches: s3:List* (literal) OR s3:ListBucket (expanded)
         "allowed_wildcards": list(DEFAULT_ALLOWED_WILDCARDS),
         "message": "Statement applies to all resources (*)",
         "suggestion": "Replace wildcard with specific resource ARNs",