iam-policy-validator 1.10.2__py3-none-any.whl → 1.11.0__py3-none-any.whl

{iam_policy_validator-1.10.2.dist-info → iam_policy_validator-1.11.0.dist-info}/RECORD

@@ -1,8 +1,8 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=Fz08JonmD1dXoibF83ZYkSo1e0IWJO9aJ4iIAfq64mI,374
+iam_validator/__version__.py,sha256=QDfo5_PdJfgisRdaZ8ltIgqPu_z6ugxj636N7IepezA,374
 iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
-iam_validator/checks/action_condition_enforcement.py,sha256=0dCH_xX-Xc0uLxtNeRjrpNjWYbdWQRzO1XNcLTSn6sI,51698
+iam_validator/checks/action_condition_enforcement.py,sha256=6LJfO7DCgf10rtPjaZ5P4fmb5hfxJUBS5w1CrOiCu5Q,52442
 iam_validator/checks/action_resource_matching.py,sha256=WiGJmCIJfx5yituMjZxpKmk-99N6nK20ueN02ddy9oM,19296
 iam_validator/checks/action_validation.py,sha256=QXfNamcstQIO41zNed1-bCmXYkXdV77owu8G2cZ09-A,2517
 iam_validator/checks/condition_key_validation.py,sha256=QJjG82wxvjdG2m-YuEzAjKRRiWaaPkf_LChdUTvm9g4,3919
@@ -14,24 +14,26 @@ iam_validator/checks/policy_structure.py,sha256=9eR8EEcERKcc5n7D3_LmFIQyDNzVV5Me
 iam_validator/checks/policy_type_validation.py,sha256=z4RiAvmPhtrf6Gj3z1Ln4dDFWnFclsokVL7x-YhkMiM,15986
 iam_validator/checks/principal_validation.py,sha256=jusBVEA-sHHft3Kfq_YdvPUgX3cBnxKqC1zhth74kCU,27691
 iam_validator/checks/resource_validation.py,sha256=G_Pfh3WZ6-C3KTk3XPpUKhOESwIO5ISgbsUXc-aK1SE,5988
-iam_validator/checks/sensitive_action.py,sha256=tKvZYjZvpRqRyS-JE1R8BaT3ecahKgghSsIZ9kwxahs,9799
+iam_validator/checks/sensitive_action.py,sha256=ckyb2n47hKuyr1smC4_Q0dkcdngfhaMueyesQcNE_6k,14912
 iam_validator/checks/service_wildcard.py,sha256=ycggiozWm1Z4lkWsDlooMEvRJflzLxZkihQDPZ9G_zw,3949
 iam_validator/checks/set_operator_validation.py,sha256=FyxZ7qWlp9-ABzZaRRkxRP_Hws7Re7qZgeQCCM9sJAM,7258
 iam_validator/checks/sid_uniqueness.py,sha256=vfpk88b9G9OApxtrotABI2mPXvGd_C_X4gJKeqIURlk,5968
 iam_validator/checks/trust_policy_validation.py,sha256=a8Sm2xu3gFOHLd7rXDl-ibqiLEmg5c-dyWv1lK2i6HA,17816
 iam_validator/checks/wildcard_action.py,sha256=CyURgURDt2fQT2468LK813RupQ3WWvpmvLVLjUZf9QQ,1960
-iam_validator/checks/wildcard_resource.py,sha256=AidyyKMQL3PxLI6Zd-iFiiI6BnvSle4ATLwDXUmV3jQ,5404
+iam_validator/checks/wildcard_resource.py,sha256=lRNZN7f3ZQrvnbGdVDCefUQF8lESIMoXVfhIgpln3mM,6679
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
-iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
+iam_validator/checks/utils/policy_level_checks.py,sha256=hZjexXgxuELf-wrO-JwVK8VzP8oRHK3sk0PyaG7QVfI,7070
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
 iam_validator/checks/utils/wildcard_expansion.py,sha256=3W13hlyWcP2wJ6w-BwM887VOnRzglK6Bk3eHMjUtOco,3131
-iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
+iam_validator/commands/__init__.py,sha256=RBEz-Kgt3aRVn_9B1HRy_XgQMIKzlSSQs4Gtg2jQEv8,729
 iam_validator/commands/analyze.py,sha256=rvLBJ5_A3HB530xtixhaIsC19QON68olEQnn8TievgI,20784
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=llfyQzPE5Azd5YcW0ohYcYjF_OCyiQ1GoJQ982t71lQ,14294
+iam_validator/commands/completion.py,sha256=oPUZkY0U3x-DU3bNB0UmdpXxxKibTBB8_TDPcQLWc10,15175
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=cvrgYagYm7W29MYsitZsLcttIIqVKQMRm-bCGY7N3fU,24355
+iam_validator/commands/query.py,sha256=ft8ptWfsNUK4Wprq_A11txdV_chBgqkoAo7SQfzEwK0,17079
+iam_validator/commands/validate.py,sha256=lsiHXjeY1JVKelP5CpIpwMHx1cldmEMLPqCzD-XHvL4,24214
 iam_validator/core/__init__.py,sha256=hYXkSbxplKzhM6dqrVzV4M3k7GKLsZbgExypxKq74gs,376
 iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
 iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
@@ -40,13 +42,14 @@ iam_validator/core/check_registry.py,sha256=oRCdWoCGQ8VZERVYd821u9r5NdKQ9FMC54e6
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
 iam_validator/core/constants.py,sha256=cVBPgbXr4ALltH_NTSKsgBi6wmndLnOyUWhyBx0ZwrM,6113
+iam_validator/core/diff_parser.py,sha256=yjIplHywYWLr2lrGecwYraynmMerTpIjxFHy2a4itsM,11688
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
 iam_validator/core/label_manager.py,sha256=48CRASWg98wyjfVF_1pUzj6dm9itzmG7SeIWf0TSUfc,7502
-iam_validator/core/models.py,sha256=yQ5iBTffdAzx88h8RyVCCmBg6kkD2zg5_lb-qLdjy3w,13386
+iam_validator/core/models.py,sha256=FhQ7fpX6T9AOvHsAPlBZL0NmPuPE_xghD3dp4cAGLZw,13534
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=2KJnXzGg3g9pDXWZHk3DO0xpZnZZ-wXWFEOdQ_naJ8s,17862
-iam_validator/core/pr_commenter.py,sha256=NTKoSmjvspYX2rbl3Xn8d611XkTNSfYlGUY0zBHBP4g,16801
-iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
+iam_validator/core/pr_commenter.py,sha256=vDN9meq861nVpno-GyhGX4wnBE1Z7clCIhv6pq9rZGs,22755
+iam_validator/core/report.py,sha256=BkhBFZHBKuF5WiUqXuNgEpFxcDCnbVRjzIy9qfezxdk,36071
 iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
 iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
 iam_validator/core/aws_service/client.py,sha256=Zv7rIpEFdUCDXKGp3migPDkj8L5eZltgrGe64M2t2Ko,7336
@@ -58,39 +61,40 @@ iam_validator/core/aws_service/validators.py,sha256=L9XRJdGmR-vZ1r0bj5SCznULyKEY
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
 iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
-iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
-iam_validator/core/config/condition_requirements.py,sha256=qauIP73HFnOw1dchUeFpg1x7Y7QWkILo3GfxV_dxdQo,7696
+iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
+iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
 iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
-iam_validator/core/config/defaults.py,sha256=qpFP534dgCQ-vjCdhkK7ZslDoTm9Ftgy20qmYZsSYUI,28637
+iam_validator/core/config/defaults.py,sha256=HYCuVXVRMT-0E8R6g609STFBU_IeMG0fFMHUYXsArAU,34685
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
-iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
+iam_validator/core/config/wildcards.py,sha256=PI7Fmr7oMOkqdn_XJ0ST0U5NOUG6k4qKUEoouKWAPvc,3288
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
 iam_validator/core/formatters/console.py,sha256=FdTp7AzeILCWrUynSvSew8QJKGOMJaAA9_YiQJd-uco,2196
 iam_validator/core/formatters/csv.py,sha256=pPqgvGh4KtD5Qm36xnMaDAavXYR6MlQhs4zbcrxT550,5941
-iam_validator/core/formatters/enhanced.py,sha256=TVtkcTIow8NGoLhG45-5ms-_PTxyxMcAHxf_uPMyKAc,18155
+iam_validator/core/formatters/enhanced.py,sha256=GD7RIAL1hLDAsypCKECwDMGslAx2AaMPbdoW6YZTAlQ,18555
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
 iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=EnrolMq3uZbKWPxUMhYnqcKAfic6Fb8qJzieDruKqsc,26485
+iam_validator/integrations/github_integration.py,sha256=hvAmoNLn4r9eglBw9KTnm4E-Or0weh_CM_tkuT2TFiI,36413
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_validator/sdk/__init__.py,sha256=5I-PCrEbORm1cmNkN9J8-61u9XLHftQ3xuBi_JGePKc,5306
+iam_validator/sdk/__init__.py,sha256=AZLnfdn3A9AWb0pMhsbu3GAOAzt6rV7Fi3E3d9_3ZdI,6388
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
 iam_validator/sdk/context.py,sha256=FvAEyUa_s7tHWoSdgjSkzHf1CLlYpAEmLZANxs2IJ4A,6826
 iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
 iam_validator/sdk/helpers.py,sha256=sjfK0na_Fo7O8GhEVhl44rVHqOdw6nAKkBL4FVL-QdU,5697
 iam_validator/sdk/policy_utils.py,sha256=bGdJ1X1aC72dVXXpAnAwyBpAiiX-qXvblpetY5BsjKU,13658
+iam_validator/sdk/query_utils.py,sha256=kp1sORVnouRMt7kvzyZo1569l7j20jJGmHICR7O8Cqs,14455
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
 iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.10.2.dist-info/METADATA,sha256=t5vzMawKVACC8uFWNJznjMBvw4xX9T7z1EduP8HbAQA,19070
-iam_policy_validator-1.10.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.10.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.10.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.10.2.dist-info/RECORD,,
+iam_policy_validator-1.11.0.dist-info/METADATA,sha256=OL4Pb02Cgtv4XL1AXoupb1KYc5fUMXUNfiqquaFyn24,34456
+iam_policy_validator-1.11.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.11.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.11.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.11.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.10.2"
+__version__ = "1.11.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -133,6 +133,7 @@ from typing import TYPE_CHECKING, Any, ClassVar
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.utils.regex import compile_and_cache
 
 if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
@@ -184,10 +185,16 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         issues = []
 
         # Get action condition requirements from config
-        # Support both old (policy_level_requirements) and new (action_condition_requirements) keys
+        # Support legacy keys for backward compatibility:
+        #  - "requirements" (current/preferred)
+        #  - "action_condition_requirements" (legacy)
+        #  - "policy_level_requirements" (legacy)
         requirements = config.config.get(
-            "action_condition_requirements",
-            config.config.get("policy_level_requirements", []),
+            "requirements",
+            config.config.get(
+                "action_condition_requirements",
+                config.config.get("policy_level_requirements", []),
+            ),
         )
 
         if not requirements:
@@ -683,7 +690,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         matching_actions: list[str] = []
 
         # Handle simple list format (backward compatibility)
-        if isinstance(actions_config, list) and actions_config:
+        # Also handle requirements with only action_patterns (when actions is empty list)
+        if isinstance(actions_config, list) and (actions_config or action_patterns):
             # Simple list - check if any action matches
             for stmt_action in statement_actions:
                 if stmt_action == "*":
@@ -701,9 +709,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                         matched = True
                         break
 
-                # If not matched by actions, check if wildcard overlaps with patterns
-                if not matched and "*" in stmt_action:
-                    # For wildcards, also check pattern overlap directly
+                # If not matched by actions, check against action_patterns directly
+                if not matched and action_patterns:
+                    # Check if statement action matches any of the patterns
                     matched = await self._action_matches(stmt_action, "", action_patterns, fetcher)
 
                 if matched and stmt_action not in matching_actions:
@@ -804,10 +812,11 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         # AWS wildcard match in required_action (e.g., "s3:*", "s3:Get*")
         if "*" in required_action:
-            # Convert AWS wildcard to regex
+            # Convert AWS wildcard to regex and cache compilation
             wildcard_pattern = required_action.replace("*", ".*").replace("?", ".")
             try:
-                if re.match(f"^{wildcard_pattern}$", statement_action):
+                compiled_pattern = compile_and_cache(f"^{wildcard_pattern}$")
+                if compiled_pattern.match(statement_action):
                     return True
             except re.error:
                 # Invalid regex pattern - skip this match attempt
@@ -824,7 +833,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 # Required action is specific (e.g., "iam:CreateUser")
                 # Check if statement wildcard would grant it
                 try:
-                    if re.match(f"^{stmt_wildcard_pattern}$", required_action):
+                    compiled_pattern = compile_and_cache(f"^{stmt_wildcard_pattern}$")
+                    if compiled_pattern.match(required_action):
                         return True
                 except re.error:
                     # Invalid regex pattern - skip this match attempt
@@ -856,7 +866,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                         full_granted_action = f"{service_prefix}:{granted_action}"
                         for pattern in patterns:
                             try:
-                                if re.match(pattern, full_granted_action):
+                                compiled_pattern = compile_and_cache(pattern)
+                                if compiled_pattern.match(full_granted_action):
                                     return True
                             except re.error:
                                 continue
@@ -866,7 +877,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                     stmt_prefix = statement_action.rstrip("*")
                     for pattern in patterns:
                         try:
-                            if re.match(pattern, stmt_prefix):
+                            compiled_pattern = compile_and_cache(pattern)
+                            if compiled_pattern.match(stmt_prefix):
                                 return True
                         except re.error:
                             continue
@@ -874,7 +886,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         # Regex pattern match (from action_patterns config)
         for pattern in patterns:
             try:
-                if re.match(pattern, statement_action):
+                compiled_pattern = compile_and_cache(pattern)
+                if compiled_pattern.match(statement_action):
                     return True
             except re.error:
                 continue
@@ -964,7 +977,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             statement_index=statement_idx,
                             issue_type="missing_required_condition_any_of",
                             message=(
-                                f"Actions `{matching_actions_formatted}` require at least ONE of these conditions: "
+                                f"Actions {matching_actions_formatted} require at least ONE of these conditions: "
                                 f"{condition_keys_formatted}"
                             ),
                             action=", ".join(matching_actions),

iam_validator/checks/sensitive_action.py

@@ -1,6 +1,6 @@
 """Sensitive action check - detects sensitive actions without IAM conditions."""
 
-from typing import TYPE_CHECKING, ClassVar
+from typing import TYPE_CHECKING, Any, ClassVar
 
 from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
 from iam_validator.checks.utils.sensitive_action_matcher import (
@@ -17,6 +17,71 @@ if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
 
 
+def get_suggestion_from_requirement(requirement: dict[str, Any]) -> tuple[str, str] | None:
+    """
+    Extract suggestion and example from a condition requirement.
+
+    This is a public utility function that can be used by custom checks
+    to extract user-friendly suggestions from condition requirement structures.
+
+    Args:
+        requirement: Condition requirement dictionary containing:
+            - suggestion_text: Human-readable guidance text
+            - required_conditions: Conditions structure (list or dict with any_of/all_of/none_of)
+
+    Returns:
+        Tuple of (suggestion_text, example) if available, None otherwise
+
+    Example:
+        >>> from iam_validator.core.config.condition_requirements import IAM_PASS_ROLE_REQUIREMENT
+        >>> suggestion, example = get_suggestion_from_requirement(IAM_PASS_ROLE_REQUIREMENT)
+        >>> print(suggestion)
+        This action allows passing IAM roles to AWS services...
+    """
+    # Check if requirement has suggestion_text
+    if "suggestion_text" not in requirement:
+        return None
+
+    suggestion_text = requirement["suggestion_text"]
+
+    # Extract example from required_conditions
+    example = ""
+    required_conditions = requirement.get("required_conditions", [])
+
+    # Handle different condition structures (list, dict with any_of/all_of/none_of)
+    if isinstance(required_conditions, list) and required_conditions:
+        # Get first condition's example
+        first_condition = required_conditions[0]
+        example = first_condition.get("example", "")
+    elif isinstance(required_conditions, dict):
+        # Handle any_of, all_of, none_of structures
+        for logic_key in ["any_of", "all_of", "none_of"]:
+            if logic_key in required_conditions:
+                conditions = required_conditions[logic_key]
+                if isinstance(conditions, list) and conditions:
+                    # Get first option's example
+                    first_option = conditions[0]
+                    if isinstance(first_option, dict):
+                        if "example" in first_option:
+                            example = first_option["example"]
+                            break
+                        # Handle nested all_of/any_of/none_of structures
+                        for nested_key in ["all_of", "any_of", "none_of"]:
+                            if nested_key in first_option and isinstance(
+                                first_option[nested_key], list
+                            ):
+                                for nested in first_option[nested_key]:
+                                    if "example" in nested:
+                                        example = nested["example"]
+                                        break
+                                if example:
+                                    break
+                        if example:
+                            break
+
+    return (suggestion_text, example)
+
+
 class SensitiveActionCheck(PolicyCheck):
     """Checks for sensitive actions without IAM conditions to limit their use."""
 
@@ -48,11 +113,45 @@ class SensitiveActionCheck(PolicyCheck):
         # Fall back to default severity
         return self.get_severity(config)
 
+    def _get_actions_covered_by_condition_enforcement(self, config: CheckConfig) -> set[str]:
+        """
+        Get set of actions that are covered by action_condition_enforcement requirements.
+
+        This prevents duplicate warnings when an action is already validated by
+        formal condition requirements.
+
+        Args:
+            config: Check configuration with root_config access
+
+        Returns:
+            Set of action strings that are covered by condition requirements
+        """
+        covered_actions: set[str] = set()
+
+        # Access action_condition_enforcement config from root_config
+        ace_config = config.root_config.get("action_condition_enforcement", {})
+        requirements = ace_config.get("requirements", [])
+
+        for requirement in requirements:
+            # Get actions from requirement
+            actions_config = requirement.get("actions", [])
+            if isinstance(actions_config, list):
+                covered_actions.update(actions_config)
+
+        return covered_actions
+
     def _get_category_specific_suggestion(
         self, action: str, config: CheckConfig
     ) -> tuple[str, str]:
         """
-        Get category-specific suggestion and example for an action.
+        Get category-specific suggestion and example for an action using two-tier lookup.
+
+        This method provides suggestions for the sensitive_action check, which flags
+        actions that have NO conditions. It does NOT validate specific conditions
+        (that's handled by the action_condition_enforcement check).
+
+        Tier 1: Check action_overrides in category suggestions for important actions
+        Tier 2: Fall back to category-level default suggestions
 
         Args:
             action: The AWS action to check
@@ -61,20 +160,23 @@ class SensitiveActionCheck(PolicyCheck):
         Returns:
             Tuple of (suggestion_text, example_text) tailored to the action's category
         """
+        # TIER 1: Check action-specific overrides in category suggestions
         category = get_category_for_action(action)
-
-        # Get category suggestions from config (ABAC-focused by default)
-        # See: iam_validator/core/config/category_suggestions.py
         category_suggestions = config.config.get("category_suggestions", {})
 
-        # Get category-specific content or fall back to generic ABAC guidance
         if category and category in category_suggestions:
-            return (
-                category_suggestions[category]["suggestion"],
-                category_suggestions[category]["example"],
-            )
+            category_data = category_suggestions[category]
+
+            # Check if there's an action-specific override
+            action_overrides = category_data.get("action_overrides", {})
+            if action in action_overrides:
+                override = action_overrides[action]
+                return (override["suggestion"], override["example"])
+
+            # TIER 2: Fall back to category-level defaults
+            return (category_data["suggestion"], category_data["example"])
 
-        # Generic ABAC fallback for uncategorized actions
+        # Ultimate fallback: Generic ABAC guidance for uncategorized actions
         return (
             "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
             "• Match principal tags to resource tags (`aws:PrincipalTag/<tag-name>` = `aws:ResourceTag/<tag-name>`)\n"
@@ -114,6 +216,16 @@ class SensitiveActionCheck(PolicyCheck):
         )
 
         if is_sensitive and not has_conditions:
+            # Filter out actions already covered by action_condition_enforcement
+            # This prevents duplicate warnings with different messages
+            covered_actions = self._get_actions_covered_by_condition_enforcement(config)
+            matched_actions = [
+                action for action in matched_actions if action not in covered_actions
+            ]
+
+            # If all matched actions are covered elsewhere, skip this check
+            if not matched_actions:
+                return issues
             # Create appropriate message based on matched actions using configurable templates
             if len(matched_actions) == 1:
                 message_template = config.config.get(

iam_validator/checks/utils/policy_level_checks.py

@@ -49,6 +49,7 @@ def check_policy_level_actions(
                     all_actions,
                     statement_map,
                     item["all_of"],
+                    item,  # Pass the entire item config (includes severity, message, suggestion)
                     check_config,
                     check_type,
                     get_severity_func,
@@ -62,6 +63,7 @@ def check_policy_level_actions(
             all_actions,
             statement_map,
             config["all_of"],
+            config,  # Pass the entire config dict (includes severity, message, suggestion)
             check_config,
             check_type,
             get_severity_func,
@@ -76,6 +78,7 @@ def _check_all_of_pattern(
     all_actions: list[str],
     statement_map: dict[str, list[tuple[int, str | None]]],
     required_actions: list[str],
+    item_config: dict,
     check_config: CheckConfig,
     check_type: str,
     get_severity_func,
@@ -87,6 +90,7 @@ def _check_all_of_pattern(
         all_actions: All actions across the entire policy
         statement_map: Mapping of action -> [(statement_idx, sid), ...]
         required_actions: List of required actions or patterns
+        item_config: Configuration for this specific pattern (includes severity, message, suggestion)
         check_config: Full check configuration
         check_type: Either "actions" (exact match) or "patterns" (regex match)
         get_severity_func: Function to get severity for the check
@@ -113,31 +117,64 @@ def _check_all_of_pattern(
     # Check if ALL required actions/patterns are present
     if len(matched_actions) >= len(required_actions):
         # Privilege escalation detected!
-        severity = get_severity_func(check_config, "sensitive_action_check", "error")
+        # Use severity from item_config if available, otherwise use default from check
+        severity = item_config.get("severity") or get_severity_func(check_config)
 
         # Collect which statements these actions appear in
         statement_refs = []
+        action_to_statements = {}  # Map action -> list of statement references
+
         for action in matched_actions:
+            action_to_statements[action] = []
             if action in statement_map:
                 for stmt_idx, sid in statement_map[action]:
-                    sid_str = f"'{sid}'" if sid else f"#{stmt_idx}"
+                    # Use index notation instead of # to avoid GitHub PR link interpretation
+                    sid_str = f"'{sid}'" if sid else f"[{stmt_idx}]"
                     statement_refs.append(f"Statement {sid_str}: {action}")
+                    action_to_statements[action].append(f"Statement {sid_str}")
 
-        action_list = "', '".join(matched_actions)
+        # Format actions with backticks and statement references
+        action_list = "`, `".join(matched_actions)
         stmt_details = "\n  - ".join(statement_refs)
 
+        # Build a compact statement summary for the message
+        action_stmt_summary = []
+        for action in matched_actions:
+            stmts = action_to_statements.get(action, [])
+            if stmts:
+                action_stmt_summary.append(f"`{action}` in {', '.join(stmts)}")
+
+        stmt_summary = "; ".join(action_stmt_summary)
+
+        # Use custom message if provided in item_config, otherwise use default
+        # Support {actions} and {statements} placeholders in custom messages
+        message_template = item_config.get(
+            "message",
+            f"Policy grants [`{action_list}`] across statements - enables privilege escalation. Found: {stmt_summary}",
+        )
+        # Replace placeholders if present in custom message
+        message = message_template.replace("{actions}", f"`{action_list}`").replace(
+            "{statements}", stmt_summary
+        )
+
+        # Use custom suggestion if provided in item_config, otherwise use default
+        suggestion = item_config.get(
+            "suggestion",
+            f"These actions combined allow privilege escalation. Consider:\n"
+            f"  1. Splitting into separate policies for different users/roles\n"
+            f"  2. Adding strict conditions to limit when these actions can be used together\n"
+            f"  3. Reviewing if all these permissions are truly necessary\n\n"
+            f"Actions found in:\n  - {stmt_details}",
+        )
+
         return ValidationIssue(
             severity=severity,
             statement_sid=None,  # Policy-level issue
             statement_index=-1,  # -1 indicates policy-level issue
             issue_type="privilege_escalation",
-            message=f"Policy-level privilege escalation detected: grants all of ['{action_list}'] across multiple statements",
-            suggestion=f"These actions combined allow privilege escalation. Consider:\n"
-            f"  1. Splitting into separate policies for different users/roles\n"
-            f"  2. Adding strict conditions to limit when these actions can be used together\n"
-            f"  3. Reviewing if all these permissions are truly necessary\n\n"
-            f"Actions found in:\n  - {stmt_details}",
-            line_number=None,
+            message=message,
+            suggestion=suggestion,
+            line_number=1,  # Policy-level issues point to line 1 (top of policy)
         )
 
     return None

iam_validator/checks/wildcard_resource.py

@@ -39,22 +39,44 @@ class WildcardResourceCheck(PolicyCheck):
             # to all matching AWS actions using the AWS API, then checking if the policy's
             # actions are in that expanded list. This ensures only validated AWS actions
             # are allowed with Resource: "*".
+            allowed_wildcards_config = config.config.get("allowed_wildcards", [])
             allowed_wildcards_expanded = await self._get_expanded_allowed_wildcards(config, fetcher)
 
             # Check if ALL actions (excluding full wildcard "*") are in the expanded list
             non_wildcard_actions = [a for a in actions if a != "*"]
 
-            if allowed_wildcards_expanded and non_wildcard_actions:
-                # Check if all actions are in the expanded allowed list (exact match)
-                all_actions_allowed = all(
-                    action in allowed_wildcards_expanded for action in non_wildcard_actions
+            if (allowed_wildcards_config or allowed_wildcards_expanded) and non_wildcard_actions:
+                # Strategy 1: Check literal pattern match (fast path)
+                # If policy action matches config pattern literally, allow it
+                # Example: Policy has "iam:Get*", config has "iam:Get*" -> match
+                all_actions_allowed_literal = all(
+                    action in allowed_wildcards_config for action in non_wildcard_actions
                 )
 
-                # If all actions are in the expanded list, skip the wildcard resource warning
-                if all_actions_allowed:
-                    # All actions are safe, Resource: "*" is acceptable
+                if all_actions_allowed_literal:
+                    # All actions match literally, Resource: "*" is acceptable
                     return issues
 
+                # Strategy 2: Check expanded pattern match (comprehensive path)
+                # Expand both policy actions and config patterns, then compare
+                # Example: Policy has "iam:Get*" -> ["iam:GetUser", ...],
+                #          config has "iam:Get*" -> ["iam:GetUser", ...] -> all match
+                if allowed_wildcards_expanded:
+                    expanded_statement_actions = await expand_wildcard_actions(
+                        non_wildcard_actions, fetcher
+                    )
+
+                    # Check if all expanded actions are in the expanded allowed list (exact match)
+                    all_actions_allowed_expanded = all(
+                        action in allowed_wildcards_expanded
+                        for action in expanded_statement_actions
+                    )
+
+                    # If all actions are in the expanded list, skip the wildcard resource warning
+                    if all_actions_allowed_expanded:
+                        # All actions are safe, Resource: "*" is acceptable
+                        return issues
+
             # Flag the issue if actions are not all allowed or no allowed_wildcards configured
             message = config.config.get(
                 "message", 'Statement applies to all resources `"*"` (wildcard resource).'

iam_validator/commands/__init__.py

@@ -2,8 +2,10 @@
 
 from .analyze import AnalyzeCommand
 from .cache import CacheCommand
+from .completion import CompletionCommand
 from .download_services import DownloadServicesCommand
 from .post_to_pr import PostToPRCommand
+from .query import QueryCommand
 from .validate import ValidateCommand
 
 # All available commands
@@ -13,6 +15,8 @@ ALL_COMMANDS = [
     AnalyzeCommand(),
     CacheCommand(),
     DownloadServicesCommand(),
+    QueryCommand(),
+    CompletionCommand(),
 ]
 
 __all__ = [
@@ -21,5 +25,7 @@ __all__ = [
     "AnalyzeCommand",
     "CacheCommand",
     "DownloadServicesCommand",
+    "QueryCommand",
+    "CompletionCommand",
     "ALL_COMMANDS",
 ]