iam-policy-validator 1.10.3__py3-none-any.whl → 1.11.1__py3-none-any.whl

iam_validator/core/config/condition_requirements.py

@@ -28,6 +28,13 @@ from typing import Any, Final
 IAM_PASS_ROLE_REQUIREMENT: Final[dict[str, Any]] = {
     "actions": ["iam:PassRole"],
     "severity": "high",
+    "suggestion_text": (
+        "This action allows passing IAM roles to AWS services, which can lead to privilege escalation. "
+        "Always restrict which services can receive roles:\n"
+        "• Use `iam:PassedToService` to limit specific AWS services (e.g., lambda.amazonaws.com, ecs-tasks.amazonaws.com)\n"
+        "• Consider adding `iam:AssociatedResourceArn` to restrict which resources can use the role\n"
+        "• Require MFA for sensitive role passing (`aws:MultiFactorAuthPresent` = `true`)"
+    ),
     "required_conditions": [
         {
             "condition_key": "iam:PassedToService",
@@ -50,66 +57,96 @@ IAM_PASS_ROLE_REQUIREMENT: Final[dict[str, Any]] = {
     ],
 }
 
-# S3 Write Operations - Require organization ID
-S3_WRITE_ORG_ID: Final[dict[str, Any]] = {
-    "actions": ["s3:PutObject"],
+# S3 Organization Boundary - Prevent data exfiltration for both reads and writes
+# Enforces that S3 operations only access resources within organizational boundaries
+S3_ORG_BOUNDARY: Final[dict[str, Any]] = {
+    "actions": ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject"],
     "severity": "medium",
+    "suggestion_text": (
+        "These S3 actions can read or write data. Prevent data exfiltration by ensuring operations only access organization-owned buckets:\n"
+        "• Use organization ID (`aws:ResourceOrgID` = `${aws:PrincipalOrgID}`)\n"
+        "• OR use organization paths (`aws:ResourceOrgPaths` = `${aws:PrincipalOrgPaths}`)\n"
+        "• OR restrict by network boundary (IP/VPC/VPCe) + same account (`aws:ResourceAccount` = `${aws:PrincipalAccount}`)"
+    ),
     "required_conditions": {
         "any_of": [
-            # Option 1: Use organization-level control with ResourceOrgID
+            # Option 1: Restrict to organization resources (strongest)
             {
-                "all_of": [
-                    {
-                        "condition_key": "aws:ResourceOrgID",
-                        "description": "Restrict S3 write actions to resources within your AWS Organization",
-                        "expected_value": "${aws:PrincipalOrgID}",
-                        "example": (
-                            "{\n"
-                            '  "Condition": {\n'
-                            '    "StringEquals": {\n'
-                            '      "aws:ResourceOrgID": "${aws:PrincipalOrgID}",\n'
-                            '      "aws:ResourceAccount": "${aws:PrincipalAccount}"\n'
-                            "    }\n"
-                            "  }\n"
-                            "}"
-                        ),
-                    },
-                    {
-                        "condition_key": "aws:ResourceAccount",
-                        "description": "Ensure the S3 resource belongs to the same AWS account as the principal",
-                        "expected_value": "${aws:PrincipalAccount}",
-                    },
-                ]
+                "condition_key": "aws:ResourceOrgID",
+                "description": "Restrict S3 operations to resources within your AWS Organization",
+                "expected_value": "${aws:PrincipalOrgID}",
+                "example": (
+                    "{\n"
+                    '  "Condition": {\n'
+                    '    "StringEquals": {\n'
+                    '      "aws:ResourceOrgID": "${aws:PrincipalOrgID}"\n'
+                    "    }\n"
+                    "  }\n"
+                    "}"
+                ),
+            },
+            # Option 2: Restrict to organization paths
+            {
+                "condition_key": "aws:ResourceOrgPaths",
+                "description": "Restrict S3 operations to resources within your AWS Organization path",
+                "expected_value": "${aws:PrincipalOrgPaths}",
+                "example": (
+                    "{\n"
+                    '  "Condition": {\n'
+                    '    "StringEquals": {\n'
+                    '      "aws:ResourceOrgPaths": "${aws:PrincipalOrgPaths}"\n'
+                    "    }\n"
+                    "  }\n"
+                    "}"
+                ),
             },
-            # Option 2: Use organization path-based control
+            # Option 3: Network boundary - Source IP + same account
             {
-                "all_of": [
-                    {
-                        "condition_key": "aws:ResourceOrgPaths",
-                        "description": "Restrict S3 write actions to resources within your AWS Organization path",
-                        "expected_value": "${aws:PrincipalOrgPaths}",
-                        "example": (
-                            "{\n"
-                            '  "Condition": {\n'
-                            '    "StringEquals": {\n'
-                            '      "aws:ResourceOrgPaths": "${aws:PrincipalOrgPaths}",\n'
-                            '      "aws:ResourceAccount": "${aws:PrincipalAccount}"\n'
-                            "    }\n"
-                            "  }\n"
-                            "}"
-                        ),
-                    },
-                    {
-                        "condition_key": "aws:ResourceAccount",
-                        "description": "Ensure the S3 resource belongs to the same AWS account as the principal",
-                        "expected_value": "${aws:PrincipalAccount}",
-                    },
-                ]
+                "condition_key": "aws:SourceIp",
+                "description": "Restrict S3 operations by source IP address and same account",
+                "example": (
+                    "{\n"
+                    '  "Condition": {\n'
+                    '    "IpAddress": {"aws:SourceIp": "10.0.0.0/8"},\n'
+                    '    "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}\n'
+                    "  }\n"
+                    "}"
+                ),
+            },
+            # Option 4: Network boundary - Source VPC + same account
+            {
+                "condition_key": "aws:SourceVpc",
+                "description": "Restrict S3 operations by source VPC and same account",
+                "example": (
+                    "{\n"
+                    '  "Condition": {\n'
+                    '    "StringEquals": {\n'
+                    '      "aws:SourceVpc": "vpc-12345678",\n'
+                    '      "aws:ResourceAccount": "${aws:PrincipalAccount}"\n'
+                    "    }\n"
+                    "  }\n"
+                    "}"
+                ),
+            },
+            # Option 5: Network boundary - VPC Endpoint + same account
+            {
+                "condition_key": "aws:SourceVpce",
+                "description": "Restrict S3 operations by VPC endpoint and same account",
+                "example": (
+                    "{\n"
+                    '  "Condition": {\n'
+                    '    "StringEquals": {\n'
+                    '      "aws:SourceVpce": "vpce-12345678",\n'
+                    '      "aws:ResourceAccount": "${aws:PrincipalAccount}"\n'
+                    "    }\n"
+                    "  }\n"
+                    "}"
+                ),
             },
-            # Option 3: Account-only control (less restrictive, but still secure)
+            # Option 6: Minimum - at least require same account
             {
                 "condition_key": "aws:ResourceAccount",
-                "description": "Restrict S3 write actions to resources within the same AWS account",
+                "description": "Restrict S3 operations to resources within the same AWS account",
                 "expected_value": "${aws:PrincipalAccount}",
                 "example": (
                     "{\n"
@@ -130,10 +167,16 @@ SOURCE_IP_RESTRICTIONS: Final[dict[str, Any]] = {
     "action_patterns": [
         "^ssm:StartSession$",
         "^ssm:Run.*$",
-        "^s3:GetObject$",
         "^rds-db:Connect$",
     ],
     "severity": "low",
+    "suggestion_text": (
+        "This action accesses sensitive resources or data. Restrict network access to trusted locations:\n"
+        "• Use `aws:SourceIp` to limit to corporate IP ranges (e.g., office networks, VPN endpoints)\n"
+        "• Alternative: Use `aws:SourceVpc` or `aws:SourceVpce` for VPC-based restrictions\n"
+        "• Consider combining with secure transport requirements\n"
+        "• For S3: Ensure account ownership (`aws:ResourceAccount` = `${aws:PrincipalAccount}`)"
+    ),
     "required_conditions": [
         {
             "condition_key": "aws:SourceIp",
@@ -146,7 +189,9 @@ SOURCE_IP_RESTRICTIONS: Final[dict[str, Any]] = {
                 '        "10.0.0.0/8",\n'
                 '        "172.16.0.0/12"\n'
                 "      ]\n"
-                "    }\n"
+                "    },\n"
+                '    "Bool": {"aws:SecureTransport": "true"},\n'
+                '    "StringEquals": {"aws:ResourceAccount": "${aws:PrincipalAccount}"}\n'
                 "  }\n"
                 "}"
             ),
@@ -158,6 +203,12 @@ SOURCE_IP_RESTRICTIONS: Final[dict[str, Any]] = {
 S3_SECURE_TRANSPORT: Final[dict[str, Any]] = {
     "actions": ["s3:GetObject", "s3:PutObject"],
     "severity": "critical",
+    "suggestion_text": (
+        "CRITICAL: This S3 action must enforce encrypted connections. Unencrypted HTTP connections expose data in transit:\n"
+        "• Set `aws:SecureTransport` to `true` to enforce HTTPS/TLS\n"
+        "• NEVER set `aws:SecureTransport` to `false` (this explicitly allows unencrypted connections)\n"
+        "• Combine with other controls (IP restrictions, account boundaries) for defense in depth"
+    ),
     "required_conditions": {
         "none_of": [
             {
@@ -200,7 +251,7 @@ PREVENT_PUBLIC_IP: Final[dict[str, Any]] = {
 
 CONDITION_REQUIREMENTS: Final[list[dict[str, Any]]] = [
     IAM_PASS_ROLE_REQUIREMENT,
-    S3_WRITE_ORG_ID,
+    S3_ORG_BOUNDARY,  # Unified S3 read/write organization boundary enforcement
     SOURCE_IP_RESTRICTIONS,
     S3_SECURE_TRANSPORT,
     PREVENT_PUBLIC_IP,

iam_validator/core/config/defaults.py

@@ -521,6 +521,82 @@ DEFAULT_CONFIG = {
         "ignore_patterns": [
             {"action_matches": "^iam:PassRole$"},
         ],
+        # Cross-statement privilege escalation patterns (policy-wide detection)
+        # These patterns detect dangerous action combinations across ANY statements in the policy
+        # Uses all_of logic: ALL actions must exist somewhere in the policy
+        "sensitive_actions": [
+            # User privilege escalation: Create user + attach admin policy
+            {
+                "all_of": ["iam:CreateUser", "iam:AttachUserPolicy"],
+                "severity": "critical",
+                "message": "Policy grants {actions} across statements - enables privilege escalation. {statements}",
+                "suggestion": (
+                    "This combination allows an attacker to:\n"
+                    "1. Create a new IAM user\n"
+                    "2. Attach AdministratorAccess policy to that user\n"
+                    "3. Escalate to full account access\n\n"
+                    "Mitigation options:\n"
+                    "• Remove both of these permissions\n"
+                    "• Add strict IAM conditions (MFA, IP restrictions, force a specific policy with `iam:PolicyARN` condition)\n"
+                ),
+            },
+            # Role privilege escalation: Create role + attach admin policy
+            {
+                "all_of": ["iam:CreateRole", "iam:AttachRolePolicy"],
+                "severity": "high",
+                "message": "Policy grants {actions} across statements - enables privilege escalation. {statements}",
+                "suggestion": (
+                    "This combination allows creating privileged roles with admin policies.\n\n"
+                    "Mitigation options:\n"
+                    "• Remove both of these permissions\n"
+                    "• Add strict IAM conditions with a Permissions Boundary and ABAC Tagging, force a specific policy with `iam:PolicyARN` condition\n"
+                ),
+            },
+            # Lambda backdoor: Create/update function + invoke
+            {
+                "all_of": ["lambda:CreateFunction", "lambda:InvokeFunction"],
+                "severity": "medium",
+                "message": "Policy grants {actions} across statements - enables code execution. {statements}",
+                "suggestion": (
+                    "This combination allows an attacker to:\n"
+                    "1. Create a Lambda function with malicious code\n"
+                    "2. Execute the function to perform operations with the Lambda's role\n\n"
+                    "Mitigation options:\n"
+                    "• Restrict Lambda creation to specific function names/paths\n"
+                    "• Require resource tags on functions and tag-based invocation controls\n"
+                    "• Require MFA for Lambda function creation\n"
+                    "• Use separate policies for creation vs invocation"
+                ),
+            },
+            # Lambda code modification backdoor
+            {
+                "all_of": ["lambda:UpdateFunctionCode", "lambda:InvokeFunction"],
+                "severity": "medium",
+                "message": "Policy grants {actions} across statements - enables code injection. {statements}",
+                "suggestion": (
+                    "This combination allows modifying existing Lambda functions and executing them.\n\n"
+                    "Mitigation options:\n"
+                    "• Use resource-based policies to restrict which functions can be modified\n"
+                    "• Require MFA for code updates\n"
+                    "• Use separate policies for code updates vs invocation\n"
+                    "• Implement code signing for Lambda functions"
+                ),
+            },
+            # EC2 instance privilege escalation
+            {
+                "all_of": ["ec2:RunInstances", "iam:PassRole"],
+                "severity": "high",
+                "message": "Policy grants {actions} across statements - enables privilege escalation via instance profile. {statements}",
+                "suggestion": (
+                    "This combination allows launching EC2 instances with privileged roles.\n\n"
+                    "Mitigation options:\n"
+                    "• Add iam:PassedToService condition requiring ec2.amazonaws.com\n"
+                    "• Restrict instance creation to specific AMIs or instance types\n"
+                    "• Limit PassRole to specific low-privilege roles\n"
+                    "• Require tagging and ABAC controls"
+                ),
+            },
+        ],
     },
     # ========================================================================
     # 18. ACTION CONDITION ENFORCEMENT
@@ -533,7 +609,7 @@ DEFAULT_CONFIG = {
     # Available requirements:
     #   Default (enabled):
     #     - iam_pass_role: Requires iam:PassedToService
-    #     - s3_org_id: Requires organization ID for S3 writes
+    #     - s3_org_boundary: Prevents S3 data exfiltration (reads + writes)
     #     - source_ip_restrictions: Restricts to corporate IPs
     #     - s3_secure_transport: Prevents insecure transport
     #     - prevent_public_ip: Prevents 0.0.0.0/0 IP ranges
@@ -543,10 +619,10 @@ DEFAULT_CONFIG = {
         "enabled": True,
         "severity": "high",  # Default severity (can be overridden per-requirement)
         "description": "Enforces conditions (MFA, IP, tags, etc.) for specific actions at both statement and policy level",
-        # STATEMENT-LEVEL: Load 5 requirements from Python module
-        # Deep copy to prevent mutation of the originals
-        # These check individual statements independently
-        "action_condition_requirements": __import__("copy").deepcopy(CONDITION_REQUIREMENTS),
+        # CRITICAL: This key is used by sensitive_action check for filtering
+        # It must be named "requirements" (not "action_condition_requirements")
+        # to enable automatic deduplication of warnings
+        "requirements": __import__("copy").deepcopy(CONDITION_REQUIREMENTS),
         # POLICY-LEVEL: Scan entire policy and enforce conditions across ALL matching statements
         # Example: "If ANY statement grants iam:CreateUser, then ALL such statements must have MFA"
         # Default: Empty list (opt-in feature)
@@ -571,6 +647,6 @@ def get_default_config() -> dict:
     Returns:
         A deep copy of the default configuration dictionary
     """
-    import copy
+    import copy  # pylint: disable=import-outside-toplevel
 
     return copy.deepcopy(DEFAULT_CONFIG)

iam_validator/core/config/wildcards.py

@@ -28,8 +28,11 @@ DEFAULT_ALLOWED_WILDCARDS: Final[tuple[str, ...]] = (
     "cloudwatch:List*",
     # DynamoDB
     "dynamodb:Describe*",
+    "dynamodb:Get*",
+    "dynamodb:List*",
     # EC2
     "ec2:Describe*",
+    "ec2:List*",
     # Elastic Load Balancing
     "elasticloadbalancing:Describe*",
     # IAM (non-sensitive read operations)

iam_validator/core/diff_parser.py

@@ -0,0 +1,321 @@
+"""Diff Parser Module.
+
+This module parses GitHub PR diff information to extract changed line numbers.
+It supports GitHub's unified diff format and provides utilities for determining
+which lines and statements were modified in a PR.
+"""
+
+import logging
+import re
+from dataclasses import dataclass
+from typing import Any
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class ParsedDiff:
+    """Parsed GitHub PR diff information for a single file.
+
+    Attributes:
+        file_path: Relative path to the file from repository root
+        changed_lines: Set of all line numbers that were added or modified (new side)
+        added_lines: Set of line numbers that were added (new side)
+        deleted_lines: Set of line numbers that were deleted (old side)
+        status: File status (added, modified, removed, renamed)
+    """
+
+    file_path: str
+    changed_lines: set[int]
+    added_lines: set[int]
+    deleted_lines: set[int]
+    status: str
+
+
+@dataclass
+class StatementLocation:
+    """Location information for a statement in a policy file.
+
+    Attributes:
+        statement_index: Zero-based index of the statement
+        start_line: First line number of the statement (1-indexed)
+        end_line: Last line number of the statement (1-indexed)
+        has_changes: True if any line in this range was modified
+    """
+
+    statement_index: int
+    start_line: int
+    end_line: int
+    has_changes: bool
+
+
+class DiffParser:
+    """Parser for GitHub PR diff information."""
+
+    @staticmethod
+    def parse_pr_files(pr_files: list[dict[str, Any]]) -> dict[str, ParsedDiff]:
+        """Parse GitHub PR files response to extract changed line information.
+
+        Args:
+            pr_files: List of file dicts from GitHub API's get_pr_files() call.
+                     Each dict contains: filename, status, patch, additions, deletions
+
+        Returns:
+            Dict mapping file paths to ParsedDiff objects
+
+        Example:
+            >>> pr_files = [{
+            ...     "filename": "policies/policy.json",
+            ...     "status": "modified",
+            ...     "patch": "@@ -5,3 +5,4 @@\\n context\\n-old\\n+new\\n+added"
+            ... }]
+            >>> result = DiffParser.parse_pr_files(pr_files)
+            >>> result["policies/policy.json"].changed_lines
+            {6, 7}
+        """
+        parsed: dict[str, ParsedDiff] = {}
+
+        for file_info in pr_files:
+            if not isinstance(file_info, dict):
+                continue
+
+            filename = file_info.get("filename")
+            if not filename or not isinstance(filename, str):
+                continue
+
+            status = file_info.get("status", "modified")
+            patch = file_info.get("patch")
+
+            # Files without patches (e.g., binary files, very large files)
+            if not patch or not isinstance(patch, str):
+                logger.debug(f"No patch available for {filename}, skipping diff parsing")
+                # Still track the file with empty change sets
+                parsed[filename] = ParsedDiff(
+                    file_path=filename,
+                    changed_lines=set(),
+                    added_lines=set(),
+                    deleted_lines=set(),
+                    status=status,
+                )
+                continue
+
+            try:
+                diff = DiffParser.parse_unified_diff(patch)
+                parsed[filename] = ParsedDiff(
+                    file_path=filename,
+                    changed_lines=diff["changed_lines"],
+                    added_lines=diff["added_lines"],
+                    deleted_lines=diff["deleted_lines"],
+                    status=status,
+                )
+                logger.debug(
+                    f"Parsed diff for {filename}: {len(diff['changed_lines'])} changed lines"
+                )
+            except Exception as e:  # pylint: disable=broad-exception-caught
+                logger.warning(f"Failed to parse diff for {filename}: {e}")
+                # Track file with empty change sets on parse error
+                parsed[filename] = ParsedDiff(
+                    file_path=filename,
+                    changed_lines=set(),
+                    added_lines=set(),
+                    deleted_lines=set(),
+                    status=status,
+                )
+
+        return parsed
+
+    @staticmethod
+    def parse_unified_diff(patch: str) -> dict[str, set[int]]:
+        """Parse a unified diff patch to extract changed line numbers.
+
+        Unified diff format uses @@ headers to indicate line ranges:
+        @@ -old_start,old_count +new_start,new_count @@
+
+        Lines starting with:
+        - '-' are deletions (old side line numbers)
+        - '+' are additions (new side line numbers)
+        - ' ' are context (both sides)
+
+        Args:
+            patch: Unified diff string from GitHub API
+
+        Returns:
+            Dict with keys:
+            - changed_lines: All added/modified lines (new side)
+            - added_lines: Only added lines (new side)
+            - deleted_lines: Only deleted lines (old side)
+
+        Example:
+            >>> patch = '''@@ -5,3 +5,4 @@
+            ...  context line
+            ... -deleted line
+            ... +added line
+            ... +another added line
+            ...  context line'''
+            >>> result = DiffParser.parse_unified_diff(patch)
+            >>> result['added_lines']
+            {6, 7}
+        """
+        changed_lines: set[int] = set()
+        added_lines: set[int] = set()
+        deleted_lines: set[int] = set()
+
+        # Pattern to match @@ -old_start,old_count +new_start,new_count @@ headers
+        # Handles variations: @@ -5,3 +5,4 @@, @@ -5 +5,2 @@, etc.
+        hunk_header_pattern = re.compile(r"^@@\s+-(\d+)(?:,(\d+))?\s+\+(\d+)(?:,(\d+))?\s+@@")
+
+        lines = patch.split("\n")
+        current_new_line = 0
+        current_old_line = 0
+
+        for line in lines:
+            # Check for hunk header
+            match = hunk_header_pattern.match(line)
+            if match:
+                old_start = int(match.group(1))
+                new_start = int(match.group(3))
+                current_old_line = old_start
+                current_new_line = new_start
+                continue
+
+            # Process diff lines
+            if not line:
+                continue
+
+            first_char = line[0]
+
+            if first_char == "+":
+                # Addition (new side only)
+                added_lines.add(current_new_line)
+                changed_lines.add(current_new_line)
+                current_new_line += 1
+            elif first_char == "-":
+                # Deletion (old side only)
+                deleted_lines.add(current_old_line)
+                current_old_line += 1
+            elif first_char == " ":
+                # Context line (both sides)
+                current_new_line += 1
+                current_old_line += 1
+            # Ignore lines that don't start with +, -, or space (e.g., \ No newline)
+
+        return {
+            "changed_lines": changed_lines,
+            "added_lines": added_lines,
+            "deleted_lines": deleted_lines,
+        }
+
+    @staticmethod
+    def get_modified_statements(
+        line_mapping: dict[int, int],
+        changed_lines: set[int],
+        policy_file: str,
+    ) -> dict[int, StatementLocation]:
+        """Determine which statements were modified based on changed lines.
+
+        A statement is considered modified if ANY line within its range appears
+        in the changed_lines set.
+
+        Args:
+            line_mapping: Dict mapping statement index to statement start line
+                         (from PRCommenter._get_line_mapping())
+            changed_lines: Set of line numbers that were changed in the PR
+            policy_file: Path to the policy file (to determine statement end lines)
+
+        Returns:
+            Dict mapping statement indices to StatementLocation objects
+            Only includes statements that were modified.
+
+        Example:
+            >>> line_mapping = {0: 3, 1: 10, 2: 20}  # Statement starts
+            >>> changed_lines = {5, 6}  # Lines changed in statement 0
+            >>> result = get_modified_statements(line_mapping, changed_lines, "policy.json")
+            >>> result[0].has_changes
+            True
+            >>> 1 in result  # Statement 1 not modified
+            False
+        """
+        if not line_mapping or not changed_lines:
+            return {}
+
+        # Determine end line for each statement
+        statement_ranges: dict[int, tuple[int, int]] = {}
+        sorted_indices = sorted(line_mapping.keys())
+
+        for i, stmt_idx in enumerate(sorted_indices):
+            start_line = line_mapping[stmt_idx]
+
+            # End line is either:
+            # 1. One line before next statement starts, OR
+            # 2. EOF for the last statement
+            if i < len(sorted_indices) - 1:
+                next_start = line_mapping[sorted_indices[i + 1]]
+                end_line = next_start - 1
+            else:
+                # For last statement, try to read file to get actual end
+                end_line = DiffParser.get_statement_end_line(policy_file, start_line)
+
+            statement_ranges[stmt_idx] = (start_line, end_line)
+
+        # Check which statements have changes
+        modified_statements: dict[int, StatementLocation] = {}
+
+        for stmt_idx, (start_line, end_line) in statement_ranges.items():
+            # Check if any line in this statement's range was changed
+            statement_lines = set(range(start_line, end_line + 1))
+            has_changes = bool(statement_lines & changed_lines)
+
+            if has_changes:
+                modified_statements[stmt_idx] = StatementLocation(
+                    statement_index=stmt_idx,
+                    start_line=start_line,
+                    end_line=end_line,
+                    has_changes=True,
+                )
+                logger.debug(f"Statement {stmt_idx} (lines {start_line}-{end_line}) was modified")
+
+        return modified_statements
+
+    @staticmethod
+    def get_statement_end_line(policy_file: str, start_line: int) -> int:
+        """Find the end line of a statement block starting at start_line.
+
+        Tracks brace depth to find where the statement object closes.
+
+        Args:
+            policy_file: Path to policy file
+            start_line: Line number where statement starts (1-indexed)
+
+        Returns:
+            Line number where statement ends (1-indexed)
+        """
+        try:
+            with open(policy_file, encoding="utf-8") as f:
+                lines = f.readlines()
+
+            # Start counting from the statement's opening brace
+            brace_depth = 0
+            in_statement = False
+
+            for line_num in range(start_line - 1, len(lines)):  # Convert to 0-indexed
+                line = lines[line_num]
+
+                # Track braces
+                for char in line:
+                    if char == "{":
+                        brace_depth += 1
+                        in_statement = True
+                    elif char == "}":
+                        brace_depth -= 1
+
+                        # Found the closing brace for this statement
+                        if in_statement and brace_depth == 0:
+                            return line_num + 1  # Convert back to 1-indexed
+
+            # If we couldn't find the end, return a reasonable default
+            # (start_line + 20 or end of file)
+            return min(start_line + 20, len(lines))
+
+        except Exception as e:  # pylint: disable=broad-exception-caught
+            logger.debug(f"Could not determine statement end line: {e}")
+            return start_line + 10  # Reasonable default