iam-policy-validator 1.14.6__py3-none-any.whl → 1.15.0__py3-none-any.whl

{iam_policy_validator-1.14.6.dist-info → iam_policy_validator-1.15.0.dist-info}/METADATA

@@ -1,17 +1,17 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.6
+Version: 1.15.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
-Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
+Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
 Project-URL: Repository, https://github.com/boogy/iam-policy-validator
 Project-URL: Issues, https://github.com/boogy/iam-policy-validator/issues
-Project-URL: Changelog, https://github.com/boogy/iam-policy-validator/blob/main/docs/CHANGELOG.md
+Project-URL: Changelog, https://github.com/boogy/iam-policy-validator/blob/main/CHANGELOG.md
 Author-email: boogy <0xboogy@gmail.com>
 License: MIT
 License-File: LICENSE
 Keywords: aws,github-action,iam,policy,security,validation
-Classifier: Development Status :: 4 - Beta
+Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: System Administrators
 Classifier: License :: OSI Approved :: MIT License
@@ -19,6 +19,8 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Security
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Systems Administration
@@ -38,17 +40,27 @@ Requires-Dist: pytest>=7.0.0; extra == 'dev'
 Requires-Dist: ruff>=0.1.0; extra == 'dev'
 Requires-Dist: types-boto3; extra == 'dev'
 Requires-Dist: types-pyyaml; extra == 'dev'
+Provides-Extra: docs
+Requires-Dist: mkdocs-gen-files>=0.5.0; extra == 'docs'
+Requires-Dist: mkdocs-literate-nav>=0.6.0; extra == 'docs'
+Requires-Dist: mkdocs-material>=9.5.0; extra == 'docs'
+Requires-Dist: mkdocs>=1.6.0; extra == 'docs'
+Requires-Dist: mkdocstrings[python]>=0.24.0; extra == 'docs'
+Provides-Extra: mcp
+Requires-Dist: fastmcp>=2.14.1; extra == 'mcp'
 Description-Content-Type: text/markdown
 
 # IAM Policy Validator
 
-**Catch IAM policy errors before they reach AWS** — Validate syntax, security misconfigurations, and dangerous permission combinations in CI/CD pipelines.
+**Stop IAM misconfigurations before they become breaches** — Catch overprivileged permissions, dangerous wildcards, and policy errors before deployment.
 
 [![GitHub Actions](https://img.shields.io/badge/GitHub%20Actions-Ready-blue)](https://github.com/marketplace/actions/iam-policy-validator)
 [![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/boogy/iam-policy-validator/badge)](https://scorecard.dev/viewer/?uri=github.com/boogy/iam-policy-validator)
 
+**[📖 Full Documentation](https://boogy.github.io/iam-policy-validator/)**
+
 ---
 
 ## Why This Tool Exists
@@ -120,7 +132,7 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 ```
 ╭──────────────────────────────────────────────────────────────────────────────────────────────────╮
 │                                                                                                  │
-│                              IAM Policy Validation Report (v1.10.3)                              │
+│                              IAM Policy Validation Report (v1.14.1)                              │
 │                                                                                                  │
 ╰──────────────────────────────────────────────────────────────────────────────────────────────────╯
 ───────────────────────────────────────── Detailed Results ─────────────────────────────────────────
@@ -294,7 +306,7 @@ sensitive_action:
       message: "CloudFormation + PassRole enables infrastructure privilege escalation"
 ```
 
-See [docs/privilege-escalation.md](docs/privilege-escalation.md) for all built-in patterns and custom configuration.
+See [Security Checks Documentation](docs/user-guide/checks/security-checks.md) for all built-in patterns and custom configuration.
 
 **Comparison:**
 
@@ -428,15 +440,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                                 | What It Catches                                        |
-| ------------------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**                   | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**                 | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**                     | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**                 | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
-| **Sensitive Actions (Policy-Wide)**   | **Cross-statement** privilege escalation patterns      |
-| **Sensitive Actions (Per-Statement)** | Dangerous actions in single statement                  |
-| **Condition Enforcement**             | Organization-specific requirements (your custom rules) |
+| Check                     | What It Catches                                        |
+| ------------------------- | ------------------------------------------------------ |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
+| **Condition Enforcement** | Organization-specific condition requirements           |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -635,7 +646,7 @@ sensitive_action:
 
 For more details, see:
 
-- [docs/condition-requirements.md](docs/condition-requirements.md) - How to configure condition requirements
+- [Configuration Guide](docs/user-guide/configuration.md) - How to configure condition requirements
 - [examples/configs/full-reference-config.yaml](examples/configs/full-reference-config.yaml) - Complete configuration reference
 
 ---
@@ -710,12 +721,12 @@ iam-validator analyze --path new-policy.json \
 
 **Guides:**
 
-- [Check Reference](docs/check-reference.md) - All 19 checks with examples
-- [Configuration Guide](docs/configuration.md) - Customize checks and behavior
-- [GitHub Actions Guide](docs/github-actions-workflows.md) - CI/CD integration
-- [Python Library Guide](docs/python-library-usage.md) - Use as Python package
-- [Trust Policy Guide](examples/trust-policies/README.md) - Trust policy validation
-- [Query Command](docs/query-command.md) - Query AWS service definitions
+- [Check Reference](docs/user-guide/checks/) - All checks with examples
+- [Configuration Guide](docs/user-guide/configuration.md) - Customize checks and behavior
+- [GitHub Actions Guide](docs/integrations/github-actions.md) - CI/CD integration
+- [Python Library Guide](docs/developer-guide/sdk/) - Use as Python package
+- [Trust Policy Examples](examples/trust-policies/) - Trust policy validation examples
+- [Changelog](CHANGELOG.md) - Version history and migration guides
 
 **Examples:**
 

{iam_policy_validator-1.14.6.dist-info → iam_policy_validator-1.15.0.dist-info}/RECORD

@@ -1,76 +1,78 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=WpHTF6NviSa8VivWMnhlxgCYH_CGf0PJr8rvIQ0xQuQ,374
-iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
+iam_validator/__version__.py,sha256=nBQw8c9_j3cm0AjlGzltWfPi7BYKIJlC0VQImhHNMGQ,374
+iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
-iam_validator/checks/action_validation.py,sha256=glA2F3iQBU-d8rruiyB9IdzVOESC2Kb-91SnwRCdQF0,2562
+iam_validator/checks/action_validation.py,sha256=gy9_mujYbojBboLk0WwuJYJjggrY2sRwHAFvJnoLTYE,4823
 iam_validator/checks/condition_key_validation.py,sha256=5i8LqqV78SjWK6pLrbttWmeMAD4pDC12_FjTjx5dFSU,4024
 iam_validator/checks/condition_type_mismatch.py,sha256=KJp7zQHDd8VeTcfjcD-ur3S4070cXEDTWkFtxfp7CuE,10652
 iam_validator/checks/full_wildcard.py,sha256=0TkkHtV0MZ6nZtJRtGdn3wwOMM96TRyGO7l7mmdHNUo,2325
 iam_validator/checks/mfa_condition_check.py,sha256=y1LbqcvQ_fL2BPTNaKRQoBYM5hM7JET9cDPUOWKFEVs,4814
+iam_validator/checks/not_action_not_resource.py,sha256=WWKOCLCq7yxOG9tgi1n5xPpphTLZ9RfcfPwZ-TP6n9Y,8097
 iam_validator/checks/policy_size.py,sha256=eJd36Nj4gqWLIkQ5imhHR1hGtQ6T-iJsC22Wd1VSUf0,4681
 iam_validator/checks/policy_structure.py,sha256=LExdm93JeqsyhikWrh9lfJ9sBiZ4818Ts0-N3MwUrtk,22089
 iam_validator/checks/policy_type_validation.py,sha256=-Q2Yn_sa7Cba_Fb9ESxSL5qNbRpncuC7NQy7R_fdJtY,16521
 iam_validator/checks/principal_validation.py,sha256=TthgDW5YXFfv5li1u4nn56k0Feqt5HeOEtQgo5pBKqo,27911
-iam_validator/checks/resource_validation.py,sha256=RIBMiCMwX45wwnDwSzpvF1mIught5QSbSbmTQSVa1wI,6192
+iam_validator/checks/resource_validation.py,sha256=k7qHIwX7IDf4MCWIvl9G17aINzTuZLOHDHRWrujbCaM,7787
 iam_validator/checks/sensitive_action.py,sha256=LHicl6dd5E1JV19cLKvFAMGzLzYr5h_Y7QvS8s57kvA,18952
 iam_validator/checks/service_wildcard.py,sha256=1epcET5oDclAmzxhtmQfKBg3Q5Rl4VXBMoZouxCJLpM,4114
 iam_validator/checks/set_operator_validation.py,sha256=GMZ1OWqySptYWV7565-K4R5ODs1eYgWXDozwtU-3sgY,7422
 iam_validator/checks/sid_uniqueness.py,sha256=MPQwALBjcvbY4Q55mpxDrGMqmVCMb13YSg621YbQYF8,6048
 iam_validator/checks/trust_policy_validation.py,sha256=r3fM2hU7W0yCFS6hbd4ZSlD8y2tm0zk99mUVlIt0LsI,17956
 iam_validator/checks/wildcard_action.py,sha256=VhWezb1JXmFnwV9WKgVu-48ythScGfZasg8fFd6tAG4,2001
-iam_validator/checks/wildcard_resource.py,sha256=5nswLCYvjgiZvv64y3OOywVwmTZMlpYBRSC94FS3X8M,16801
+iam_validator/checks/wildcard_resource.py,sha256=YO2I4q0QssOyjFrG62Yz148n3yRUJPTm_LD-bkVQj28,22351
 iam_validator/checks/utils/__init__.py,sha256=iI9jHIDlDuuPK2vxjJA-qc927PaWC9zVJb9z3vBRUsQ,356
 iam_validator/checks/utils/action_parser.py,sha256=zA_NGknc5gJvsmIlf4aC14eHFIkBLyL9if5ad80gHwY,4421
 iam_validator/checks/utils/policy_level_checks.py,sha256=pr-uLo-otB612YLZ-rd8W5Kl9ENaTHuzTNOUhQaULKc,7593
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
 iam_validator/checks/utils/wildcard_expansion.py,sha256=3W13hlyWcP2wJ6w-BwM887VOnRzglK6Bk3eHMjUtOco,3131
-iam_validator/commands/__init__.py,sha256=RBEz-Kgt3aRVn_9B1HRy_XgQMIKzlSSQs4Gtg2jQEv8,729
+iam_validator/commands/__init__.py,sha256=BgtZqCIazIhCpQIw49J8hOG853Y-sltg4w-SsSEDr14,793
 iam_validator/commands/analyze.py,sha256=rtXZmevC7GCXrADoGrxihRkrLbma59wMAMP2yBhqWPU,21752
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
-iam_validator/commands/cache.py,sha256=llfyQzPE5Azd5YcW0ohYcYjF_OCyiQ1GoJQ982t71lQ,14294
-iam_validator/commands/completion.py,sha256=cnQf3qcV5WSNpwJlPyl_hMNB1z3TkeeXCxj8K2FmEBw,19320
+iam_validator/commands/cache.py,sha256=ZMfNe1HfKlCKESqa-9OkBcgZUqAIcV6m7rDrBxLq700,16162
+iam_validator/commands/completion.py,sha256=mrvGoOOYJVC68SJbqmEJYBvqDHsDVm_4kLRbl15TtHY,23265
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
+iam_validator/commands/mcp.py,sha256=ttJXeWvV9GIK7ipa5xjS0gMjRjw3qcuRhJajF_8_rrU,6315
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/query.py,sha256=ft8ptWfsNUK4Wprq_A11txdV_chBgqkoAo7SQfzEwK0,17079
+iam_validator/commands/query.py,sha256=6EQc3mGRqTZ8k8-yMNMBzV6vLCI0NaP-1P5zeAL1Vvo,35948
 iam_validator/commands/validate.py,sha256=4wk-eSwhgqnQvyUre426S831JadVUctb0FDeCZD4RTk,34176
 iam_validator/core/__init__.py,sha256=hYXkSbxplKzhM6dqrVzV4M3k7GKLsZbgExypxKq74gs,376
 iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
 iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
 iam_validator/core/aws_fetcher.py,sha256=op93QvtGmeLF9dHobl2IuoPDeunn33pBLb8h7XjtmoQ,920
-iam_validator/core/check_registry.py,sha256=oRCdWoCGQ8VZERVYd821u9r5NdKQ9FMC54e6dRWJfqw,25475
+iam_validator/core/check_registry.py,sha256=cRvFko_cTrip94VgVqwkxgrjR6oz3JfSiwertESicRc,28567
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
-iam_validator/core/constants.py,sha256=YRT_uOUs1Dnt9J1hE-zG6Ja0numsH4Mf7RNNXNJWZIY,7447
+iam_validator/core/constants.py,sha256=O80dQ6AtgsCJPempRtNlKaSIVE61rg6YDPV5vgaSnAY,7771
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
 iam_validator/core/ignore_processor.py,sha256=zgWfS-4BU4c_W6VxUxHIHorMtB5XzB410wZ3bbzVgH8,10686
 iam_validator/core/ignored_findings.py,sha256=b4PySz46so1rGKNt4prg2dkysHPfTJP4wsHYorVn1FA,12756
 iam_validator/core/label_manager.py,sha256=qKQ60shsW8yJELkHgd9rXgzLW9oKErPd4hFTTQkHjbI,8776
-iam_validator/core/models.py,sha256=lXUadIsTpp_j0Vt89Ez7aJkTKs2GD2ty3Ukl2NeY9Zo,15680
+iam_validator/core/models.py,sha256=QgL1p5-GEPOSEi6VB-eqHR0dHH4Akq0bI_r-yVa2V9c,17060
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=iid3mGfDzSXASzKDqbLnrqJHBdVQvvebofVqNImsGKM,29201
 iam_validator/core/pr_commenter.py,sha256=IZu2FQqzw73U_8ugTUq197ECLqk9mRCQpTWXPu5qk0k,35490
 iam_validator/core/report.py,sha256=IDjBjSrzrE_JdkA8eTiSxyUL3g36sJMhTkxehEYzuBQ,45476
-iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
-iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
+iam_validator/core/aws_service/__init__.py,sha256=vSmYBn6GGeEcRxxyBmeKcBHFioZlWWBEwbvXmE6ZXVk,800
+iam_validator/core/aws_service/cache.py,sha256=HkxBLCkgf9VYOZKVZd_MidR_TOlUkwbvX3D421ADFZ8,4421
 iam_validator/core/aws_service/client.py,sha256=Zv7rIpEFdUCDXKGp3migPDkj8L5eZltgrGe64M2t2Ko,7336
-iam_validator/core/aws_service/fetcher.py,sha256=TD9qQ4tQF4xdEGhVVADGgF8QlXe15R3nAc2hWZnVoUw,23996
+iam_validator/core/aws_service/fetcher.py,sha256=TqaCp6yKOEXCJdcQIFVBB5RW0pxLMOmQXjJFHZsrBr4,31209
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
-iam_validator/core/aws_service/storage.py,sha256=PrfKdvF60IL7E_8xYs_XwFoAJPRcVYw57FVLHCoqwVk,10429
-iam_validator/core/aws_service/validators.py,sha256=7izAvL92TsWpQePU7g9qvegT_F2xz8CqpbrnSgE40Xg,19890
+iam_validator/core/aws_service/storage.py,sha256=A98ui_THAyZ86ik-t6HWB22vOqwmbFklG10uhdf26p4,10881
+iam_validator/core/aws_service/validators.py,sha256=qWMB4iQi9Oc0SGXOJVrlyjnsMwmPlqhUaywyRL4d-hM,19385
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/aws_global_conditions.py,sha256=PO3zMdzM_QWZduxL3lV2nrmpcMEEwKASCUYHcqX0LBg,7363
+iam_validator/core/config/aws_global_conditions.py,sha256=Ny20rnwp0OGxW8NdrHw8d3Lv3wh8YbL5vCIFQw7ZQh4,8006
 iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
-iam_validator/core/config/check_documentation.py,sha256=Adyt3Q4JSRlVNPWulXVlRIEorxXG_nt0mkPz_ySa8y4,15931
+iam_validator/core/config/check_documentation.py,sha256=-wK6-wfU7SEHX3h2Jj5pOFqgxD9ULW-NvEkSVp_66WA,18718
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
-iam_validator/core/config/config_loader.py,sha256=M51apOv_JwRXC8VM0Spghu8ns-_qnbSoYQZWmgBP3Ww,24059
-iam_validator/core/config/defaults.py,sha256=poREMGKiDLWy9hSWfuWLPy6xXNLf9bkROUQ2A_cJIn4,38502
+iam_validator/core/config/config_loader.py,sha256=Fohz9R-H5edYMYXoT3HkjmsmZE32rjLWlAjnZaz1Xrc,25649
+iam_validator/core/config/defaults.py,sha256=EKlmfX04IGPb4Qs9ctqrStoJ-_LAGEr2PWTJX9fjenk,38920
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -87,20 +89,31 @@ iam_validator/core/formatters/sarif.py,sha256=03MHSyuZm9FlzaPeWg7wH-UTzzCDhSy6vM
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=0aeQ_RPTZf5ij7dsBjmtIDz4oHl0BXLno9GperFzTbc,69004
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_validator/sdk/__init__.py,sha256=AZLnfdn3A9AWb0pMhsbu3GAOAzt6rV7Fi3E3d9_3ZdI,6388
+iam_validator/mcp/__init__.py,sha256=dHCPuxLNKG3EMDYTBum8FTdskoebWJN6TaC03rkcnYQ,4927
+iam_validator/mcp/models.py,sha256=EJaDHaGdVvNzSauxYH3L4hmfbtBLLyzuHX_CbXOZr8Q,4473
+iam_validator/mcp/server.py,sha256=V_d4SmNSNMsPG6nul6II0G9GyvWiAvfnMX5B9_U3RQw,108422
+iam_validator/mcp/session_config.py,sha256=dtzPqHVycpMUQH7qG68LW7ZikUz6APJrzttyFZkXwak,10336
+iam_validator/mcp/templates/__init__.py,sha256=OY1C7Af9O46W5-A2TEuZb3jB7gwrG6N-dZ-LQS6FHpw,2408
+iam_validator/mcp/templates/builtin.py,sha256=3cSPOqAzSQSWY2rBEwQ_sTHHKxur64NVASe0kVErbS8,31032
+iam_validator/mcp/tools/__init__.py,sha256=JqFaQaBpavPpGEWF_GIY6YIXWhIL4kDcKCZQvUzmZyE,2040
+iam_validator/mcp/tools/generation.py,sha256=R_pSLv5uxMyg6Pj-TEY2fY5UV9Pd1mh-P9A44Nvws-I,37124
+iam_validator/mcp/tools/org_config_tools.py,sha256=Y13srYplK3SRIxpK3Sat9TocanThcrF8hWblcS7sJhI,7754
+iam_validator/mcp/tools/query.py,sha256=05X0dhNGY0KcmyKJIn9vYw2ed3yGlFnRC2rqOoyVMLQ,13316
+iam_validator/mcp/tools/validation.py,sha256=XrG7rBGbHnpeZSgNZdfNWyD3XeZwmdBTj-w5ErLOt2c,13219
+iam_validator/sdk/__init__.py,sha256=rfWkijjIA8iKrHE2Wd1HnXAl0jJWHHwYgUFZeISQGiI,6297
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
-iam_validator/sdk/context.py,sha256=FvAEyUa_s7tHWoSdgjSkzHf1CLlYpAEmLZANxs2IJ4A,6826
+iam_validator/sdk/context.py,sha256=b2XXlvsnqxl42d1wsdoynTqsZOy8nRjV73RgxIdKdPQ,6940
 iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
 iam_validator/sdk/helpers.py,sha256=sjfK0na_Fo7O8GhEVhl44rVHqOdw6nAKkBL4FVL-QdU,5697
-iam_validator/sdk/policy_utils.py,sha256=bGdJ1X1aC72dVXXpAnAwyBpAiiX-qXvblpetY5BsjKU,13658
+iam_validator/sdk/policy_utils.py,sha256=zSn3UFdwr5pik-n1Y4pv_AZheyCuFqaGlSIt403L0is,14386
 iam_validator/sdk/query_utils.py,sha256=kp1sORVnouRMt7kvzyZo1569l7j20jJGmHICR7O8Cqs,14455
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
 iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.14.6.dist-info/METADATA,sha256=pAPaTarqbLi7q_cdHu3bkCVeu9BHed34jIQHgMXlj5I,34456
-iam_policy_validator-1.14.6.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.14.6.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.14.6.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.14.6.dist-info/RECORD,,
+iam_policy_validator-1.15.0.dist-info/METADATA,sha256=CkJmAGo-FcnQ0qpEb0_EDjNcbKRzTErYiIic3gUyHD8,34808
+iam_policy_validator-1.15.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.15.0.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.15.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.15.0.dist-info/RECORD,,

iam_policy_validator-1.15.0.dist-info/entry_points.txt

@@ -0,0 +1,4 @@
+[console_scripts]
+iam-policy-validator = iam_validator.core.cli:main
+iam-validator = iam_validator.core.cli:main
+iam-validator-mcp = iam_validator.mcp:run_server

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.14.6"
+__version__ = "1.15.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/__init__.py

@@ -11,6 +11,7 @@ from iam_validator.checks.condition_key_validation import ConditionKeyValidation
 from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.mfa_condition_check import MFAConditionCheck
+from iam_validator.checks.not_action_not_resource import NotActionNotResourceCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
 from iam_validator.checks.policy_structure import PolicyStructureCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
@@ -31,6 +32,7 @@ __all__ = [
     "ConditionTypeMismatchCheck",
     "FullWildcardCheck",
     "MFAConditionCheck",
+    "NotActionNotResourceCheck",
     "PolicySizeCheck",
     "PolicyStructureCheck",
     "PrincipalValidationCheck",

iam_validator/checks/action_validation.py

@@ -9,6 +9,7 @@ validations. However, it can be useful in environments where Access Analyzer is
 not available or for pre-deployment policy validation to catch errors early.
 """
 
+import asyncio
 from typing import ClassVar
 
 from iam_validator.core.aws_service import AWSServiceFetcher
@@ -23,6 +24,51 @@ class ActionValidationCheck(PolicyCheck):
     description: ClassVar[str] = "Validates that actions exist in AWS service definitions"
     default_severity: ClassVar[str] = "error"
 
+    async def _validate_action(
+        self,
+        action: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        statement_sid: str | None,
+        statement_idx: int,
+        line_number: int | None,
+        field_name: str,
+    ) -> ValidationIssue | None:
+        """Validate a single action and return an issue if invalid.
+
+        Args:
+            action: The action string to validate (e.g., "s3:GetObject")
+            fetcher: AWS service fetcher for validation
+            config: Check configuration
+            statement_sid: Statement ID for error reporting
+            statement_idx: Statement index for error reporting
+            line_number: Line number for error reporting
+            field_name: Field name ("action" or "not_action") for error reporting
+
+        Returns:
+            ValidationIssue if action is invalid, None otherwise
+        """
+        # Skip full wildcard - it's valid but handled by security checks
+        if action == "*":
+            return None
+
+        # Validate the action exists in AWS (handles both exact and wildcard patterns)
+        is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
+
+        if not is_valid:
+            return ValidationIssue(
+                severity=self.get_severity(config),
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="invalid_action",
+                message=error_msg or f"Invalid action: `{action}`",
+                action=action,
+                line_number=line_number,
+                field_name=field_name,
+            )
+
+        return None
+
     async def execute(
         self,
         statement: Statement,
@@ -32,36 +78,54 @@ class ActionValidationCheck(PolicyCheck):
     ) -> list[ValidationIssue]:
         """Execute action validation on a statement.
 
-        This check ONLY validates that actions exist in AWS service definitions.
-        Wildcard security checks are handled by security_best_practices_check.
-        """
-        issues = []
+        Validates both Action and NotAction fields to ensure all specified
+        actions exist in AWS service definitions. Wildcard patterns like
+        "s3:Get*" are validated to ensure they match at least one real action.
+
+        Actions are validated in parallel for better performance.
 
-        # Get actions from statement
-        actions = statement.get_actions()
+        Security implications of wildcards are handled by separate checks
+        (wildcard_action, service_wildcard, etc.).
+        """
         statement_sid = statement.sid
         line_number = statement.line_number
 
-        for action in actions:
-            # Skip wildcard actions - they're handled by security_best_practices_check
-            if action == "*" or "*" in action:
-                continue
-
-            # Validate the action exists in AWS
-            is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
-
-            if not is_valid:
-                issues.append(
-                    ValidationIssue(
-                        severity=self.get_severity(config),
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="invalid_action",
-                        message=error_msg or f"Invalid action: `{action}`",
-                        action=action,
-                        line_number=line_number,
-                        field_name="action",
-                    )
+        # Build list of validation tasks for parallel execution
+        tasks = []
+
+        # Validate Action field
+        for action in statement.get_actions():
+            tasks.append(
+                self._validate_action(
+                    action=action,
+                    fetcher=fetcher,
+                    config=config,
+                    statement_sid=statement_sid,
+                    statement_idx=statement_idx,
+                    line_number=line_number,
+                    field_name="action",
                 )
+            )
+
+        # Validate NotAction field (same validation - typos in NotAction are equally problematic)
+        for action in statement.get_not_actions():
+            tasks.append(
+                self._validate_action(
+                    action=action,
+                    fetcher=fetcher,
+                    config=config,
+                    statement_sid=statement_sid,
+                    statement_idx=statement_idx,
+                    line_number=line_number,
+                    field_name="not_action",
+                )
+            )
+
+        # Execute all validations in parallel
+        if not tasks:
+            return []
+
+        results = await asyncio.gather(*tasks)
 
-        return issues
+        # Filter out None results (valid actions)
+        return [issue for issue in results if issue is not None]

iam_validator/checks/not_action_not_resource.py

@@ -0,0 +1,163 @@
+"""NotAction/NotResource check - detects dangerous Not* patterns in IAM policies.
+
+NotAction and NotResource are powerful IAM features that can be misused to
+grant overly broad permissions. This check detects patterns that violate
+the principle of least privilege.
+"""
+
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class NotActionNotResourceCheck(PolicyCheck):
+    """Checks for dangerous NotAction/NotResource patterns.
+
+    Patterns detected:
+    1. NotAction with Effect: Allow - grants everything EXCEPT listed actions
+    2. NotResource with wildcards - grants access to all resources except listed
+    3. NotAction in Allow without strict conditions - missing safeguards
+
+    These patterns are particularly dangerous because they grant permissions
+    by exclusion rather than explicit inclusion, making it easy to accidentally
+    grant more access than intended.
+    """
+
+    check_id: ClassVar[str] = "not_action_not_resource"
+    description: ClassVar[str] = "Checks for dangerous NotAction/NotResource patterns"
+    default_severity: ClassVar[str] = "high"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute NotAction/NotResource check on a statement."""
+        del fetcher  # Unused
+
+        issues = []
+
+        not_actions = statement.get_not_actions()
+        not_resources = statement.get_not_resources()
+        effect = statement.effect
+
+        # Check 1: NotAction with Effect: Allow
+        # This grants ALL actions EXCEPT the listed ones - extremely dangerous
+        if not_actions and effect == "Allow":
+            has_conditions = bool(statement.condition)
+
+            if has_conditions:
+                # NotAction with conditions is still risky but less severe
+                issues.append(
+                    ValidationIssue(
+                        severity="medium",
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_allow",
+                        message=(
+                            "Statement uses NotAction with Allow effect. "
+                            "This grants ALL actions except the listed ones. "
+                            "While conditions are present, this pattern is still risky."
+                        ),
+                        suggestion=(
+                            "Consider using explicit Action lists instead of NotAction. "
+                            "If NotAction is required, ensure conditions are comprehensive."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject", "s3:ListBucket"],\n  "Resource": "*"\n}',
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+            else:
+                # NotAction Allow without conditions is critical
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_allow_no_condition",
+                        message=(
+                            "Statement uses NotAction with Allow effect and NO conditions. "
+                            f"This grants ALL AWS actions except: {', '.join(not_actions[:5])}"
+                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "This is equivalent to granting near-administrator access."
+                        ),
+                        suggestion=(
+                            "Replace NotAction with explicit Action list. "
+                            "If NotAction is required, add strict conditions like "
+                            "aws:SourceIp, aws:PrincipalArn, or aws:MultiFactorAuthPresent."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["specific:Action"],\n  "Resource": "*",\n  "Condition": {\n    "Bool": {"aws:MultiFactorAuthPresent": "true"}\n  }\n}',
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+
+        # Check 2: NotResource with wildcards or broad patterns
+        if not_resources and effect == "Allow":
+            # Check if NotResource is used with wildcard Resource
+            resources = statement.get_resources()
+            has_wildcard_resource = "*" in resources or any("*" in r for r in resources)
+
+            if has_wildcard_resource or not resources:
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_resource_broad",
+                        message=(
+                            "Statement uses NotResource with Allow effect and broad Resource. "
+                            f"This grants access to ALL resources except: {', '.join(not_resources[:3])}"
+                            f"{'...' if len(not_resources) > 3 else ''}."
+                        ),
+                        suggestion=(
+                            "Replace NotResource with explicit Resource ARNs. "
+                            "Using NotResource grants access to all current and future resources "
+                            "except those explicitly excluded."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject"],\n  "Resource": "arn:aws:s3:::my-bucket/*"\n}',
+                        line_number=statement.line_number,
+                        field_name="resource",
+                        resource=", ".join(not_resources[:3])
+                        + ("..." if len(not_resources) > 3 else ""),
+                    )
+                )
+
+        # Check 3: NotAction with Deny - less dangerous but worth noting
+        # NotAction with Deny means "deny everything except these actions"
+        # which is actually a valid deny pattern but should be reviewed
+        if not_actions and effect == "Deny":
+            resources = statement.get_resources()
+            has_wildcard_resource = "*" in resources
+
+            if has_wildcard_resource:
+                issues.append(
+                    ValidationIssue(
+                        severity="low",
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_deny_review",
+                        message=(
+                            "Statement uses NotAction with Deny effect on all resources. "
+                            f"This denies everything except: {', '.join(not_actions[:5])}"
+                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "Review to ensure this is the intended behavior."
+                        ),
+                        suggestion=(
+                            "Verify that allowing only these specific actions is intended. "
+                            "Consider if an explicit Allow list would be clearer."
+                        ),
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+
+        return issues