PyPI - iam-policy-validator - Versions diffs - 1.14.7__py3-none-any.whl → 1.15.0__py3-none-any.whl - Mend

iam-policy-validator 1.14.7py3-none-any.whl → 1.15.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (42) hide show

{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/METADATA +16 -11
{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/RECORD +41 -28
iam_policy_validator-1.15.0.dist-info/entry_points.txt +4 -0
iam_validator/__version__.py +1 -1
iam_validator/checks/__init__.py +2 -0
iam_validator/checks/action_validation.py +91 -27
iam_validator/checks/not_action_not_resource.py +163 -0
iam_validator/checks/resource_validation.py +132 -81
iam_validator/checks/wildcard_resource.py +136 -6
iam_validator/commands/__init__.py +3 -0
iam_validator/commands/cache.py +66 -24
iam_validator/commands/completion.py +94 -15
iam_validator/commands/mcp.py +210 -0
iam_validator/commands/query.py +489 -65
iam_validator/core/aws_service/__init__.py +5 -1
iam_validator/core/aws_service/cache.py +20 -0
iam_validator/core/aws_service/fetcher.py +180 -11
iam_validator/core/aws_service/storage.py +14 -6
iam_validator/core/aws_service/validators.py +32 -41
iam_validator/core/check_registry.py +100 -35
iam_validator/core/config/aws_global_conditions.py +13 -0
iam_validator/core/config/check_documentation.py +104 -51
iam_validator/core/config/config_loader.py +39 -3
iam_validator/core/config/defaults.py +6 -0
iam_validator/core/constants.py +11 -4
iam_validator/core/models.py +39 -14
iam_validator/mcp/__init__.py +162 -0
iam_validator/mcp/models.py +118 -0
iam_validator/mcp/server.py +2928 -0
iam_validator/mcp/session_config.py +319 -0
iam_validator/mcp/templates/__init__.py +79 -0
iam_validator/mcp/templates/builtin.py +856 -0
iam_validator/mcp/tools/__init__.py +72 -0
iam_validator/mcp/tools/generation.py +888 -0
iam_validator/mcp/tools/org_config_tools.py +263 -0
iam_validator/mcp/tools/query.py +395 -0
iam_validator/mcp/tools/validation.py +376 -0
iam_validator/sdk/__init__.py +2 -0
iam_validator/sdk/policy_utils.py +31 -5
iam_policy_validator-1.14.7.dist-info/entry_points.txt +0 -2
{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/licenses/LICENSE +0 -0

{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.14.7
+Version: 1.15.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -11,7 +11,7 @@ Author-email: boogy <0xboogy@gmail.com>
 License: MIT
 License-File: LICENSE
 Keywords: aws,github-action,iam,policy,security,validation
-Classifier: Development Status :: 4 - Beta
+Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Intended Audience :: System Administrators
 Classifier: License :: OSI Approved :: MIT License
@@ -19,6 +19,8 @@ Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Security
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: System :: Systems Administration
@@ -44,6 +46,8 @@ Requires-Dist: mkdocs-literate-nav>=0.6.0; extra == 'docs'
 Requires-Dist: mkdocs-material>=9.5.0; extra == 'docs'
 Requires-Dist: mkdocs>=1.6.0; extra == 'docs'
 Requires-Dist: mkdocstrings[python]>=0.24.0; extra == 'docs'
+Provides-Extra: mcp
+Requires-Dist: fastmcp>=2.14.1; extra == 'mcp'
 Description-Content-Type: text/markdown
 # IAM Policy Validator
@@ -55,6 +59,8 @@ Description-Content-Type: text/markdown
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
 [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/boogy/iam-policy-validator/badge)](https://scorecard.dev/viewer/?uri=github.com/boogy/iam-policy-validator)
+**[📖 Full Documentation](https://boogy.github.io/iam-policy-validator/)**
 ---
 ## Why This Tool Exists
@@ -434,15 +440,14 @@ Validates against official AWS IAM requirements:
 Identifies overly permissive configurations:
-| Check                                 | What It Catches                                        |
-| ------------------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**                   | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**                 | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**                     | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**                 | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
-| **Sensitive Actions (Policy-Wide)**   | **Cross-statement** privilege escalation patterns      |
-| **Sensitive Actions (Per-Statement)** | Dangerous actions in single statement                  |
-| **Condition Enforcement**             | Organization-specific requirements (your custom rules) |
+| Check                     | What It Catches                                        |
+| ------------------------- | ------------------------------------------------------ |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
+| **Condition Enforcement** | Organization-specific condition requirements           |
 **Note on Sensitive Actions:** This check has two modes:

{iam_policy_validator-1.14.7.dist-info → iam_policy_validator-1.15.0.dist-info}/RECORD RENAMED Viewed

@@ -1,76 +1,78 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=gzNFhw4Ir0RuOpe7hw6D6K-mQnE1zvBtL7jSlcAUnrE,374
-iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
+iam_validator/__version__.py,sha256=nBQw8c9_j3cm0AjlGzltWfPi7BYKIJlC0VQImhHNMGQ,374
+iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
-iam_validator/checks/action_validation.py,sha256=glA2F3iQBU-d8rruiyB9IdzVOESC2Kb-91SnwRCdQF0,2562
+iam_validator/checks/action_validation.py,sha256=gy9_mujYbojBboLk0WwuJYJjggrY2sRwHAFvJnoLTYE,4823
 iam_validator/checks/condition_key_validation.py,sha256=5i8LqqV78SjWK6pLrbttWmeMAD4pDC12_FjTjx5dFSU,4024
 iam_validator/checks/condition_type_mismatch.py,sha256=KJp7zQHDd8VeTcfjcD-ur3S4070cXEDTWkFtxfp7CuE,10652
 iam_validator/checks/full_wildcard.py,sha256=0TkkHtV0MZ6nZtJRtGdn3wwOMM96TRyGO7l7mmdHNUo,2325
 iam_validator/checks/mfa_condition_check.py,sha256=y1LbqcvQ_fL2BPTNaKRQoBYM5hM7JET9cDPUOWKFEVs,4814
+iam_validator/checks/not_action_not_resource.py,sha256=WWKOCLCq7yxOG9tgi1n5xPpphTLZ9RfcfPwZ-TP6n9Y,8097
 iam_validator/checks/policy_size.py,sha256=eJd36Nj4gqWLIkQ5imhHR1hGtQ6T-iJsC22Wd1VSUf0,4681
 iam_validator/checks/policy_structure.py,sha256=LExdm93JeqsyhikWrh9lfJ9sBiZ4818Ts0-N3MwUrtk,22089
 iam_validator/checks/policy_type_validation.py,sha256=-Q2Yn_sa7Cba_Fb9ESxSL5qNbRpncuC7NQy7R_fdJtY,16521
 iam_validator/checks/principal_validation.py,sha256=TthgDW5YXFfv5li1u4nn56k0Feqt5HeOEtQgo5pBKqo,27911
-iam_validator/checks/resource_validation.py,sha256=RIBMiCMwX45wwnDwSzpvF1mIught5QSbSbmTQSVa1wI,6192
+iam_validator/checks/resource_validation.py,sha256=k7qHIwX7IDf4MCWIvl9G17aINzTuZLOHDHRWrujbCaM,7787
 iam_validator/checks/sensitive_action.py,sha256=LHicl6dd5E1JV19cLKvFAMGzLzYr5h_Y7QvS8s57kvA,18952
 iam_validator/checks/service_wildcard.py,sha256=1epcET5oDclAmzxhtmQfKBg3Q5Rl4VXBMoZouxCJLpM,4114
 iam_validator/checks/set_operator_validation.py,sha256=GMZ1OWqySptYWV7565-K4R5ODs1eYgWXDozwtU-3sgY,7422
 iam_validator/checks/sid_uniqueness.py,sha256=MPQwALBjcvbY4Q55mpxDrGMqmVCMb13YSg621YbQYF8,6048
 iam_validator/checks/trust_policy_validation.py,sha256=r3fM2hU7W0yCFS6hbd4ZSlD8y2tm0zk99mUVlIt0LsI,17956
 iam_validator/checks/wildcard_action.py,sha256=VhWezb1JXmFnwV9WKgVu-48ythScGfZasg8fFd6tAG4,2001
-iam_validator/checks/wildcard_resource.py,sha256=5nswLCYvjgiZvv64y3OOywVwmTZMlpYBRSC94FS3X8M,16801
+iam_validator/checks/wildcard_resource.py,sha256=YO2I4q0QssOyjFrG62Yz148n3yRUJPTm_LD-bkVQj28,22351
 iam_validator/checks/utils/__init__.py,sha256=iI9jHIDlDuuPK2vxjJA-qc927PaWC9zVJb9z3vBRUsQ,356
 iam_validator/checks/utils/action_parser.py,sha256=zA_NGknc5gJvsmIlf4aC14eHFIkBLyL9if5ad80gHwY,4421
 iam_validator/checks/utils/policy_level_checks.py,sha256=pr-uLo-otB612YLZ-rd8W5Kl9ENaTHuzTNOUhQaULKc,7593
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
 iam_validator/checks/utils/wildcard_expansion.py,sha256=3W13hlyWcP2wJ6w-BwM887VOnRzglK6Bk3eHMjUtOco,3131
-iam_validator/commands/__init__.py,sha256=RBEz-Kgt3aRVn_9B1HRy_XgQMIKzlSSQs4Gtg2jQEv8,729
+iam_validator/commands/__init__.py,sha256=BgtZqCIazIhCpQIw49J8hOG853Y-sltg4w-SsSEDr14,793
 iam_validator/commands/analyze.py,sha256=rtXZmevC7GCXrADoGrxihRkrLbma59wMAMP2yBhqWPU,21752
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
-iam_validator/commands/cache.py,sha256=llfyQzPE5Azd5YcW0ohYcYjF_OCyiQ1GoJQ982t71lQ,14294
-iam_validator/commands/completion.py,sha256=cnQf3qcV5WSNpwJlPyl_hMNB1z3TkeeXCxj8K2FmEBw,19320
+iam_validator/commands/cache.py,sha256=ZMfNe1HfKlCKESqa-9OkBcgZUqAIcV6m7rDrBxLq700,16162
+iam_validator/commands/completion.py,sha256=mrvGoOOYJVC68SJbqmEJYBvqDHsDVm_4kLRbl15TtHY,23265
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
+iam_validator/commands/mcp.py,sha256=ttJXeWvV9GIK7ipa5xjS0gMjRjw3qcuRhJajF_8_rrU,6315
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/query.py,sha256=ft8ptWfsNUK4Wprq_A11txdV_chBgqkoAo7SQfzEwK0,17079
+iam_validator/commands/query.py,sha256=6EQc3mGRqTZ8k8-yMNMBzV6vLCI0NaP-1P5zeAL1Vvo,35948
 iam_validator/commands/validate.py,sha256=4wk-eSwhgqnQvyUre426S831JadVUctb0FDeCZD4RTk,34176
 iam_validator/core/__init__.py,sha256=hYXkSbxplKzhM6dqrVzV4M3k7GKLsZbgExypxKq74gs,376
 iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
 iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
 iam_validator/core/aws_fetcher.py,sha256=op93QvtGmeLF9dHobl2IuoPDeunn33pBLb8h7XjtmoQ,920
-iam_validator/core/check_registry.py,sha256=oRCdWoCGQ8VZERVYd821u9r5NdKQ9FMC54e6dRWJfqw,25475
+iam_validator/core/check_registry.py,sha256=cRvFko_cTrip94VgVqwkxgrjR6oz3JfSiwertESicRc,28567
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
-iam_validator/core/constants.py,sha256=YRT_uOUs1Dnt9J1hE-zG6Ja0numsH4Mf7RNNXNJWZIY,7447
+iam_validator/core/constants.py,sha256=O80dQ6AtgsCJPempRtNlKaSIVE61rg6YDPV5vgaSnAY,7771
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
 iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
 iam_validator/core/ignore_processor.py,sha256=zgWfS-4BU4c_W6VxUxHIHorMtB5XzB410wZ3bbzVgH8,10686
 iam_validator/core/ignored_findings.py,sha256=b4PySz46so1rGKNt4prg2dkysHPfTJP4wsHYorVn1FA,12756
 iam_validator/core/label_manager.py,sha256=qKQ60shsW8yJELkHgd9rXgzLW9oKErPd4hFTTQkHjbI,8776
-iam_validator/core/models.py,sha256=lXUadIsTpp_j0Vt89Ez7aJkTKs2GD2ty3Ukl2NeY9Zo,15680
+iam_validator/core/models.py,sha256=QgL1p5-GEPOSEi6VB-eqHR0dHH4Akq0bI_r-yVa2V9c,17060
 iam_validator/core/policy_checks.py,sha256=FNVuS2GTffwCjjrlupVIazC172gSxKYAAT_ObV6Apbo,8803
 iam_validator/core/policy_loader.py,sha256=iid3mGfDzSXASzKDqbLnrqJHBdVQvvebofVqNImsGKM,29201
 iam_validator/core/pr_commenter.py,sha256=IZu2FQqzw73U_8ugTUq197ECLqk9mRCQpTWXPu5qk0k,35490
 iam_validator/core/report.py,sha256=IDjBjSrzrE_JdkA8eTiSxyUL3g36sJMhTkxehEYzuBQ,45476
-iam_validator/core/aws_service/__init__.py,sha256=UqMh4HUdGlx2QF5OoueJJ2UlCnhX4QW_x3KeE_bxRQc,735
-iam_validator/core/aws_service/cache.py,sha256=DPuOOPPJC867KAYgV1e0RyQs_k3mtefMdYli3jPaN64,3589
+iam_validator/core/aws_service/__init__.py,sha256=vSmYBn6GGeEcRxxyBmeKcBHFioZlWWBEwbvXmE6ZXVk,800
+iam_validator/core/aws_service/cache.py,sha256=HkxBLCkgf9VYOZKVZd_MidR_TOlUkwbvX3D421ADFZ8,4421
 iam_validator/core/aws_service/client.py,sha256=Zv7rIpEFdUCDXKGp3migPDkj8L5eZltgrGe64M2t2Ko,7336
-iam_validator/core/aws_service/fetcher.py,sha256=TD9qQ4tQF4xdEGhVVADGgF8QlXe15R3nAc2hWZnVoUw,23996
+iam_validator/core/aws_service/fetcher.py,sha256=TqaCp6yKOEXCJdcQIFVBB5RW0pxLMOmQXjJFHZsrBr4,31209
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
-iam_validator/core/aws_service/storage.py,sha256=PrfKdvF60IL7E_8xYs_XwFoAJPRcVYw57FVLHCoqwVk,10429
-iam_validator/core/aws_service/validators.py,sha256=7izAvL92TsWpQePU7g9qvegT_F2xz8CqpbrnSgE40Xg,19890
+iam_validator/core/aws_service/storage.py,sha256=A98ui_THAyZ86ik-t6HWB22vOqwmbFklG10uhdf26p4,10881
+iam_validator/core/aws_service/validators.py,sha256=qWMB4iQi9Oc0SGXOJVrlyjnsMwmPlqhUaywyRL4d-hM,19385
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/aws_global_conditions.py,sha256=PO3zMdzM_QWZduxL3lV2nrmpcMEEwKASCUYHcqX0LBg,7363
+iam_validator/core/config/aws_global_conditions.py,sha256=Ny20rnwp0OGxW8NdrHw8d3Lv3wh8YbL5vCIFQw7ZQh4,8006
 iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
-iam_validator/core/config/check_documentation.py,sha256=Adyt3Q4JSRlVNPWulXVlRIEorxXG_nt0mkPz_ySa8y4,15931
+iam_validator/core/config/check_documentation.py,sha256=-wK6-wfU7SEHX3h2Jj5pOFqgxD9ULW-NvEkSVp_66WA,18718
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
-iam_validator/core/config/config_loader.py,sha256=M51apOv_JwRXC8VM0Spghu8ns-_qnbSoYQZWmgBP3Ww,24059
-iam_validator/core/config/defaults.py,sha256=poREMGKiDLWy9hSWfuWLPy6xXNLf9bkROUQ2A_cJIn4,38502
+iam_validator/core/config/config_loader.py,sha256=Fohz9R-H5edYMYXoT3HkjmsmZE32rjLWlAjnZaz1Xrc,25649
+iam_validator/core/config/defaults.py,sha256=EKlmfX04IGPb4Qs9ctqrStoJ-_LAGEr2PWTJX9fjenk,38920
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -87,20 +89,31 @@ iam_validator/core/formatters/sarif.py,sha256=03MHSyuZm9FlzaPeWg7wH-UTzzCDhSy6vM
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=0aeQ_RPTZf5ij7dsBjmtIDz4oHl0BXLno9GperFzTbc,69004
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_validator/sdk/__init__.py,sha256=1voMXldzhLJ0mZ4AxwYPXwJd_kKFjQ-zp_tN8eWvkP4,6209
+iam_validator/mcp/__init__.py,sha256=dHCPuxLNKG3EMDYTBum8FTdskoebWJN6TaC03rkcnYQ,4927
+iam_validator/mcp/models.py,sha256=EJaDHaGdVvNzSauxYH3L4hmfbtBLLyzuHX_CbXOZr8Q,4473
+iam_validator/mcp/server.py,sha256=V_d4SmNSNMsPG6nul6II0G9GyvWiAvfnMX5B9_U3RQw,108422
+iam_validator/mcp/session_config.py,sha256=dtzPqHVycpMUQH7qG68LW7ZikUz6APJrzttyFZkXwak,10336
+iam_validator/mcp/templates/__init__.py,sha256=OY1C7Af9O46W5-A2TEuZb3jB7gwrG6N-dZ-LQS6FHpw,2408
+iam_validator/mcp/templates/builtin.py,sha256=3cSPOqAzSQSWY2rBEwQ_sTHHKxur64NVASe0kVErbS8,31032
+iam_validator/mcp/tools/__init__.py,sha256=JqFaQaBpavPpGEWF_GIY6YIXWhIL4kDcKCZQvUzmZyE,2040
+iam_validator/mcp/tools/generation.py,sha256=R_pSLv5uxMyg6Pj-TEY2fY5UV9Pd1mh-P9A44Nvws-I,37124
+iam_validator/mcp/tools/org_config_tools.py,sha256=Y13srYplK3SRIxpK3Sat9TocanThcrF8hWblcS7sJhI,7754
+iam_validator/mcp/tools/query.py,sha256=05X0dhNGY0KcmyKJIn9vYw2ed3yGlFnRC2rqOoyVMLQ,13316
+iam_validator/mcp/tools/validation.py,sha256=XrG7rBGbHnpeZSgNZdfNWyD3XeZwmdBTj-w5ErLOt2c,13219
+iam_validator/sdk/__init__.py,sha256=rfWkijjIA8iKrHE2Wd1HnXAl0jJWHHwYgUFZeISQGiI,6297
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
 iam_validator/sdk/context.py,sha256=b2XXlvsnqxl42d1wsdoynTqsZOy8nRjV73RgxIdKdPQ,6940
 iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
 iam_validator/sdk/helpers.py,sha256=sjfK0na_Fo7O8GhEVhl44rVHqOdw6nAKkBL4FVL-QdU,5697
-iam_validator/sdk/policy_utils.py,sha256=bGdJ1X1aC72dVXXpAnAwyBpAiiX-qXvblpetY5BsjKU,13658
+iam_validator/sdk/policy_utils.py,sha256=zSn3UFdwr5pik-n1Y4pv_AZheyCuFqaGlSIt403L0is,14386
 iam_validator/sdk/query_utils.py,sha256=kp1sORVnouRMt7kvzyZo1569l7j20jJGmHICR7O8Cqs,14455
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
 iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.14.7.dist-info/METADATA,sha256=l4PstdoYzO1kqFBTI2M7UDbvoQMAcVC9sHamKl43x9Y,34741
-iam_policy_validator-1.14.7.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.14.7.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.14.7.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.14.7.dist-info/RECORD,,
+iam_policy_validator-1.15.0.dist-info/METADATA,sha256=CkJmAGo-FcnQ0qpEb0_EDjNcbKRzTErYiIic3gUyHD8,34808
+iam_policy_validator-1.15.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.15.0.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.15.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.15.0.dist-info/RECORD,,

iam_policy_validator-1.15.0.dist-info/entry_points.txt ADDED Viewed

@@ -0,0 +1,4 @@
+[console_scripts]
+iam-policy-validator = iam_validator.core.cli:main
+iam-validator = iam_validator.core.cli:main
+iam-validator-mcp = iam_validator.mcp:run_server

iam_validator/__version__.py CHANGED Viewed

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
-__version__ = "1.14.7"
+__version__ = "1.15.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/__init__.py CHANGED Viewed

@@ -11,6 +11,7 @@ from iam_validator.checks.condition_key_validation import ConditionKeyValidation
 from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.mfa_condition_check import MFAConditionCheck
+from iam_validator.checks.not_action_not_resource import NotActionNotResourceCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
 from iam_validator.checks.policy_structure import PolicyStructureCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
@@ -31,6 +32,7 @@ __all__ = [
     "ConditionTypeMismatchCheck",
     "FullWildcardCheck",
     "MFAConditionCheck",
+    "NotActionNotResourceCheck",
     "PolicySizeCheck",
     "PolicyStructureCheck",
     "PrincipalValidationCheck",

iam_validator/checks/action_validation.py CHANGED Viewed

@@ -9,6 +9,7 @@ validations. However, it can be useful in environments where Access Analyzer is
 not available or for pre-deployment policy validation to catch errors early.
 """
+import asyncio
 from typing import ClassVar
 from iam_validator.core.aws_service import AWSServiceFetcher
@@ -23,6 +24,51 @@ class ActionValidationCheck(PolicyCheck):
     description: ClassVar[str] = "Validates that actions exist in AWS service definitions"
     default_severity: ClassVar[str] = "error"
+    async def _validate_action(
+        self,
+        action: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        statement_sid: str | None,
+        statement_idx: int,
+        line_number: int | None,
+        field_name: str,
+    ) -> ValidationIssue | None:
+        """Validate a single action and return an issue if invalid.
+        Args:
+            action: The action string to validate (e.g., "s3:GetObject")
+            fetcher: AWS service fetcher for validation
+            config: Check configuration
+            statement_sid: Statement ID for error reporting
+            statement_idx: Statement index for error reporting
+            line_number: Line number for error reporting
+            field_name: Field name ("action" or "not_action") for error reporting
+        Returns:
+            ValidationIssue if action is invalid, None otherwise
+        """
+        # Skip full wildcard - it's valid but handled by security checks
+        if action == "*":
+            return None
+        # Validate the action exists in AWS (handles both exact and wildcard patterns)
+        is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
+        if not is_valid:
+            return ValidationIssue(
+                severity=self.get_severity(config),
+                statement_sid=statement_sid,
+                statement_index=statement_idx,
+                issue_type="invalid_action",
+                message=error_msg or f"Invalid action: `{action}`",
+                action=action,
+                line_number=line_number,
+                field_name=field_name,
+            )
+        return None
     async def execute(
         self,
         statement: Statement,
@@ -32,36 +78,54 @@ class ActionValidationCheck(PolicyCheck):
     ) -> list[ValidationIssue]:
         """Execute action validation on a statement.
-        This check ONLY validates that actions exist in AWS service definitions.
-        Wildcard security checks are handled by security_best_practices_check.
-        """
-        issues = []
+        Validates both Action and NotAction fields to ensure all specified
+        actions exist in AWS service definitions. Wildcard patterns like
+        "s3:Get*" are validated to ensure they match at least one real action.
+        Actions are validated in parallel for better performance.
-        # Get actions from statement
-        actions = statement.get_actions()
+        Security implications of wildcards are handled by separate checks
+        (wildcard_action, service_wildcard, etc.).
+        """
         statement_sid = statement.sid
         line_number = statement.line_number
-        for action in actions:
-            # Skip wildcard actions - they're handled by security_best_practices_check
-            if action == "*" or "*" in action:
-                continue
-            # Validate the action exists in AWS
-            is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
-            if not is_valid:
-                issues.append(
-                    ValidationIssue(
-                        severity=self.get_severity(config),
-                        statement_sid=statement_sid,
-                        statement_index=statement_idx,
-                        issue_type="invalid_action",
-                        message=error_msg or f"Invalid action: `{action}`",
-                        action=action,
-                        line_number=line_number,
-                        field_name="action",
-                    )
+        # Build list of validation tasks for parallel execution
+        tasks = []
+        # Validate Action field
+        for action in statement.get_actions():
+            tasks.append(
+                self._validate_action(
+                    action=action,
+                    fetcher=fetcher,
+                    config=config,
+                    statement_sid=statement_sid,
+                    statement_idx=statement_idx,
+                    line_number=line_number,
+                    field_name="action",
                 )
+            )
+        # Validate NotAction field (same validation - typos in NotAction are equally problematic)
+        for action in statement.get_not_actions():
+            tasks.append(
+                self._validate_action(
+                    action=action,
+                    fetcher=fetcher,
+                    config=config,
+                    statement_sid=statement_sid,
+                    statement_idx=statement_idx,
+                    line_number=line_number,
+                    field_name="not_action",
+                )
+            )
+        # Execute all validations in parallel
+        if not tasks:
+            return []
+        results = await asyncio.gather(*tasks)
-        return issues
+        # Filter out None results (valid actions)
+        return [issue for issue in results if issue is not None]

iam_validator/checks/not_action_not_resource.py ADDED Viewed

@@ -0,0 +1,163 @@
+"""NotAction/NotResource check - detects dangerous Not* patterns in IAM policies.
+NotAction and NotResource are powerful IAM features that can be misused to
+grant overly broad permissions. This check detects patterns that violate
+the principle of least privilege.
+"""
+from typing import ClassVar
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+class NotActionNotResourceCheck(PolicyCheck):
+    """Checks for dangerous NotAction/NotResource patterns.
+    Patterns detected:
+    1. NotAction with Effect: Allow - grants everything EXCEPT listed actions
+    2. NotResource with wildcards - grants access to all resources except listed
+    3. NotAction in Allow without strict conditions - missing safeguards
+    These patterns are particularly dangerous because they grant permissions
+    by exclusion rather than explicit inclusion, making it easy to accidentally
+    grant more access than intended.
+    """
+    check_id: ClassVar[str] = "not_action_not_resource"
+    description: ClassVar[str] = "Checks for dangerous NotAction/NotResource patterns"
+    default_severity: ClassVar[str] = "high"
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute NotAction/NotResource check on a statement."""
+        del fetcher  # Unused
+        issues = []
+        not_actions = statement.get_not_actions()
+        not_resources = statement.get_not_resources()
+        effect = statement.effect
+        # Check 1: NotAction with Effect: Allow
+        # This grants ALL actions EXCEPT the listed ones - extremely dangerous
+        if not_actions and effect == "Allow":
+            has_conditions = bool(statement.condition)
+            if has_conditions:
+                # NotAction with conditions is still risky but less severe
+                issues.append(
+                    ValidationIssue(
+                        severity="medium",
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_allow",
+                        message=(
+                            "Statement uses NotAction with Allow effect. "
+                            "This grants ALL actions except the listed ones. "
+                            "While conditions are present, this pattern is still risky."
+                        ),
+                        suggestion=(
+                            "Consider using explicit Action lists instead of NotAction. "
+                            "If NotAction is required, ensure conditions are comprehensive."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject", "s3:ListBucket"],\n  "Resource": "*"\n}',
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+            else:
+                # NotAction Allow without conditions is critical
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_allow_no_condition",
+                        message=(
+                            "Statement uses NotAction with Allow effect and NO conditions. "
+                            f"This grants ALL AWS actions except: {', '.join(not_actions[:5])}"
+                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "This is equivalent to granting near-administrator access."
+                        ),
+                        suggestion=(
+                            "Replace NotAction with explicit Action list. "
+                            "If NotAction is required, add strict conditions like "
+                            "aws:SourceIp, aws:PrincipalArn, or aws:MultiFactorAuthPresent."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["specific:Action"],\n  "Resource": "*",\n  "Condition": {\n    "Bool": {"aws:MultiFactorAuthPresent": "true"}\n  }\n}',
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+        # Check 2: NotResource with wildcards or broad patterns
+        if not_resources and effect == "Allow":
+            # Check if NotResource is used with wildcard Resource
+            resources = statement.get_resources()
+            has_wildcard_resource = "*" in resources or any("*" in r for r in resources)
+            if has_wildcard_resource or not resources:
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_resource_broad",
+                        message=(
+                            "Statement uses NotResource with Allow effect and broad Resource. "
+                            f"This grants access to ALL resources except: {', '.join(not_resources[:3])}"
+                            f"{'...' if len(not_resources) > 3 else ''}."
+                        ),
+                        suggestion=(
+                            "Replace NotResource with explicit Resource ARNs. "
+                            "Using NotResource grants access to all current and future resources "
+                            "except those explicitly excluded."
+                        ),
+                        example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject"],\n  "Resource": "arn:aws:s3:::my-bucket/*"\n}',
+                        line_number=statement.line_number,
+                        field_name="resource",
+                        resource=", ".join(not_resources[:3])
+                        + ("..." if len(not_resources) > 3 else ""),
+                    )
+                )
+        # Check 3: NotAction with Deny - less dangerous but worth noting
+        # NotAction with Deny means "deny everything except these actions"
+        # which is actually a valid deny pattern but should be reviewed
+        if not_actions and effect == "Deny":
+            resources = statement.get_resources()
+            has_wildcard_resource = "*" in resources
+            if has_wildcard_resource:
+                issues.append(
+                    ValidationIssue(
+                        severity="low",
+                        statement_sid=statement.sid,
+                        statement_index=statement_idx,
+                        issue_type="not_action_deny_review",
+                        message=(
+                            "Statement uses NotAction with Deny effect on all resources. "
+                            f"This denies everything except: {', '.join(not_actions[:5])}"
+                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "Review to ensure this is the intended behavior."
+                        ),
+                        suggestion=(
+                            "Verify that allowing only these specific actions is intended. "
+                            "Consider if an explicit Allow list would be clearer."
+                        ),
+                        line_number=statement.line_number,
+                        field_name="action",
+                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                    )
+                )
+        return issues

iam-policy-validator 1.14.7__py3-none-any.whl → 1.15.0__py3-none-any.whl

iam-policy-validator 1.14.7py3-none-any.whl → 1.15.0py3-none-any.whl