iam-policy-validator 1.15.0__py3-none-any.whl → 1.15.2__py3-none-any.whl

{iam_policy_validator-1.15.0.dist-info → iam_policy_validator-1.15.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.0
+Version: 1.15.2
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -99,8 +99,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
-    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObjekt",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
+    }
   ]
 }
 ```
@@ -111,7 +119,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
   ]
 }
 ```
@@ -122,7 +134,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
+    }
   ]
 }
 ```
@@ -228,7 +244,8 @@ action_condition_enforcement:
           description: "Restrict which services can use passed roles"
 
     # Enforce IP restrictions for privileged actions (automation from CI/CD)
-    - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
+    - actions:
+        ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
           expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -270,9 +287,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
 ```json
 {
   "Statement": [
-    {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
-    {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
-    {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+    {
+      "Sid": "AllowUserManagement",
+      "Action": "iam:CreateUser",
+      "Resource": "*"
+    },
+    { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
+    {
+      "Sid": "AllowPolicyAttachment",
+      "Action": "iam:AttachUserPolicy",
+      "Resource": "*"
+    }
   ]
 }
 ```
@@ -408,9 +433,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
 - uses: boogy/iam-policy-validator@v1
   with:
     path: policies/
-    github-review: true        # Inline PR comments
-    github-summary: true       # Actions summary tab
-    fail-on-severity: high     # Block merge on high/critical
+    github-review: true # Inline PR comments
+    github-summary: true # Actions summary tab
+    fail-on-severity: high # Block merge on high/critical
 ```
 
 ---
@@ -440,14 +465,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                     | What It Catches                                        |
-| ------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| Check                     | What It Catches                                          |
+| ------------------------- | -------------------------------------------------------- |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions                 |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources                 |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)    |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                  |
 | **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
-| **Condition Enforcement** | Organization-specific condition requirements           |
+| **Condition Enforcement** | Organization-specific condition requirements             |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -540,7 +565,7 @@ action_condition_enforcement:
     - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
-          expected_value: ["10.0.0.0/8", "52.94.76.0/24"]  # Corporate + GitHub Actions
+          expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
 
 # Ignore patterns
 ignore_patterns:
@@ -677,19 +702,19 @@ iam-validator analyze --path new-policy.json \
 
 ## Comparison Matrix
 
-| Feature                        | IAM Policy Validator             | IAM Lens                      | IAMSpy                 | Policy Sentry              |
-| ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
-| **Primary Purpose**            | Pre-deployment validation        | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
-| **Use Case**                   | CI/CD policy scanning            | "What can this principal do?" | Pentesting/audit       | Policy creation            |
-| **Custom Security Rules**      | ✅ Full support                   | ❌ No                          | ❌ No                   | ❌ No                       |
+| Feature                        | IAM Policy Validator              | IAM Lens                      | IAMSpy                 | Policy Sentry              |
+| ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
+| **Primary Purpose**            | Pre-deployment validation         | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
+| **Use Case**                   | CI/CD policy scanning             | "What can this principal do?" | Pentesting/audit       | Policy creation            |
+| **Custom Security Rules**      | ✅ Full support                   | ❌ No                         | ❌ No                  | ❌ No                      |
 | **Cross-Statement Patterns**   | ✅ Privilege escalation detection | N/A (different purpose)       | N/A                    | N/A                        |
-| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                   | ✅ Generates correct        |
-| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup                | ⚠️ Manual               | ⚠️ Manual                   |
-| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data       | ⚠️ Static               | ✅ Official API             |
-| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account           | ✅ Yes                  | ❌ Needs internet           |
-| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)    | ⚠️ Enumerate only       | ✅ Excellent                |
+| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                  | ✅ Generates correct       |
+| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup               | ⚠️ Manual              | ⚠️ Manual                  |
+| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data      | ⚠️ Static              | ✅ Official API            |
+| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account          | ✅ Yes                 | ❌ Needs internet          |
+| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)   | ⚠️ Enumerate only      | ✅ Excellent               |
 
 **Choose this tool if you:**
 

{iam_policy_validator-1.15.0.dist-info → iam_policy_validator-1.15.2.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=nBQw8c9_j3cm0AjlGzltWfPi7BYKIJlC0VQImhHNMGQ,374
+iam_validator/__version__.py,sha256=Bgc0qLeAX9DtaxWp2EJRUbZweOqF_-YeAxjCOs2BIuM,374
 iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
@@ -13,7 +13,7 @@ iam_validator/checks/not_action_not_resource.py,sha256=WWKOCLCq7yxOG9tgi1n5xPpph
 iam_validator/checks/policy_size.py,sha256=eJd36Nj4gqWLIkQ5imhHR1hGtQ6T-iJsC22Wd1VSUf0,4681
 iam_validator/checks/policy_structure.py,sha256=LExdm93JeqsyhikWrh9lfJ9sBiZ4818Ts0-N3MwUrtk,22089
 iam_validator/checks/policy_type_validation.py,sha256=-Q2Yn_sa7Cba_Fb9ESxSL5qNbRpncuC7NQy7R_fdJtY,16521
-iam_validator/checks/principal_validation.py,sha256=TthgDW5YXFfv5li1u4nn56k0Feqt5HeOEtQgo5pBKqo,27911
+iam_validator/checks/principal_validation.py,sha256=oXSooVQIgUfbTRulgpiLACSJ2LZXM0Q4I00tOX3YTAI,34679
 iam_validator/checks/resource_validation.py,sha256=k7qHIwX7IDf4MCWIvl9G17aINzTuZLOHDHRWrujbCaM,7787
 iam_validator/checks/sensitive_action.py,sha256=LHicl6dd5E1JV19cLKvFAMGzLzYr5h_Y7QvS8s57kvA,18952
 iam_validator/checks/service_wildcard.py,sha256=1epcET5oDclAmzxhtmQfKBg3Q5Rl4VXBMoZouxCJLpM,4114
@@ -44,7 +44,7 @@ iam_validator/core/aws_fetcher.py,sha256=op93QvtGmeLF9dHobl2IuoPDeunn33pBLb8h7Xj
 iam_validator/core/check_registry.py,sha256=cRvFko_cTrip94VgVqwkxgrjR6oz3JfSiwertESicRc,28567
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
-iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
+iam_validator/core/condition_validators.py,sha256=5IdCZG0w8qQL37_wYv8TPQD3rIsmrB-845Ff4N-WXDU,27357
 iam_validator/core/constants.py,sha256=O80dQ6AtgsCJPempRtNlKaSIVE61rg6YDPV5vgaSnAY,7771
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
@@ -64,15 +64,15 @@ iam_validator/core/aws_service/fetcher.py,sha256=TqaCp6yKOEXCJdcQIFVBB5RW0pxLMOm
 iam_validator/core/aws_service/parsers.py,sha256=gJzR7HCD8ItCWCCbguTQIZpPEdj2rdMwC7LPhu7ve14,5174
 iam_validator/core/aws_service/patterns.py,sha256=gGc55Tn-EJ3cmcWtmYAZROUajKYz7DaMchYWGEhHpC0,1726
 iam_validator/core/aws_service/storage.py,sha256=A98ui_THAyZ86ik-t6HWB22vOqwmbFklG10uhdf26p4,10881
-iam_validator/core/aws_service/validators.py,sha256=qWMB4iQi9Oc0SGXOJVrlyjnsMwmPlqhUaywyRL4d-hM,19385
+iam_validator/core/aws_service/validators.py,sha256=d2nGuy4NifbBiKbLIFHxP-wZctYDtK4qniSdq3l8-T0,21574
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/aws_global_conditions.py,sha256=Ny20rnwp0OGxW8NdrHw8d3Lv3wh8YbL5vCIFQw7ZQh4,8006
+iam_validator/core/config/aws_global_conditions.py,sha256=WQjR8z1Mhc8H874CnzwEMvKOz9rCifBNUltvo0oFYbM,7894
 iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLwgdPPJl5VIiKvXtQK9tj0,8583
 iam_validator/core/config/check_documentation.py,sha256=-wK6-wfU7SEHX3h2Jj5pOFqgxD9ULW-NvEkSVp_66WA,18718
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
 iam_validator/core/config/config_loader.py,sha256=Fohz9R-H5edYMYXoT3HkjmsmZE32rjLWlAjnZaz1Xrc,25649
-iam_validator/core/config/defaults.py,sha256=EKlmfX04IGPb4Qs9ctqrStoJ-_LAGEr2PWTJX9fjenk,38920
+iam_validator/core/config/defaults.py,sha256=z5gSBi3r5h2iBmjH7lKuLaYQY9oSgSBqXgWxxIr33gw,39956
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -112,8 +112,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.15.0.dist-info/METADATA,sha256=CkJmAGo-FcnQ0qpEb0_EDjNcbKRzTErYiIic3gUyHD8,34808
-iam_policy_validator-1.15.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.15.0.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
-iam_policy_validator-1.15.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.15.0.dist-info/RECORD,,
+iam_policy_validator-1.15.2.dist-info/METADATA,sha256=3YWLi7WFFLI4s-vCyjfkxJ8WB9QJCQthXl1-_isP9wE,34939
+iam_policy_validator-1.15.2.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.15.2.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.15.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.15.2.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.15.0"
+__version__ = "1.15.2"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/principal_validation.py

@@ -3,6 +3,7 @@
 Validates Principal elements in resource-based policies for security best practices.
 This check enforces:
 - Blocked principals (e.g., public access via "*")
+- Service principal wildcards (e.g., {"Service": "*"} - extremely dangerous)
 - Allowed principals whitelist (optional)
 - Rich condition requirements for principals (supports any_of/all_of/none_of)
 - Service principal validation
@@ -77,21 +78,55 @@ class PrincipalValidationCheck(PolicyCheck):
             return issues
 
         # Get configuration (defaults match defaults.py)
-        blocked_principals = config.config.get("blocked_principals", ["*"])
+        blocked_principals = list(config.config.get("blocked_principals", []))
         allowed_principals = config.config.get("allowed_principals", [])
         principal_condition_requirements = config.config.get("principal_condition_requirements", [])
         # Default: "aws:*" allows ALL AWS service principals (*.amazonaws.com)
-        # This matches the default in defaults.py:251
+        # This matches the default in defaults.py
         allowed_service_principals = config.config.get("allowed_service_principals", ["aws:*"])
+        # Default: block service principal wildcards ({"Service": "*"})
+        # This is extremely dangerous as it allows ANY AWS service to assume the role
+        block_service_principal_wildcard = config.config.get(
+            "block_service_principal_wildcard", True
+        )
+        # block_wildcard_principal: Strict mode for Principal: "*"
+        # false (default): Allow wildcard principal but require conditions
+        # true: Block wildcard principal entirely, skip condition checks
+        block_wildcard_principal = config.config.get("block_wildcard_principal", False)
+        if block_wildcard_principal and "*" not in blocked_principals:
+            blocked_principals.append("*")
+
+        # Check for service principal wildcards FIRST (highest priority security issue)
+        # If detected, return early - no conditions can make {"Service": "*"} safe
+        if block_service_principal_wildcard:
+            service_wildcard_issues = self._check_service_principal_wildcards(
+                statement, statement_idx, config
+            )
+            if service_wildcard_issues:
+                # Return early - this is unfixable, don't suggest conditions
+                return service_wildcard_issues
 
         # Extract principals from statement
         principals = self._extract_principals(statement)
 
+        # Track blocked principals to skip condition checks for them
+        blocked_principal_values: set[str] = set()
+
+        # Check if statement has {"Service": "*"} pattern
+        # If so, we shouldn't also flag the * as a blocked principal
+        has_service_wildcard = self._has_service_principal_wildcard(statement)
+
         for principal in principals:
+            # Skip blocking check for "*" if it came from {"Service": "*"}
+            # That case is handled by _check_service_principal_wildcards
+            if principal == "*" and has_service_wildcard:
+                continue
+
             # Check if principal is blocked
             if self._is_blocked_principal(
                 principal, blocked_principals, allowed_service_principals
             ):
+                blocked_principal_values.add(principal)
                 issues.append(
                     ValidationIssue(
                         severity=self.get_severity(config),
@@ -129,15 +164,19 @@ class PrincipalValidationCheck(PolicyCheck):
                 continue
 
         # Check principal_condition_requirements (supports any_of/all_of/none_of)
+        # Skip condition checks for principals that are already blocked
         if principal_condition_requirements:
-            condition_issues = self._validate_principal_condition_requirements(
-                statement,
-                statement_idx,
-                principals,
-                principal_condition_requirements,
-                config,
-            )
-            issues.extend(condition_issues)
+            # Filter out blocked principals - they need to be removed, not conditioned
+            principals_to_check = [p for p in principals if p not in blocked_principal_values]
+            if principals_to_check:
+                condition_issues = self._validate_principal_condition_requirements(
+                    statement,
+                    statement_idx,
+                    principals_to_check,
+                    principal_condition_requirements,
+                    config,
+                )
+                issues.extend(condition_issues)
 
         return issues
 
@@ -178,6 +217,106 @@ class PrincipalValidationCheck(PolicyCheck):
 
         return principals
 
+    def _has_service_principal_wildcard(self, statement: Statement) -> bool:
+        """Check if statement has {"Service": "*"} pattern.
+
+        This is used to avoid double-flagging - if the statement has a service
+        principal wildcard, we shouldn't also block it as a regular wildcard.
+        """
+        if statement.principal and isinstance(statement.principal, dict):
+            service_principals = statement.principal.get("Service")
+            if service_principals:
+                if isinstance(service_principals, str) and service_principals == "*":
+                    return True
+                if isinstance(service_principals, list) and "*" in service_principals:
+                    return True
+        return False
+
+    def _check_service_principal_wildcards(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        _config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Check for dangerous service principal wildcards in Principal field.
+
+        Detects patterns like:
+        - "Principal": {"Service": "*"}
+        - "Principal": {"Service": ["*"]}
+        - "Principal": {"Service": ["lambda.amazonaws.com", "*"]}
+
+        These are dangerous because they allow ANY AWS service to access the resource
+        or assume the role. Without proper source verification conditions (aws:SourceArn,
+        aws:SourceAccount), any service in any account could potentially access the resource.
+
+        Note: NotPrincipal with {"Service": "*"} is NOT flagged here because it means
+        "allow everyone EXCEPT all services" - a different concern (overly broad exclusion)
+        but not an overly permissive grant.
+
+        Args:
+            statement: The statement to check
+            statement_idx: Index of the statement
+            config: Check configuration
+
+        Returns:
+            List of validation issues
+        """
+        issues: list[ValidationIssue] = []
+
+        # Only check Principal field (not NotPrincipal)
+        # NotPrincipal: {"Service": "*"} means "everyone EXCEPT services" which is
+        # a different concern (overly broad exclusion) but not an overly permissive grant
+        if statement.principal is None:
+            return issues
+
+        if not isinstance(statement.principal, dict):
+            return issues
+
+        # Check the "Service" key specifically
+        service_principals = statement.principal.get("Service")
+        if service_principals is None:
+            return issues
+
+        # Normalize to list
+        if isinstance(service_principals, str):
+            service_principals = [service_principals]
+
+        # Check for wildcard in service principals
+        for service_principal in service_principals:
+            if service_principal == "*":
+                issues.append(
+                    ValidationIssue(
+                        severity="critical",  # Always critical - extremely permissive
+                        issue_type="service_principal_wildcard",
+                        message=(
+                            'Dangerous service principal wildcard: `"Principal": {"Service": "*"}`. '
+                            "This allows ANY AWS service to access this resource or assume this role. "
+                            "Without source verification conditions, this creates an overly permissive "
+                            "trust relationship."
+                        ),
+                        statement_index=statement_idx,
+                        statement_sid=statement.sid,
+                        line_number=statement.line_number,
+                        suggestion=(
+                            "Replace the wildcard with specific AWS service principals and add "
+                            "source verification conditions:\n\n"
+                            "1. Specify exact services:\n"
+                            '   `"Principal": {"Service": "lambda.amazonaws.com"}`\n\n'
+                            "2. Add source conditions:\n"
+                            "```json\n"
+                            '   "Condition": {\n'
+                            '     "ArnLike": {"aws:SourceArn": "arn:aws:lambda:*:ACCOUNT:function:*"},\n'
+                            '     "StringEquals": {"aws:SourceAccount": "ACCOUNT"}\n\n'
+                            "   }\n"
+                            "```\n"
+                        ),
+                        field_name="principal",
+                    )
+                )
+                break  # One issue is enough
+
+        return issues
+
     def _is_blocked_principal(
         self, principal: str, blocked_list: list[str], service_whitelist: list[str]
     ) -> bool:

iam_validator/core/aws_service/validators.py

@@ -243,22 +243,30 @@ class ServiceValidator:
             _, action_name = self._parser.parse_action(action)
 
             # Check if it's a global condition key
+            # Note: Some aws: prefixed keys like aws:RequestTag/* and aws:ResourceTag/* are NOT
+            # global keys - they're action-specific or resource-specific. We'll check those later.
             is_global_key = False
             if condition_key.startswith("aws:"):
                 global_conditions = get_global_conditions()
                 if global_conditions.is_valid_global_key(condition_key):
                     is_global_key = True
-                else:
-                    return ConditionKeyValidationResult(
-                        is_valid=False,
-                        error_message=f"Invalid AWS global condition key: `{condition_key}`.",
-                    )
+                # If not a global key, continue to check action/resource-specific keys
+                # Don't return an error yet - aws:RequestTag, aws:ResourceTag are action-specific
 
             # Check service-specific condition keys (with pattern matching for tag keys)
-            if service_detail.condition_keys and condition_key_in_list(
-                condition_key, list(service_detail.condition_keys.keys())
-            ):
-                return ConditionKeyValidationResult(is_valid=True)
+            # IMPORTANT: aws:RequestTag and aws:ResourceTag patterns in service-level keys
+            # are NOT universally valid for all actions. Skip them here - they'll be checked
+            # at action/resource level.
+            if service_detail.condition_keys:
+                # Check if it matches service-level keys, but exclude RequestTag/ResourceTag
+                if condition_key_in_list(condition_key, list(service_detail.condition_keys.keys())):
+                    # If it's RequestTag or ResourceTag, don't return valid here - check action/resource level
+                    if not (
+                        condition_key.startswith("aws:RequestTag/")
+                        or condition_key.startswith("aws:ResourceTag/")
+                    ):
+                        return ConditionKeyValidationResult(is_valid=True)
+                    # For RequestTag/ResourceTag, continue to check action/resource level
 
             # Check action-specific condition keys
             if action_name in service_detail.actions:
@@ -298,8 +306,26 @@ class ServiceValidator:
             if is_global_key:
                 return ConditionKeyValidationResult(is_valid=True)
 
-            # Short error message
-            error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
+            # If we reach here, the condition key was not found in any valid location
+            # Check if it's an aws: prefixed key that's not global - provide specific error
+            if condition_key.startswith("aws:"):
+                # Special handling for aws:RequestTag and aws:ResourceTag patterns
+                if condition_key.startswith("aws:RequestTag/"):
+                    error_msg = (
+                        f"Condition key `{condition_key}` is not supported by action `{action}`. "
+                        f"The `aws:RequestTag/${{TagKey}}` condition is only supported by actions that "
+                        f"create or modify resources with tags. This action does not support tag operations."
+                    )
+                elif condition_key.startswith("aws:ResourceTag/"):
+                    error_msg = (
+                        f"Condition key `{condition_key}` is not supported by the resources used by action `{action}`. "
+                        f"The `aws:ResourceTag/${{TagKey}}` condition is only supported by resources that have tags."
+                    )
+                else:
+                    error_msg = f"Invalid AWS condition key: `{condition_key}`. This key is not a valid global condition key and is not supported by action `{action}`."
+            else:
+                # Short error message for non-aws: keys
+                error_msg = f"Condition key `{condition_key}` is not valid for action `{action}`"
 
             # Collect valid condition keys for this action
             valid_keys: set[str] = set()

iam_validator/core/condition_validators.py

@@ -14,8 +14,17 @@ Supports:
 
 import ipaddress
 import re
+from datetime import datetime
 from typing import Any
 
+# Pre-compiled regex patterns for performance (compiled once at module load)
+# Timezone offset pattern for ISO 8601 dates (e.g., 2025-01-01T12:00:00+00:00)
+_TZ_OFFSET_PATTERN = re.compile(
+    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
+    r"(?:\.(\d{1,6}))?"  # Optional milliseconds/microseconds
+    r"([+-])(\d{2}):(\d{2})$"  # Timezone offset
+)
+
 # IAM Condition Operators mapped to their expected value types
 # Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
 CONDITION_OPERATORS = {
@@ -223,6 +232,163 @@ def validate_value_for_type(value_type: str, values: list[Any]) -> tuple[bool, s
     return True, None
 
 
+def _validate_date_value(value_str: str) -> tuple[bool, str | None]:
+    """
+    Validate a date value for IAM condition operators.
+
+    AWS IAM accepts the following date formats:
+    1. ISO 8601 with UTC (Z suffix): 2019-07-16T12:00:00Z
+    2. ISO 8601 with timezone offset: 2019-07-16T12:00:00+00:00
+    3. ISO 8601 with milliseconds: 2019-07-16T12:00:00.000Z
+    4. UNIX epoch timestamp: 1563278400 (seconds since 1970-01-01)
+
+    This function validates both syntactic correctness AND semantic validity
+    (e.g., month must be 1-12, day must be valid for the month).
+
+    Args:
+        value_str: The date string to validate
+
+    Returns:
+        Tuple of (is_valid, error_message)
+
+    Reference:
+        https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date
+    """
+    # Fast path: Check for UNIX epoch timestamp (digits only)
+    # Using str.isdigit() is ~3x faster than re.match(r"^\d+$", ...)
+    if value_str.isdigit():
+        # Validate epoch timestamp is reasonable (not before 1970, not too far in future)
+        try:
+            epoch = int(value_str)
+            # Allow dates from 1970 to year 3000 (covers all reasonable use cases)
+            if epoch > 32503680000:  # Year 3000 in seconds
+                return (
+                    False,
+                    f"UNIX epoch timestamp appears unreasonably large: {value_str}. "
+                    "Expected seconds since 1970-01-01.",
+                )
+            return True, None
+        except (ValueError, OverflowError):
+            return (
+                False,
+                f"Invalid UNIX epoch timestamp: {value_str}. Must be a valid integer.",
+            )
+
+    # Try parsing ISO 8601 formats (ordered by most common first for performance)
+    # Using datetime.strptime with try/except is the most efficient approach
+    # as it validates both format AND semantic validity (e.g., month 13 is rejected)
+    for fmt in (
+        "%Y-%m-%dT%H:%M:%SZ",  # Basic UTC format (most common)
+        "%Y-%m-%dT%H:%M:%S.%fZ",  # With milliseconds
+        "%Y-%m-%d",  # Date only
+    ):
+        try:
+            datetime.strptime(value_str, fmt)
+            return True, None
+        except ValueError:
+            continue
+
+    # Fall back to timezone offset parsing (e.g., +00:00, -05:00)
+    # Uses pre-compiled regex pattern for performance
+    match = _TZ_OFFSET_PATTERN.match(value_str)
+    if match:
+        year, month, day, hour, minute, second = (
+            int(match.group(1)),
+            int(match.group(2)),
+            int(match.group(3)),
+            int(match.group(4)),
+            int(match.group(5)),
+            int(match.group(6)),
+        )
+        tz_hour, tz_minute = int(match.group(9)), int(match.group(10))
+
+        # Validate ranges
+        validation_error = _validate_datetime_components(
+            year, month, day, hour, minute, second, tz_hour, tz_minute
+        )
+        if validation_error:
+            return False, validation_error
+
+        return True, None
+
+    # If nothing matched, provide a helpful error
+    return (
+        False,
+        f"Invalid Date value: `{value_str}`. Expected ISO 8601 format "
+        "(e.g., `2019-07-16T12:00:00Z`, `2019-07-16T12:00:00+00:00`) "
+        "or UNIX epoch timestamp (e.g., `1563278400`).",
+    )
+
+
+def _validate_datetime_components(
+    year: int,
+    month: int,
+    day: int,
+    hour: int,
+    minute: int,
+    second: int,
+    tz_hour: int = 0,
+    tz_minute: int = 0,
+) -> str | None:
+    """
+    Validate individual datetime components for semantic correctness.
+
+    Args:
+        year: Year (1-9999)
+        month: Month (1-12)
+        day: Day (1-31, depends on month)
+        hour: Hour (0-23)
+        minute: Minute (0-59)
+        second: Second (0-59)
+        tz_hour: Timezone hour offset (0-14)
+        tz_minute: Timezone minute offset (0-59)
+
+    Returns:
+        Error message string if invalid, None if valid
+    """
+    # Validate month
+    if not 1 <= month <= 12:
+        return f"Invalid month: {month}. Must be between 1 and 12."
+
+    # Validate day based on month
+    days_in_month = [0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
+
+    # Handle leap year for February
+    is_leap_year = (year % 4 == 0 and year % 100 != 0) or (year % 400 == 0)
+    if is_leap_year and month == 2:
+        max_day = 29
+    else:
+        max_day = days_in_month[month]
+
+    if not 1 <= day <= max_day:
+        return f"Invalid day: {day}. For month {month}, day must be between 1 and {max_day}."
+
+    # Validate hour
+    if not 0 <= hour <= 23:
+        return f"Invalid hour: {hour}. Must be between 0 and 23."
+
+    # Validate minute
+    if not 0 <= minute <= 59:
+        return f"Invalid minute: {minute}. Must be between 0 and 59."
+
+    # Validate second (allow 59 for leap seconds)
+    if not 0 <= second <= 59:
+        return f"Invalid second: {second}. Must be between 0 and 59."
+
+    # Validate timezone offset (max +/- 14:00 per ISO 8601)
+    if not 0 <= tz_hour <= 14:
+        return f"Invalid timezone hour offset: {tz_hour}. Must be between 0 and 14."
+
+    if not 0 <= tz_minute <= 59:
+        return f"Invalid timezone minute offset: {tz_minute}. Must be between 0 and 59."
+
+    # Validate that tz offset doesn't exceed 14:00
+    if tz_hour == 14 and tz_minute > 0:
+        return "Invalid timezone offset. Maximum is +/-14:00."
+
+    return None
+
+
 def _validate_single_value(value_type: str, value_str: str) -> tuple[bool, str | None]:
     """
     Validate a single value against its expected type.
@@ -256,15 +422,15 @@ def _validate_single_value(value_type: str, value_str: str) -> tuple[bool, str |
             return False, f"Expected Bool value (true/false) but got: {value_str}"
 
     elif value_type == "Date":
-        # Date: W3C ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ) or UNIX epoch timestamp
-        iso_pattern = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"
-        epoch_pattern = r"^\d+$"
-
-        if not (re.match(iso_pattern, value_str) or re.match(epoch_pattern, value_str)):
-            return (
-                False,
-                f"Expected Date value (2019-07-16T12:00:00Z or UNIX epoch timestamp) but got: {value_str}",
-            )
+        # Date: W3C ISO 8601 format or UNIX epoch timestamp
+        # AWS accepts multiple ISO 8601 variants:
+        # - 2019-07-16T12:00:00Z (UTC with Z suffix)
+        # - 2019-07-16T12:00:00+00:00 (with timezone offset)
+        # - 2019-07-16T12:00:00.000Z (with milliseconds)
+        # - UNIX epoch timestamp (seconds since 1970-01-01)
+        is_valid_date, date_error = _validate_date_value(value_str)
+        if not is_valid_date:
+            return False, date_error
 
     elif value_type == "IPAddress":
         # IP Address: IPv4 or IPv6 with optional CIDR notation

iam_validator/core/config/aws_global_conditions.py

@@ -85,17 +85,13 @@ GLOBAL_RESOURCE_SCOPING_CONDITION_KEYS = frozenset(
 )
 
 # Patterns that should be recognized (wildcards and tag-based keys)
-# These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
+# IMPORTANT: aws:RequestTag and aws:ResourceTag are NOT global condition keys!
+# They are action-specific or resource-specific and must be explicitly listed in
+# the action's ActionConditionKeys or the resource's ConditionKeys.
+# Only aws:PrincipalTag is a true global condition key.
+#
 # Uses centralized tag key character class from constants
 AWS_CONDITION_KEY_PATTERNS = [
-    {
-        "pattern": rf"^aws:RequestTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
-        "description": "Tag keys in the request (for tag-based access control)",
-    },
-    {
-        "pattern": rf"^aws:ResourceTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
-        "description": "Tags on the resource being accessed",
-    },
     {
         "pattern": rf"^aws:PrincipalTag/[{AWS_TAG_KEY_ALLOWED_CHARS}]+$",
         "description": "Tags attached to the principal making the request",

iam_validator/core/config/defaults.py

@@ -238,18 +238,26 @@ DEFAULT_CONFIG = {
     # Applies to: S3 buckets, SNS topics, SQS queues, Lambda functions, etc.
     # Only runs when: --policy-type RESOURCE_POLICY
     #
-    # Three control mechanisms:
-    #   1. blocked_principals - Block specific principals (deny list)
-    #   2. allowed_principals - Allow only specific principals (whitelist mode)
-    #   3. principal_condition_requirements - Require conditions for principals
-    #   4. allowed_service_principals - Always allow AWS service principals
+    # Control mechanisms:
+    #   1. block_wildcard_principal - Simple toggle for wildcard principal handling
+    #   2. blocked_principals - Block specific principals (deny list)
+    #   3. allowed_principals - Allow only specific principals (whitelist mode)
+    #   4. principal_condition_requirements - Require conditions for principals
+    #   5. allowed_service_principals - Always allow AWS service principals
+    #   6. block_service_principal_wildcard - Block {"Service": "*"} patterns
     "principal_validation": {
         "enabled": True,
         "severity": "high",  # Security issue, not IAM validity error
         "description": "Validates Principal elements in resource policies for security best practices",
-        # blocked_principals: Deny list - these principals are never allowed
-        # Default: ["*"] blocks public access
-        "blocked_principals": ["*"],
+        # block_wildcard_principal: Strict mode toggle for Principal: "*"
+        #   false (default): Allow wildcard principal but require conditions
+        #   true: Block wildcard principal entirely - strictest option
+        # When false, principal_condition_requirements for "*" are enforced,
+        # allowing patterns like S3 bucket policies with aws:SourceArn conditions.
+        "block_wildcard_principal": False,
+        # blocked_principals: Deny list - additional principals to block
+        # Note: When block_wildcard_principal is true, "*" is automatically blocked.
+        "blocked_principals": [],
         # allowed_principals: Whitelist mode - when set, ONLY these are allowed
         # Default: [] allows all (except blocked)
         "allowed_principals": [],
@@ -262,6 +270,12 @@ DEFAULT_CONFIG = {
         # Default: ["aws:*"] allows ALL AWS service principals
         # Note: "aws:*" is different from "*" (public access)
         "allowed_service_principals": ["aws:*"],
+        # block_service_principal_wildcard: Block {"Service": "*"} in Principal
+        # This pattern allows ANY AWS service to access the resource, which is
+        # extremely permissive. Without source verification conditions like
+        # aws:SourceArn or aws:SourceAccount, this creates a security risk.
+        # Default: True (always block this dangerous pattern)
+        "block_service_principal_wildcard": True,
     },
     # ========================================================================
     # 10. TRUST POLICY VALIDATION