iam-policy-validator 1.15.1__py3-none-any.whl → 1.15.3__py3-none-any.whl

{iam_policy_validator-1.15.1.dist-info → iam_policy_validator-1.15.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.1
+Version: 1.15.3
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -99,8 +99,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
-    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObjekt",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
+    }
   ]
 }
 ```
@@ -111,7 +119,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
   ]
 }
 ```
@@ -122,7 +134,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
+    }
   ]
 }
 ```
@@ -228,7 +244,8 @@ action_condition_enforcement:
           description: "Restrict which services can use passed roles"
 
     # Enforce IP restrictions for privileged actions (automation from CI/CD)
-    - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
+    - actions:
+        ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
           expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -270,9 +287,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
 ```json
 {
   "Statement": [
-    {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
-    {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
-    {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+    {
+      "Sid": "AllowUserManagement",
+      "Action": "iam:CreateUser",
+      "Resource": "*"
+    },
+    { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
+    {
+      "Sid": "AllowPolicyAttachment",
+      "Action": "iam:AttachUserPolicy",
+      "Resource": "*"
+    }
   ]
 }
 ```
@@ -408,9 +433,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
 - uses: boogy/iam-policy-validator@v1
   with:
     path: policies/
-    github-review: true        # Inline PR comments
-    github-summary: true       # Actions summary tab
-    fail-on-severity: high     # Block merge on high/critical
+    github-review: true # Inline PR comments
+    github-summary: true # Actions summary tab
+    fail-on-severity: high # Block merge on high/critical
 ```
 
 ---
@@ -440,14 +465,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                     | What It Catches                                        |
-| ------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| Check                     | What It Catches                                          |
+| ------------------------- | -------------------------------------------------------- |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions                 |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources                 |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)    |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                  |
 | **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
-| **Condition Enforcement** | Organization-specific condition requirements           |
+| **Condition Enforcement** | Organization-specific condition requirements             |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -540,7 +565,7 @@ action_condition_enforcement:
     - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
-          expected_value: ["10.0.0.0/8", "52.94.76.0/24"]  # Corporate + GitHub Actions
+          expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
 
 # Ignore patterns
 ignore_patterns:
@@ -677,19 +702,19 @@ iam-validator analyze --path new-policy.json \
 
 ## Comparison Matrix
 
-| Feature                        | IAM Policy Validator             | IAM Lens                      | IAMSpy                 | Policy Sentry              |
-| ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
-| **Primary Purpose**            | Pre-deployment validation        | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
-| **Use Case**                   | CI/CD policy scanning            | "What can this principal do?" | Pentesting/audit       | Policy creation            |
-| **Custom Security Rules**      | ✅ Full support                   | ❌ No                          | ❌ No                   | ❌ No                       |
+| Feature                        | IAM Policy Validator              | IAM Lens                      | IAMSpy                 | Policy Sentry              |
+| ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
+| **Primary Purpose**            | Pre-deployment validation         | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
+| **Use Case**                   | CI/CD policy scanning             | "What can this principal do?" | Pentesting/audit       | Policy creation            |
+| **Custom Security Rules**      | ✅ Full support                   | ❌ No                         | ❌ No                  | ❌ No                      |
 | **Cross-Statement Patterns**   | ✅ Privilege escalation detection | N/A (different purpose)       | N/A                    | N/A                        |
-| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                   | ✅ Generates correct        |
-| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup                | ⚠️ Manual               | ⚠️ Manual                   |
-| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data       | ⚠️ Static               | ✅ Official API             |
-| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account           | ✅ Yes                  | ❌ Needs internet           |
-| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)    | ⚠️ Enumerate only       | ✅ Excellent                |
+| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                  | ✅ Generates correct       |
+| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup               | ⚠️ Manual              | ⚠️ Manual                  |
+| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data      | ⚠️ Static              | ✅ Official API            |
+| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account          | ✅ Yes                 | ❌ Needs internet          |
+| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)   | ⚠️ Enumerate only      | ✅ Excellent               |
 
 **Choose this tool if you:**
 

{iam_policy_validator-1.15.1.dist-info → iam_policy_validator-1.15.3.dist-info}/RECORD

@@ -1,6 +1,6 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=3sYnVKt3REhH-Klaa8pLaSXpDxcV1dV0Se9CjHHE4Nc,374
+iam_validator/__version__.py,sha256=2oTvvCnwbVqgXWNdEDQWe8-xj2ecUXJtl1jF_CIIGxk,374
 iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
@@ -8,12 +8,12 @@ iam_validator/checks/action_validation.py,sha256=gy9_mujYbojBboLk0WwuJYJjggrY2sR
 iam_validator/checks/condition_key_validation.py,sha256=5i8LqqV78SjWK6pLrbttWmeMAD4pDC12_FjTjx5dFSU,4024
 iam_validator/checks/condition_type_mismatch.py,sha256=KJp7zQHDd8VeTcfjcD-ur3S4070cXEDTWkFtxfp7CuE,10652
 iam_validator/checks/full_wildcard.py,sha256=0TkkHtV0MZ6nZtJRtGdn3wwOMM96TRyGO7l7mmdHNUo,2325
-iam_validator/checks/mfa_condition_check.py,sha256=y1LbqcvQ_fL2BPTNaKRQoBYM5hM7JET9cDPUOWKFEVs,4814
-iam_validator/checks/not_action_not_resource.py,sha256=WWKOCLCq7yxOG9tgi1n5xPpphTLZ9RfcfPwZ-TP6n9Y,8097
+iam_validator/checks/mfa_condition_check.py,sha256=EYOzESzsZVlxW9Pp6hSqPZkH0UT1h21SoZibBX7k_OU,7705
+iam_validator/checks/not_action_not_resource.py,sha256=18wB1NKaCj4X7o8xcTLmtFjsXFJLXTukzp1FhZzvMa8,9779
 iam_validator/checks/policy_size.py,sha256=eJd36Nj4gqWLIkQ5imhHR1hGtQ6T-iJsC22Wd1VSUf0,4681
 iam_validator/checks/policy_structure.py,sha256=LExdm93JeqsyhikWrh9lfJ9sBiZ4818Ts0-N3MwUrtk,22089
 iam_validator/checks/policy_type_validation.py,sha256=-Q2Yn_sa7Cba_Fb9ESxSL5qNbRpncuC7NQy7R_fdJtY,16521
-iam_validator/checks/principal_validation.py,sha256=TthgDW5YXFfv5li1u4nn56k0Feqt5HeOEtQgo5pBKqo,27911
+iam_validator/checks/principal_validation.py,sha256=oXSooVQIgUfbTRulgpiLACSJ2LZXM0Q4I00tOX3YTAI,34679
 iam_validator/checks/resource_validation.py,sha256=k7qHIwX7IDf4MCWIvl9G17aINzTuZLOHDHRWrujbCaM,7787
 iam_validator/checks/sensitive_action.py,sha256=LHicl6dd5E1JV19cLKvFAMGzLzYr5h_Y7QvS8s57kvA,18952
 iam_validator/checks/service_wildcard.py,sha256=1epcET5oDclAmzxhtmQfKBg3Q5Rl4VXBMoZouxCJLpM,4114
@@ -44,7 +44,7 @@ iam_validator/core/aws_fetcher.py,sha256=op93QvtGmeLF9dHobl2IuoPDeunn33pBLb8h7Xj
 iam_validator/core/check_registry.py,sha256=cRvFko_cTrip94VgVqwkxgrjR6oz3JfSiwertESicRc,28567
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
-iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
+iam_validator/core/condition_validators.py,sha256=5IdCZG0w8qQL37_wYv8TPQD3rIsmrB-845Ff4N-WXDU,27357
 iam_validator/core/constants.py,sha256=O80dQ6AtgsCJPempRtNlKaSIVE61rg6YDPV5vgaSnAY,7771
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
@@ -72,7 +72,7 @@ iam_validator/core/config/category_suggestions.py,sha256=fopaZ9kXDrsLgi_r0pERrLw
 iam_validator/core/config/check_documentation.py,sha256=-wK6-wfU7SEHX3h2Jj5pOFqgxD9ULW-NvEkSVp_66WA,18718
 iam_validator/core/config/condition_requirements.py,sha256=1CeQJfWV-Y2ImW0Mq9YdrgvH-hj9IXe0gVOm3B36Rc8,10655
 iam_validator/core/config/config_loader.py,sha256=Fohz9R-H5edYMYXoT3HkjmsmZE32rjLWlAjnZaz1Xrc,25649
-iam_validator/core/config/defaults.py,sha256=EKlmfX04IGPb4Qs9ctqrStoJ-_LAGEr2PWTJX9fjenk,38920
+iam_validator/core/config/defaults.py,sha256=z5gSBi3r5h2iBmjH7lKuLaYQY9oSgSBqXgWxxIr33gw,39956
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
@@ -112,8 +112,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.15.1.dist-info/METADATA,sha256=5U2vmBBtv-GXPRTflISPL-sOmq_kT9aWlDdOBsfbMnI,34808
-iam_policy_validator-1.15.1.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.15.1.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
-iam_policy_validator-1.15.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.15.1.dist-info/RECORD,,
+iam_policy_validator-1.15.3.dist-info/METADATA,sha256=r1dXILWhINVsEMyiTTC3IJpAEAoS0usdkBkt7lVe1og,34939
+iam_policy_validator-1.15.3.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.15.3.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.15.3.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.15.3.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.15.1"
+__version__ = "1.15.3"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/mfa_condition_check.py

@@ -75,7 +75,36 @@ class MFAConditionCheck(PolicyCheck):
                         )
                     )
 
-        # Check for anti-pattern #2: Null with aws:MultiFactorAuthPresent = false
+        # Check for anti-pattern #2: BoolIfExists with aws:MultiFactorAuthPresent = false
+        # This is MORE dangerous than Bool because it also matches when the key is missing
+        bool_if_exists_conditions = statement.condition.get("BoolIfExists", {})
+        for key, value in bool_if_exists_conditions.items():
+            if key.lower() == "aws:multifactorauthpresent":
+                # Normalize value to list
+                values = value if isinstance(value, list) else [value]
+                # Convert to lowercase strings for comparison
+                values_lower = [str(v).lower() for v in values]
+
+                if "false" in values_lower or False in values:
+                    issues.append(
+                        ValidationIssue(
+                            severity="high",  # Higher than default - this is worse than Bool
+                            message=(
+                                "**DANGEROUS MFA condition pattern detected.** "
+                                'Using `{"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}` '
+                                "is MORE dangerous than using `Bool` because it also matches when "
+                                "the key is missing entirely (no MFA context in the request). "
+                                "This effectively allows access without any MFA verification."
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="mfa_antipattern_boolif_exists_false",
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
+        # Check for anti-pattern #3: Null with aws:MultiFactorAuthPresent = false
         null_conditions = statement.condition.get("Null", {})
         for key, value in null_conditions.items():
             if key.lower() == "aws:multifactorauthpresent":
@@ -102,4 +131,24 @@ class MFAConditionCheck(PolicyCheck):
                         )
                     )
 
+                # Check for anti-pattern #4: Null with aws:MultiFactorAuthPresent = true
+                # This means "key does NOT exist" = no MFA was used
+                if "true" in values_lower or True in values:
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                "**Dangerous MFA condition pattern detected.** "
+                                'Using `{"Null": {"aws:MultiFactorAuthPresent": "true"}}` checks if the key '
+                                "does NOT exist, which means no MFA was provided in the request context. "
+                                "This condition allows access when MFA is absent."
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="mfa_antipattern_null_true",
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
+
         return issues

iam_validator/checks/not_action_not_resource.py

@@ -12,6 +12,13 @@ from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
 
+def _format_list_with_backticks(items: list[str], max_items: int = 3) -> str:
+    """Format a list of items with backticks for markdown rendering."""
+    formatted = [f"`{item}`" for item in items[:max_items]]
+    suffix = "..." if len(items) > max_items else ""
+    return ", ".join(formatted) + suffix
+
+
 class NotActionNotResourceCheck(PolicyCheck):
     """Checks for dangerous NotAction/NotResource patterns.
 
@@ -59,18 +66,18 @@ class NotActionNotResourceCheck(PolicyCheck):
                         statement_index=statement_idx,
                         issue_type="not_action_allow",
                         message=(
-                            "Statement uses NotAction with Allow effect. "
+                            "Statement uses `NotAction` with `Allow` effect. "
                             "This grants ALL actions except the listed ones. "
                             "While conditions are present, this pattern is still risky."
                         ),
                         suggestion=(
-                            "Consider using explicit Action lists instead of NotAction. "
-                            "If NotAction is required, ensure conditions are comprehensive."
+                            "Consider using explicit `Action` lists instead of `NotAction`. "
+                            "If `NotAction` is required, ensure conditions are comprehensive."
                         ),
                         example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject", "s3:ListBucket"],\n  "Resource": "*"\n}',
                         line_number=statement.line_number,
                         field_name="action",
-                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                        action=_format_list_with_backticks(not_actions, 3),
                     )
                 )
             else:
@@ -82,20 +89,19 @@ class NotActionNotResourceCheck(PolicyCheck):
                         statement_index=statement_idx,
                         issue_type="not_action_allow_no_condition",
                         message=(
-                            "Statement uses NotAction with Allow effect and NO conditions. "
-                            f"This grants ALL AWS actions except: {', '.join(not_actions[:5])}"
-                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "Statement uses `NotAction` with `Allow` effect and NO conditions. "
+                            f"This grants ALL AWS actions except: {_format_list_with_backticks(not_actions, 5)}. "
                             "This is equivalent to granting near-administrator access."
                         ),
                         suggestion=(
-                            "Replace NotAction with explicit Action list. "
-                            "If NotAction is required, add strict conditions like "
-                            "aws:SourceIp, aws:PrincipalArn, or aws:MultiFactorAuthPresent."
+                            "Replace `NotAction` with explicit `Action` list. "
+                            "If `NotAction` is required, add strict conditions like "
+                            "`aws:SourceIp`, `aws:PrincipalArn`, or `aws:MultiFactorAuthPresent`."
                         ),
                         example='{\n  "Effect": "Allow",\n  "Action": ["specific:Action"],\n  "Resource": "*",\n  "Condition": {\n    "Bool": {"aws:MultiFactorAuthPresent": "true"}\n  }\n}',
                         line_number=statement.line_number,
                         field_name="action",
-                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                        action=_format_list_with_backticks(not_actions, 3),
                     )
                 )
 
@@ -113,24 +119,49 @@ class NotActionNotResourceCheck(PolicyCheck):
                         statement_index=statement_idx,
                         issue_type="not_resource_broad",
                         message=(
-                            "Statement uses NotResource with Allow effect and broad Resource. "
-                            f"This grants access to ALL resources except: {', '.join(not_resources[:3])}"
-                            f"{'...' if len(not_resources) > 3 else ''}."
+                            "Statement uses `NotResource` with `Allow` effect and broad `Resource`. "
+                            f"This grants access to ALL resources except: {_format_list_with_backticks(not_resources, 3)}."
                         ),
                         suggestion=(
-                            "Replace NotResource with explicit Resource ARNs. "
-                            "Using NotResource grants access to all current and future resources "
+                            "Replace `NotResource` with explicit `Resource` ARNs. "
+                            "Using `NotResource` grants access to all current and future resources "
                             "except those explicitly excluded."
                         ),
                         example='{\n  "Effect": "Allow",\n  "Action": ["s3:GetObject"],\n  "Resource": "arn:aws:s3:::my-bucket/*"\n}',
                         line_number=statement.line_number,
                         field_name="resource",
-                        resource=", ".join(not_resources[:3])
-                        + ("..." if len(not_resources) > 3 else ""),
+                        resource=_format_list_with_backticks(not_resources, 3),
                     )
                 )
 
-        # Check 3: NotAction with Deny - less dangerous but worth noting
+        # Check 3: Combined NotAction AND NotResource with Allow
+        # This is the most dangerous pattern - grants nearly all actions on nearly all resources
+        if not_actions and not_resources and effect == "Allow":
+            issues.append(
+                ValidationIssue(
+                    severity="critical",
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="combined_not_action_not_resource",
+                    message=(
+                        "**CRITICAL:** Policy uses both `NotAction` AND `NotResource` with `Allow` effect. "
+                        f"This grants ALL actions except [{_format_list_with_backticks(not_actions, 3)}] "
+                        f"on ALL resources except [{_format_list_with_backticks(not_resources, 3)}]. "
+                        "This is equivalent to near-administrator access."
+                    ),
+                    suggestion=(
+                        "Rewrite using explicit `Action` and `Resource` lists instead of negations. "
+                        "The combination of `NotAction` + `NotResource` is almost always a mistake."
+                    ),
+                    example='{\n  "Effect": "Allow",\n  "Action": ["specific:Action"],\n  "Resource": "arn:aws:service:::specific-resource"\n}',
+                    line_number=statement.line_number,
+                    field_name="action",
+                    action=_format_list_with_backticks(not_actions, 3),
+                    resource=_format_list_with_backticks(not_resources, 3),
+                )
+            )
+
+        # Check 4: NotAction with Deny - less dangerous but worth noting
         # NotAction with Deny means "deny everything except these actions"
         # which is actually a valid deny pattern but should be reviewed
         if not_actions and effect == "Deny":
@@ -145,18 +176,17 @@ class NotActionNotResourceCheck(PolicyCheck):
                         statement_index=statement_idx,
                         issue_type="not_action_deny_review",
                         message=(
-                            "Statement uses NotAction with Deny effect on all resources. "
-                            f"This denies everything except: {', '.join(not_actions[:5])}"
-                            f"{'...' if len(not_actions) > 5 else ''}. "
+                            "Statement uses `NotAction` with `Deny` effect on all resources. "
+                            f"This denies everything except: {_format_list_with_backticks(not_actions, 5)}. "
                             "Review to ensure this is the intended behavior."
                         ),
                         suggestion=(
                             "Verify that allowing only these specific actions is intended. "
-                            "Consider if an explicit Allow list would be clearer."
+                            "Consider if an explicit `Allow` list would be clearer."
                         ),
                         line_number=statement.line_number,
                         field_name="action",
-                        action=", ".join(not_actions[:3]) + ("..." if len(not_actions) > 3 else ""),
+                        action=_format_list_with_backticks(not_actions, 3),
                     )
                 )
 

iam_validator/checks/principal_validation.py

@@ -3,6 +3,7 @@
 Validates Principal elements in resource-based policies for security best practices.
 This check enforces:
 - Blocked principals (e.g., public access via "*")
+- Service principal wildcards (e.g., {"Service": "*"} - extremely dangerous)
 - Allowed principals whitelist (optional)
 - Rich condition requirements for principals (supports any_of/all_of/none_of)
 - Service principal validation
@@ -77,21 +78,55 @@ class PrincipalValidationCheck(PolicyCheck):
             return issues
 
         # Get configuration (defaults match defaults.py)
-        blocked_principals = config.config.get("blocked_principals", ["*"])
+        blocked_principals = list(config.config.get("blocked_principals", []))
         allowed_principals = config.config.get("allowed_principals", [])
         principal_condition_requirements = config.config.get("principal_condition_requirements", [])
         # Default: "aws:*" allows ALL AWS service principals (*.amazonaws.com)
-        # This matches the default in defaults.py:251
+        # This matches the default in defaults.py
         allowed_service_principals = config.config.get("allowed_service_principals", ["aws:*"])
+        # Default: block service principal wildcards ({"Service": "*"})
+        # This is extremely dangerous as it allows ANY AWS service to assume the role
+        block_service_principal_wildcard = config.config.get(
+            "block_service_principal_wildcard", True
+        )
+        # block_wildcard_principal: Strict mode for Principal: "*"
+        # false (default): Allow wildcard principal but require conditions
+        # true: Block wildcard principal entirely, skip condition checks
+        block_wildcard_principal = config.config.get("block_wildcard_principal", False)
+        if block_wildcard_principal and "*" not in blocked_principals:
+            blocked_principals.append("*")
+
+        # Check for service principal wildcards FIRST (highest priority security issue)
+        # If detected, return early - no conditions can make {"Service": "*"} safe
+        if block_service_principal_wildcard:
+            service_wildcard_issues = self._check_service_principal_wildcards(
+                statement, statement_idx, config
+            )
+            if service_wildcard_issues:
+                # Return early - this is unfixable, don't suggest conditions
+                return service_wildcard_issues
 
         # Extract principals from statement
         principals = self._extract_principals(statement)
 
+        # Track blocked principals to skip condition checks for them
+        blocked_principal_values: set[str] = set()
+
+        # Check if statement has {"Service": "*"} pattern
+        # If so, we shouldn't also flag the * as a blocked principal
+        has_service_wildcard = self._has_service_principal_wildcard(statement)
+
         for principal in principals:
+            # Skip blocking check for "*" if it came from {"Service": "*"}
+            # That case is handled by _check_service_principal_wildcards
+            if principal == "*" and has_service_wildcard:
+                continue
+
             # Check if principal is blocked
             if self._is_blocked_principal(
                 principal, blocked_principals, allowed_service_principals
             ):
+                blocked_principal_values.add(principal)
                 issues.append(
                     ValidationIssue(
                         severity=self.get_severity(config),
@@ -129,15 +164,19 @@ class PrincipalValidationCheck(PolicyCheck):
                 continue
 
         # Check principal_condition_requirements (supports any_of/all_of/none_of)
+        # Skip condition checks for principals that are already blocked
         if principal_condition_requirements:
-            condition_issues = self._validate_principal_condition_requirements(
-                statement,
-                statement_idx,
-                principals,
-                principal_condition_requirements,
-                config,
-            )
-            issues.extend(condition_issues)
+            # Filter out blocked principals - they need to be removed, not conditioned
+            principals_to_check = [p for p in principals if p not in blocked_principal_values]
+            if principals_to_check:
+                condition_issues = self._validate_principal_condition_requirements(
+                    statement,
+                    statement_idx,
+                    principals_to_check,
+                    principal_condition_requirements,
+                    config,
+                )
+                issues.extend(condition_issues)
 
         return issues
 
@@ -178,6 +217,106 @@ class PrincipalValidationCheck(PolicyCheck):
 
         return principals
 
+    def _has_service_principal_wildcard(self, statement: Statement) -> bool:
+        """Check if statement has {"Service": "*"} pattern.
+
+        This is used to avoid double-flagging - if the statement has a service
+        principal wildcard, we shouldn't also block it as a regular wildcard.
+        """
+        if statement.principal and isinstance(statement.principal, dict):
+            service_principals = statement.principal.get("Service")
+            if service_principals:
+                if isinstance(service_principals, str) and service_principals == "*":
+                    return True
+                if isinstance(service_principals, list) and "*" in service_principals:
+                    return True
+        return False
+
+    def _check_service_principal_wildcards(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        _config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Check for dangerous service principal wildcards in Principal field.
+
+        Detects patterns like:
+        - "Principal": {"Service": "*"}
+        - "Principal": {"Service": ["*"]}
+        - "Principal": {"Service": ["lambda.amazonaws.com", "*"]}
+
+        These are dangerous because they allow ANY AWS service to access the resource
+        or assume the role. Without proper source verification conditions (aws:SourceArn,
+        aws:SourceAccount), any service in any account could potentially access the resource.
+
+        Note: NotPrincipal with {"Service": "*"} is NOT flagged here because it means
+        "allow everyone EXCEPT all services" - a different concern (overly broad exclusion)
+        but not an overly permissive grant.
+
+        Args:
+            statement: The statement to check
+            statement_idx: Index of the statement
+            config: Check configuration
+
+        Returns:
+            List of validation issues
+        """
+        issues: list[ValidationIssue] = []
+
+        # Only check Principal field (not NotPrincipal)
+        # NotPrincipal: {"Service": "*"} means "everyone EXCEPT services" which is
+        # a different concern (overly broad exclusion) but not an overly permissive grant
+        if statement.principal is None:
+            return issues
+
+        if not isinstance(statement.principal, dict):
+            return issues
+
+        # Check the "Service" key specifically
+        service_principals = statement.principal.get("Service")
+        if service_principals is None:
+            return issues
+
+        # Normalize to list
+        if isinstance(service_principals, str):
+            service_principals = [service_principals]
+
+        # Check for wildcard in service principals
+        for service_principal in service_principals:
+            if service_principal == "*":
+                issues.append(
+                    ValidationIssue(
+                        severity="critical",  # Always critical - extremely permissive
+                        issue_type="service_principal_wildcard",
+                        message=(
+                            'Dangerous service principal wildcard: `"Principal": {"Service": "*"}`. '
+                            "This allows ANY AWS service to access this resource or assume this role. "
+                            "Without source verification conditions, this creates an overly permissive "
+                            "trust relationship."
+                        ),
+                        statement_index=statement_idx,
+                        statement_sid=statement.sid,
+                        line_number=statement.line_number,
+                        suggestion=(
+                            "Replace the wildcard with specific AWS service principals and add "
+                            "source verification conditions:\n\n"
+                            "1. Specify exact services:\n"
+                            '   `"Principal": {"Service": "lambda.amazonaws.com"}`\n\n'
+                            "2. Add source conditions:\n"
+                            "```json\n"
+                            '   "Condition": {\n'
+                            '     "ArnLike": {"aws:SourceArn": "arn:aws:lambda:*:ACCOUNT:function:*"},\n'
+                            '     "StringEquals": {"aws:SourceAccount": "ACCOUNT"}\n\n'
+                            "   }\n"
+                            "```\n"
+                        ),
+                        field_name="principal",
+                    )
+                )
+                break  # One issue is enough
+
+        return issues
+
     def _is_blocked_principal(
         self, principal: str, blocked_list: list[str], service_whitelist: list[str]
     ) -> bool:

iam_validator/core/condition_validators.py

@@ -14,8 +14,17 @@ Supports:
 
 import ipaddress
 import re
+from datetime import datetime
 from typing import Any
 
+# Pre-compiled regex patterns for performance (compiled once at module load)
+# Timezone offset pattern for ISO 8601 dates (e.g., 2025-01-01T12:00:00+00:00)
+_TZ_OFFSET_PATTERN = re.compile(
+    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})"
+    r"(?:\.(\d{1,6}))?"  # Optional milliseconds/microseconds
+    r"([+-])(\d{2}):(\d{2})$"  # Timezone offset
+)
+
 # IAM Condition Operators mapped to their expected value types
 # Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
 CONDITION_OPERATORS = {
@@ -223,6 +232,163 @@ def validate_value_for_type(value_type: str, values: list[Any]) -> tuple[bool, s
     return True, None
 
 
+def _validate_date_value(value_str: str) -> tuple[bool, str | None]:
+    """
+    Validate a date value for IAM condition operators.
+
+    AWS IAM accepts the following date formats:
+    1. ISO 8601 with UTC (Z suffix): 2019-07-16T12:00:00Z
+    2. ISO 8601 with timezone offset: 2019-07-16T12:00:00+00:00
+    3. ISO 8601 with milliseconds: 2019-07-16T12:00:00.000Z
+    4. UNIX epoch timestamp: 1563278400 (seconds since 1970-01-01)
+
+    This function validates both syntactic correctness AND semantic validity
+    (e.g., month must be 1-12, day must be valid for the month).
+
+    Args:
+        value_str: The date string to validate
+
+    Returns:
+        Tuple of (is_valid, error_message)
+
+    Reference:
+        https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date
+    """
+    # Fast path: Check for UNIX epoch timestamp (digits only)
+    # Using str.isdigit() is ~3x faster than re.match(r"^\d+$", ...)
+    if value_str.isdigit():
+        # Validate epoch timestamp is reasonable (not before 1970, not too far in future)
+        try:
+            epoch = int(value_str)
+            # Allow dates from 1970 to year 3000 (covers all reasonable use cases)
+            if epoch > 32503680000:  # Year 3000 in seconds
+                return (
+                    False,
+                    f"UNIX epoch timestamp appears unreasonably large: {value_str}. "
+                    "Expected seconds since 1970-01-01.",
+                )
+            return True, None
+        except (ValueError, OverflowError):
+            return (
+                False,
+                f"Invalid UNIX epoch timestamp: {value_str}. Must be a valid integer.",
+            )
+
+    # Try parsing ISO 8601 formats (ordered by most common first for performance)
+    # Using datetime.strptime with try/except is the most efficient approach
+    # as it validates both format AND semantic validity (e.g., month 13 is rejected)
+    for fmt in (
+        "%Y-%m-%dT%H:%M:%SZ",  # Basic UTC format (most common)
+        "%Y-%m-%dT%H:%M:%S.%fZ",  # With milliseconds
+        "%Y-%m-%d",  # Date only
+    ):
+        try:
+            datetime.strptime(value_str, fmt)
+            return True, None
+        except ValueError:
+            continue
+
+    # Fall back to timezone offset parsing (e.g., +00:00, -05:00)
+    # Uses pre-compiled regex pattern for performance
+    match = _TZ_OFFSET_PATTERN.match(value_str)
+    if match:
+        year, month, day, hour, minute, second = (
+            int(match.group(1)),
+            int(match.group(2)),
+            int(match.group(3)),
+            int(match.group(4)),
+            int(match.group(5)),
+            int(match.group(6)),
+        )
+        tz_hour, tz_minute = int(match.group(9)), int(match.group(10))
+
+        # Validate ranges
+        validation_error = _validate_datetime_components(
+            year, month, day, hour, minute, second, tz_hour, tz_minute
+        )
+        if validation_error:
+            return False, validation_error
+
+        return True, None
+
+    # If nothing matched, provide a helpful error
+    return (
+        False,
+        f"Invalid Date value: `{value_str}`. Expected ISO 8601 format "
+        "(e.g., `2019-07-16T12:00:00Z`, `2019-07-16T12:00:00+00:00`) "
+        "or UNIX epoch timestamp (e.g., `1563278400`).",
+    )
+
+
+def _validate_datetime_components(
+    year: int,
+    month: int,
+    day: int,
+    hour: int,
+    minute: int,
+    second: int,
+    tz_hour: int = 0,
+    tz_minute: int = 0,
+) -> str | None:
+    """
+    Validate individual datetime components for semantic correctness.
+
+    Args:
+        year: Year (1-9999)
+        month: Month (1-12)
+        day: Day (1-31, depends on month)
+        hour: Hour (0-23)
+        minute: Minute (0-59)
+        second: Second (0-59)
+        tz_hour: Timezone hour offset (0-14)
+        tz_minute: Timezone minute offset (0-59)
+
+    Returns:
+        Error message string if invalid, None if valid
+    """
+    # Validate month
+    if not 1 <= month <= 12:
+        return f"Invalid month: {month}. Must be between 1 and 12."
+
+    # Validate day based on month
+    days_in_month = [0, 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
+
+    # Handle leap year for February
+    is_leap_year = (year % 4 == 0 and year % 100 != 0) or (year % 400 == 0)
+    if is_leap_year and month == 2:
+        max_day = 29
+    else:
+        max_day = days_in_month[month]
+
+    if not 1 <= day <= max_day:
+        return f"Invalid day: {day}. For month {month}, day must be between 1 and {max_day}."
+
+    # Validate hour
+    if not 0 <= hour <= 23:
+        return f"Invalid hour: {hour}. Must be between 0 and 23."
+
+    # Validate minute
+    if not 0 <= minute <= 59:
+        return f"Invalid minute: {minute}. Must be between 0 and 59."
+
+    # Validate second (allow 59 for leap seconds)
+    if not 0 <= second <= 59:
+        return f"Invalid second: {second}. Must be between 0 and 59."
+
+    # Validate timezone offset (max +/- 14:00 per ISO 8601)
+    if not 0 <= tz_hour <= 14:
+        return f"Invalid timezone hour offset: {tz_hour}. Must be between 0 and 14."
+
+    if not 0 <= tz_minute <= 59:
+        return f"Invalid timezone minute offset: {tz_minute}. Must be between 0 and 59."
+
+    # Validate that tz offset doesn't exceed 14:00
+    if tz_hour == 14 and tz_minute > 0:
+        return "Invalid timezone offset. Maximum is +/-14:00."
+
+    return None
+
+
 def _validate_single_value(value_type: str, value_str: str) -> tuple[bool, str | None]:
     """
     Validate a single value against its expected type.
@@ -256,15 +422,15 @@ def _validate_single_value(value_type: str, value_str: str) -> tuple[bool, str |
             return False, f"Expected Bool value (true/false) but got: {value_str}"
 
     elif value_type == "Date":
-        # Date: W3C ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ) or UNIX epoch timestamp
-        iso_pattern = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"
-        epoch_pattern = r"^\d+$"
-
-        if not (re.match(iso_pattern, value_str) or re.match(epoch_pattern, value_str)):
-            return (
-                False,
-                f"Expected Date value (2019-07-16T12:00:00Z or UNIX epoch timestamp) but got: {value_str}",
-            )
+        # Date: W3C ISO 8601 format or UNIX epoch timestamp
+        # AWS accepts multiple ISO 8601 variants:
+        # - 2019-07-16T12:00:00Z (UTC with Z suffix)
+        # - 2019-07-16T12:00:00+00:00 (with timezone offset)
+        # - 2019-07-16T12:00:00.000Z (with milliseconds)
+        # - UNIX epoch timestamp (seconds since 1970-01-01)
+        is_valid_date, date_error = _validate_date_value(value_str)
+        if not is_valid_date:
+            return False, date_error
 
     elif value_type == "IPAddress":
         # IP Address: IPv4 or IPv6 with optional CIDR notation

iam_validator/core/config/defaults.py

@@ -238,18 +238,26 @@ DEFAULT_CONFIG = {
     # Applies to: S3 buckets, SNS topics, SQS queues, Lambda functions, etc.
     # Only runs when: --policy-type RESOURCE_POLICY
     #
-    # Three control mechanisms:
-    #   1. blocked_principals - Block specific principals (deny list)
-    #   2. allowed_principals - Allow only specific principals (whitelist mode)
-    #   3. principal_condition_requirements - Require conditions for principals
-    #   4. allowed_service_principals - Always allow AWS service principals
+    # Control mechanisms:
+    #   1. block_wildcard_principal - Simple toggle for wildcard principal handling
+    #   2. blocked_principals - Block specific principals (deny list)
+    #   3. allowed_principals - Allow only specific principals (whitelist mode)
+    #   4. principal_condition_requirements - Require conditions for principals
+    #   5. allowed_service_principals - Always allow AWS service principals
+    #   6. block_service_principal_wildcard - Block {"Service": "*"} patterns
     "principal_validation": {
         "enabled": True,
         "severity": "high",  # Security issue, not IAM validity error
         "description": "Validates Principal elements in resource policies for security best practices",
-        # blocked_principals: Deny list - these principals are never allowed
-        # Default: ["*"] blocks public access
-        "blocked_principals": ["*"],
+        # block_wildcard_principal: Strict mode toggle for Principal: "*"
+        #   false (default): Allow wildcard principal but require conditions
+        #   true: Block wildcard principal entirely - strictest option
+        # When false, principal_condition_requirements for "*" are enforced,
+        # allowing patterns like S3 bucket policies with aws:SourceArn conditions.
+        "block_wildcard_principal": False,
+        # blocked_principals: Deny list - additional principals to block
+        # Note: When block_wildcard_principal is true, "*" is automatically blocked.
+        "blocked_principals": [],
         # allowed_principals: Whitelist mode - when set, ONLY these are allowed
         # Default: [] allows all (except blocked)
         "allowed_principals": [],
@@ -262,6 +270,12 @@ DEFAULT_CONFIG = {
         # Default: ["aws:*"] allows ALL AWS service principals
         # Note: "aws:*" is different from "*" (public access)
         "allowed_service_principals": ["aws:*"],
+        # block_service_principal_wildcard: Block {"Service": "*"} in Principal
+        # This pattern allows ANY AWS service to access the resource, which is
+        # extremely permissive. Without source verification conditions like
+        # aws:SourceArn or aws:SourceAccount, this creates a security risk.
+        # Default: True (always block this dangerous pattern)
+        "block_service_principal_wildcard": True,
     },
     # ========================================================================
     # 10. TRUST POLICY VALIDATION