iam-policy-validator 1.15.1__tar.gz → 1.15.2__tar.gz

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/CHANGELOG.md

@@ -13,6 +13,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [1.15.2] - 2025-01-26
+
+### Added
+
+**Confused Deputy Protection**
+
+- Service principal wildcard detection (`{"Service": "*"}`) - critical severity
+  - Detects dangerous patterns allowing any AWS service to access resources or assume roles
+  - Enabled by default via `block_service_principal_wildcard: true`
+  - Only checks `Principal` field (not `NotPrincipal`, which is an exclusion)
+- New configuration options for `principal_validation`:
+  - `block_wildcard_principal` - strict mode to block `*` entirely (default: false)
+  - `block_service_principal_wildcard` - block `{"Service": "*"}` patterns (default: true)
+- Improved handling of `Principal: "*"` with conditions for confused deputy prevention
+  - Default requires source verification (`aws:SourceArn`, `aws:SourceAccount`, `aws:SourceVpce`, or `aws:SourceIp`)
+
+**Condition Type Validation Improvements**
+
+- Enhanced ISO 8601 date validation with semantic checks:
+  - Validates month range (1-12)
+  - Validates day range based on month (1-28/29/30/31)
+  - Validates hour (0-23), minute (0-59), second (0-59)
+  - Leap year detection for February 29
+  - Timezone offset validation
+
+### Changed
+
+- `principal_validation` default behavior now allows `*` with conditions
+  - Use `block_wildcard_principal: true` to restore strict blocking
+- Duplicate findings avoided when service principal wildcard is detected
+
+---
+
+## [1.15.1] - 2025-01-24
+
+### Fixed
+
+**Condition Key Validation for aws:RequestTag and aws:ResourceTag**
+
+- `aws:RequestTag/${TagKey}` and `aws:ResourceTag/${TagKey}` now correctly validated as action/resource-specific condition keys (not global)
+- These keys are only valid for actions that create/modify tagged resources (e.g., `iam:CreatePolicy`, `iam:CreateRole`)
+- Invalid usage now flagged with descriptive error messages explaining the key is only for tagging operations
+- Example: `iam:SetDefaultPolicyVersion` with `aws:RequestTag/owner` now correctly fails validation
+
+---
+
 ## [1.15.0] - 2025-01-22
 
 ### Added
@@ -353,11 +399,10 @@ This project follows [Semantic Versioning](https://semver.org/):
 
 ### Supported Versions
 
-| Version | Support Status         |
-| ------- | ---------------------- |
-| 1.15.x  | ✅ Active development  |
-| 1.14.x  | ⚠️ Critical fixes only |
-| < 1.14  | ❌ End of life         |
+| Version | Support Status        |
+| ------- | --------------------- |
+| 1.15.x  | ✅ Active development |
+| < 1.15  | ❌ End of life        |
 
 ### Deprecation Policy
 
@@ -404,7 +449,9 @@ iam-validator validate --policy-type RESOURCE_CONTROL_POLICY policies/
 
 ---
 
-[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...HEAD
+[Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.2...HEAD
+[1.15.2]: https://github.com/boogy/iam-policy-validator/compare/v1.15.1...v1.15.2
+[1.15.1]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...v1.15.1
 [1.15.0]: https://github.com/boogy/iam-policy-validator/compare/v1.14.7...v1.15.0
 [1.14.7]: https://github.com/boogy/iam-policy-validator/compare/v1.14.6...v1.14.7
 [1.14.6]: https://github.com/boogy/iam-policy-validator/compare/v1.14.5...v1.14.6

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.1
+Version: 1.15.2
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -99,8 +99,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
-    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObjekt",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
+    }
   ]
 }
 ```
@@ -111,7 +119,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
   ]
 }
 ```
@@ -122,7 +134,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
+    }
   ]
 }
 ```
@@ -228,7 +244,8 @@ action_condition_enforcement:
           description: "Restrict which services can use passed roles"
 
     # Enforce IP restrictions for privileged actions (automation from CI/CD)
-    - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
+    - actions:
+        ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
           expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -270,9 +287,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
 ```json
 {
   "Statement": [
-    {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
-    {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
-    {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+    {
+      "Sid": "AllowUserManagement",
+      "Action": "iam:CreateUser",
+      "Resource": "*"
+    },
+    { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
+    {
+      "Sid": "AllowPolicyAttachment",
+      "Action": "iam:AttachUserPolicy",
+      "Resource": "*"
+    }
   ]
 }
 ```
@@ -408,9 +433,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
 - uses: boogy/iam-policy-validator@v1
   with:
     path: policies/
-    github-review: true        # Inline PR comments
-    github-summary: true       # Actions summary tab
-    fail-on-severity: high     # Block merge on high/critical
+    github-review: true # Inline PR comments
+    github-summary: true # Actions summary tab
+    fail-on-severity: high # Block merge on high/critical
 ```
 
 ---
@@ -440,14 +465,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                     | What It Catches                                        |
-| ------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| Check                     | What It Catches                                          |
+| ------------------------- | -------------------------------------------------------- |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions                 |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources                 |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)    |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                  |
 | **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
-| **Condition Enforcement** | Organization-specific condition requirements           |
+| **Condition Enforcement** | Organization-specific condition requirements             |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -540,7 +565,7 @@ action_condition_enforcement:
     - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
-          expected_value: ["10.0.0.0/8", "52.94.76.0/24"]  # Corporate + GitHub Actions
+          expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
 
 # Ignore patterns
 ignore_patterns:
@@ -677,19 +702,19 @@ iam-validator analyze --path new-policy.json \
 
 ## Comparison Matrix
 
-| Feature                        | IAM Policy Validator             | IAM Lens                      | IAMSpy                 | Policy Sentry              |
-| ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
-| **Primary Purpose**            | Pre-deployment validation        | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
-| **Use Case**                   | CI/CD policy scanning            | "What can this principal do?" | Pentesting/audit       | Policy creation            |
-| **Custom Security Rules**      | ✅ Full support                   | ❌ No                          | ❌ No                   | ❌ No                       |
+| Feature                        | IAM Policy Validator              | IAM Lens                      | IAMSpy                 | Policy Sentry              |
+| ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
+| **Primary Purpose**            | Pre-deployment validation         | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
+| **Use Case**                   | CI/CD policy scanning             | "What can this principal do?" | Pentesting/audit       | Policy creation            |
+| **Custom Security Rules**      | ✅ Full support                   | ❌ No                         | ❌ No                  | ❌ No                      |
 | **Cross-Statement Patterns**   | ✅ Privilege escalation detection | N/A (different purpose)       | N/A                    | N/A                        |
-| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                   | ✅ Generates correct        |
-| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup                | ⚠️ Manual               | ⚠️ Manual                   |
-| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data       | ⚠️ Static               | ✅ Official API             |
-| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account           | ✅ Yes                  | ❌ Needs internet           |
-| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)    | ⚠️ Enumerate only       | ✅ Excellent                |
+| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                  | ✅ Generates correct       |
+| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup               | ⚠️ Manual              | ⚠️ Manual                  |
+| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data      | ⚠️ Static              | ✅ Official API            |
+| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account          | ✅ Yes                 | ❌ Needs internet          |
+| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)   | ⚠️ Enumerate only      | ✅ Excellent               |
 
 **Choose this tool if you:**
 

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/README.md

@@ -47,8 +47,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
-    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObjekt",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "iam:PassRole",
+      "Resource": "arn:aws:iam::123456789012:role/lambda-role"
+    }
   ]
 }
 ```
@@ -59,7 +67,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
+    {
+      "Effect": "Allow",
+      "Action": "s3:GetObject",
+      "Resource": "arn:aws:s3:::my-bucket/*"
+    }
   ]
 }
 ```
@@ -70,7 +82,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
 {
   "Version": "2012-10-17",
   "Statement": [
-    {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
+    {
+      "Effect": "Allow",
+      "Action": "lambda:InvokeFunction",
+      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
+    }
   ]
 }
 ```
@@ -176,7 +192,8 @@ action_condition_enforcement:
           description: "Restrict which services can use passed roles"
 
     # Enforce IP restrictions for privileged actions (automation from CI/CD)
-    - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
+    - actions:
+        ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
           expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -218,9 +235,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
 ```json
 {
   "Statement": [
-    {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
-    {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
-    {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+    {
+      "Sid": "AllowUserManagement",
+      "Action": "iam:CreateUser",
+      "Resource": "*"
+    },
+    { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
+    {
+      "Sid": "AllowPolicyAttachment",
+      "Action": "iam:AttachUserPolicy",
+      "Resource": "*"
+    }
   ]
 }
 ```
@@ -356,9 +381,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
 - uses: boogy/iam-policy-validator@v1
   with:
     path: policies/
-    github-review: true        # Inline PR comments
-    github-summary: true       # Actions summary tab
-    fail-on-severity: high     # Block merge on high/critical
+    github-review: true # Inline PR comments
+    github-summary: true # Actions summary tab
+    fail-on-severity: high # Block merge on high/critical
 ```
 
 ---
@@ -388,14 +413,14 @@ Validates against official AWS IAM requirements:
 
 Identifies overly permissive configurations:
 
-| Check                     | What It Catches                                        |
-| ------------------------- | ------------------------------------------------------ |
-| **Wildcard Action**       | `Action: "*"` grants all AWS permissions               |
-| **Wildcard Resource**     | `Resource: "*"` applies to all resources               |
-| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)  |
-| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                |
+| Check                     | What It Catches                                          |
+| ------------------------- | -------------------------------------------------------- |
+| **Wildcard Action**       | `Action: "*"` grants all AWS permissions                 |
+| **Wildcard Resource**     | `Resource: "*"` applies to all resources                 |
+| **Full Wildcard**         | Both `Action: "*"` AND `Resource: "*"` (admin access)    |
+| **Service Wildcards**     | `s3:*`, `iam:*`, `ec2:*` (overly broad)                  |
 | **Sensitive Actions**     | 490+ privilege escalation patterns and dangerous actions |
-| **Condition Enforcement** | Organization-specific condition requirements           |
+| **Condition Enforcement** | Organization-specific condition requirements             |
 
 **Note on Sensitive Actions:** This check has two modes:
 
@@ -488,7 +513,7 @@ action_condition_enforcement:
     - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
       required_conditions:
         - condition_key: "aws:SourceIp"
-          expected_value: ["10.0.0.0/8", "52.94.76.0/24"]  # Corporate + GitHub Actions
+          expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
 
 # Ignore patterns
 ignore_patterns:
@@ -625,19 +650,19 @@ iam-validator analyze --path new-policy.json \
 
 ## Comparison Matrix
 
-| Feature                        | IAM Policy Validator             | IAM Lens                      | IAMSpy                 | Policy Sentry              |
-| ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
-| **Primary Purpose**            | Pre-deployment validation        | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
-| **Use Case**                   | CI/CD policy scanning            | "What can this principal do?" | Pentesting/audit       | Policy creation            |
-| **Custom Security Rules**      | ✅ Full support                   | ❌ No                          | ❌ No                   | ❌ No                       |
+| Feature                        | IAM Policy Validator              | IAM Lens                      | IAMSpy                 | Policy Sentry              |
+| ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
+| **Primary Purpose**            | Pre-deployment validation         | Runtime permission analysis   | Permission enumeration | Least-privilege generation |
+| **Use Case**                   | CI/CD policy scanning             | "What can this principal do?" | Pentesting/audit       | Policy creation            |
+| **Custom Security Rules**      | ✅ Full support                   | ❌ No                         | ❌ No                  | ❌ No                      |
 | **Cross-Statement Patterns**   | ✅ Privilege escalation detection | N/A (different purpose)       | N/A                    | N/A                        |
-| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                   | ✅ Generates correct        |
-| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup                | ⚠️ Manual               | ⚠️ Manual                   |
-| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                          | ❌ No                   | ❌ No                       |
-| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data       | ⚠️ Static               | ✅ Official API             |
-| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account           | ✅ Yes                  | ❌ Needs internet           |
-| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)    | ⚠️ Enumerate only       | ✅ Excellent                |
+| **Action-Resource Validation** | ✅ Catches incompatible pairs     | N/A                           | ❌ No                  | ✅ Generates correct       |
+| **Organization Conditions**    | ✅ IP, tags, encryption, etc.     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **CI/CD Ready**                | ✅ GitHub Actions native          | ⚠️ Manual setup               | ⚠️ Manual              | ⚠️ Manual                  |
+| **PR Line Comments**           | ✅ Diff-aware                     | ❌ No                         | ❌ No                  | ❌ No                      |
+| **AWS Service Data**           | ✅ Official API (auto-update)     | ✅ Real AWS account data      | ⚠️ Static              | ✅ Official API            |
+| **Offline Mode**               | ✅ Yes                            | ❌ Needs AWS account          | ✅ Yes                 | ❌ Needs internet          |
+| **Query Permissions**          | ✅ Yes                            | ✅ Yes (different approach)   | ⚠️ Enumerate only      | ✅ Excellent               |
 
 **Choose this tool if you:**
 

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/SECURITY.md

@@ -15,6 +15,7 @@ We appreciate responsible disclosure of security vulnerabilities. If you discove
 Instead, please report security issues via one of these methods:
 
 1. **GitHub Security Advisories** (Preferred)
+
    - Go to the [Security Advisories page](https://github.com/boogy/iam-policy-validator/security/advisories)
    - Click "Report a vulnerability"
    - Provide detailed information about the vulnerability
@@ -205,9 +206,9 @@ Configure minimal permissions for GitHub Actions:
 
 ```yaml
 permissions:
-  contents: read           # Required: Read repository content
-  pull-requests: write     # Required: Post PR comments
-  id-token: write         # Required only for AWS OIDC authentication
+  contents: read # Required: Read repository content
+  pull-requests: write # Required: Post PR comments
+  id-token: write # Required only for AWS OIDC authentication
 ```
 
 ## Contact

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/docs/user-guide/checks/index.md

@@ -51,7 +51,7 @@ IAM Policy Validator includes 19 built-in checks across three categories.
 | `policy_size`               | error    | Character size limits                |
 | `sid_uniqueness`            | warning  | Unique SIDs                          |
 | `set_operator_validation`   | error    | ForAllValues/ForAnyValue usage       |
-| `principal_validation`      | high     | Principal format (resource policies) |
+| `principal_validation`      | high     | Principal validation & confused deputy protection |
 | `mfa_condition_antipattern` | warning  | MFA anti-patterns                    |
 
 ### Security Checks

{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.2}/docs/user-guide/checks/security-checks.md

@@ -34,10 +34,7 @@ Replace with specific actions and resources:
 ```json
 {
   "Effect": "Allow",
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject"
-  ],
+  "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::my-bucket/*"
 }
 ```
@@ -205,10 +202,7 @@ Use specific actions or action patterns:
 ```json
 {
   "Effect": "Allow",
-  "Action": [
-    "s3:Get*",
-    "s3:List*"
-  ],
+  "Action": ["s3:Get*", "s3:List*"],
   "Resource": "*"
 }
 ```
@@ -258,17 +252,120 @@ Add conditions to restrict usage:
 
 ## principal_validation
 
-Validates Principal elements in resource policies.
+Validates Principal elements in resource policies and trust policies.
 
-**Severity:** `high`
+**Severity:** `high` (varies by issue type)
 
 ### What It Checks
 
-- Blocks dangerous principals (`*`, anonymous access)
-- Validates AWS account IDs
-- Checks service principal format
+- **Service Principal Wildcards** (`critical`): Detects dangerous `{"Service": "*"}` patterns
+- **Wildcard Principals** (configurable): Detects `Principal: "*"` or `{"AWS": "*"}`
+- **Blocked Principals**: Validates against configurable blocked list
+- **Allowed Principals**: Enforces whitelist when configured
+- **Principal Condition Requirements**: Requires specific conditions for certain principals
+- **Service Principal Format**: Validates AWS service principal format
 
-### Fail Example
+### Service Principal Wildcards (Critical)
+
+The most dangerous pattern is `{"Service": "*"}` in trust policies, which allows **any AWS service** to assume a role.
+
+```json
+{
+  "Effect": "Allow",
+  "Principal": { "Service": "*" },
+  "Action": "sts:AssumeRole"
+}
+```
+
+This is flagged as **critical** because it creates an extremely permissive trust relationship. Any AWS service - including services you don't control - could potentially assume this role.
+
+**Note:** `NotPrincipal: {"Service": "*"}` is NOT flagged because it means "everyone EXCEPT all services", which is an exclusion, not an overly permissive grant.
+
+### Wildcard Principal Handling
+
+The check supports two modes for handling `Principal: "*"`:
+
+1. **Default mode** (`block_wildcard_principal: false`): Allows `*` if appropriate conditions are present (configured via `principal_condition_requirements`)
+2. **Strict mode** (`block_wildcard_principal: true`): Blocks `*` entirely, regardless of conditions
+
+#### When Wildcard with Conditions is Valid
+
+Some use cases legitimately require `Principal: "*"` with conditions:
+
+- **S3 bucket policies** with `aws:SourceArn` and `aws:SourceAccount`
+- **SNS topic policies** for cross-account subscriptions
+- **Trust policies** with `sts:ExternalId` for confused deputy protection
+
+```json
+{
+  "Effect": "Allow",
+  "Principal": "*",
+  "Action": "s3:GetObject",
+  "Resource": "arn:aws:s3:::bucket/*",
+  "Condition": {
+    "StringEquals": {
+      "aws:SourceAccount": "123456789012"
+    },
+    "ArnLike": {
+      "aws:SourceArn": "arn:aws:s3:::source-bucket"
+    }
+  }
+}
+```
+
+### Configuration Options
+
+```yaml
+principal_validation:
+  enabled: true
+
+  # Strict mode: block * entirely (default: false)
+  block_wildcard_principal: false
+
+  # Block {"Service": "*"} patterns (default: true)
+  block_service_principal_wildcard: true
+
+  # Explicit block list
+  blocked_principals:
+    - "arn:aws:iam::*:root"
+
+  # Whitelist mode (when set, only these are allowed)
+  allowed_principals:
+    - "arn:aws:iam::123456789012:*"
+
+  # Condition requirements for specific principals
+  principal_condition_requirements:
+    - principals: ["*"]
+      required_conditions:
+        any_of:
+          - condition_key: "aws:SourceArn"
+          - condition_key: "aws:SourceAccount"
+```
+
+### Fail Examples
+
+**Critical - Service Principal Wildcard:**
+
+```json
+{
+  "Effect": "Allow",
+  "Principal": { "Service": "*" },
+  "Action": "sts:AssumeRole"
+}
+```
+
+**High - Wildcard without conditions (strict mode):**
+
+```json
+{
+  "Effect": "Allow",
+  "Principal": "*",
+  "Action": "s3:GetObject",
+  "Resource": "arn:aws:s3:::bucket/*"
+}
+```
+
+**Medium - Missing required conditions (default mode):**
 
 ```json
 {
@@ -281,7 +378,17 @@ Validates Principal elements in resource policies.
 
 ### How to Fix
 
-Restrict to specific principals:
+**For service principal wildcards - specify the service:**
+
+```json
+{
+  "Effect": "Allow",
+  "Principal": { "Service": "lambda.amazonaws.com" },
+  "Action": "sts:AssumeRole"
+}
+```
+
+**For wildcard principals - add conditions or specify principal:**
 
 ```json
 {
@@ -354,11 +461,7 @@ Replace NotAction with explicit Action lists:
 ```json
 {
   "Effect": "Allow",
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject",
-    "dynamodb:Query"
-  ],
+  "Action": ["s3:GetObject", "s3:PutObject", "dynamodb:Query"],
   "Resource": [
     "arn:aws:s3:::my-bucket/*",
     "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
@@ -374,7 +477,8 @@ If NotAction is truly required, add strict conditions:
   "NotAction": ["iam:*", "sts:*"],
   "Resource": "*",
   "Condition": {
-    "Bool": {"aws:MultiFactorAuthPresent": "true"},
-    "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
+    "Bool": { "aws:MultiFactorAuthPresent": "true" },
+    "IpAddress": { "aws:SourceIp": "10.0.0.0/8" }
   }
 }
+```