iam-policy-validator 1.15.1__tar.gz → 1.15.3__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (369) hide show
  1. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/ci.yml +4 -4
  2. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/cleanup-prereleases.yml +1 -1
  3. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/codeql.yml +4 -4
  4. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/docs.yml +1 -1
  5. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/pre-release.yml +1 -1
  6. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/release.yml +2 -2
  7. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/scorecard.yml +2 -2
  8. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/CHANGELOG.md +53 -6
  9. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/PKG-INFO +57 -32
  10. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/README.md +56 -31
  11. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/SECURITY.md +4 -3
  12. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/integrations/mcp-server.md +392 -157
  13. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/checks/index.md +1 -1
  14. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/checks/security-checks.md +126 -22
  15. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/configuration.md +73 -3
  16. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/full-reference-config.yaml +140 -41
  17. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/__version__.py +1 -1
  18. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/mfa_condition_check.py +50 -1
  19. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/not_action_not_resource.py +54 -24
  20. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/principal_validation.py +149 -10
  21. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/condition_validators.py +175 -9
  22. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/defaults.py +22 -8
  23. iam_policy_validator-1.15.3/tests/checks/test_condition_type_mismatch.py +326 -0
  24. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_mfa_condition_check.py +20 -3
  25. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_not_action_not_resource.py +7 -1
  26. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_principal_validation_check.py +212 -6
  27. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/uv.lock +167 -156
  28. iam_policy_validator-1.15.1/tests/checks/test_condition_type_mismatch.py +0 -125
  29. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/dependabot.yml +0 -0
  30. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.gitignore +0 -0
  31. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/CONTRIBUTING.md +0 -0
  32. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/LICENSE +0 -0
  33. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/Makefile +0 -0
  34. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/action.yaml +0 -0
  35. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/api-reference/checks.md +0 -0
  36. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/api-reference/exceptions.md +0 -0
  37. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/api-reference/index.md +0 -0
  38. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/api-reference/models.md +0 -0
  39. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/api-reference/sdk.md +0 -0
  40. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/changelog.md +0 -0
  41. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/contributing/development-setup.md +0 -0
  42. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/contributing/index.md +0 -0
  43. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/contributing/releasing.md +0 -0
  44. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/contributing/testing.md +0 -0
  45. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/architecture.md +0 -0
  46. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/custom-checks/best-practices.md +0 -0
  47. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/custom-checks/examples.md +0 -0
  48. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/custom-checks/index.md +0 -0
  49. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/custom-checks/tutorial.md +0 -0
  50. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/index.md +0 -0
  51. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/sdk/advanced.md +0 -0
  52. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/sdk/index.md +0 -0
  53. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/sdk/policy-utilities.md +0 -0
  54. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/sdk/quickstart.md +0 -0
  55. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/developer-guide/sdk/validation.md +0 -0
  56. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/getting-started/first-validation.md +0 -0
  57. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/getting-started/index.md +0 -0
  58. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/getting-started/installation.md +0 -0
  59. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/getting-started/quickstart.md +0 -0
  60. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/includes/abbreviations.md +0 -0
  61. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/index.md +0 -0
  62. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/integrations/github-actions.md +0 -0
  63. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/integrations/gitlab-ci.md +0 -0
  64. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/integrations/index.md +0 -0
  65. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/integrations/pre-commit.md +0 -0
  66. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/stylesheets/extra.css +0 -0
  67. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/checks/advanced-checks.md +0 -0
  68. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/checks/aws-validation.md +0 -0
  69. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/cli-reference.md +0 -0
  70. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/index.md +0 -0
  71. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/output-formats.md +0 -0
  72. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/docs/user-guide/troubleshooting.md +0 -0
  73. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/README.md +0 -0
  74. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/access-analyzer/example1.json +0 -0
  75. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/access-analyzer/example2.json +0 -0
  76. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/aws-service-definitions/iam.json +0 -0
  77. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/aws-service-definitions/s3.json +0 -0
  78. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/github-labels-config.yaml +0 -0
  79. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/minimal-validation-config.yaml +0 -0
  80. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/offline-validation.yaml +0 -0
  81. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/policy-level-condition-enforcement-config.yaml +0 -0
  82. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/configs/strict-security.yaml +0 -0
  83. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/custom_checks/cross_account_external_id_check.py +0 -0
  84. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/custom_checks/domain_restriction_check.py +0 -0
  85. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/access-analyzer-only.yaml +0 -0
  86. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/basic-validation.yaml +0 -0
  87. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/custom-policy-checks.yaml +0 -0
  88. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/multi-region-validation.yaml +0 -0
  89. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/resource-policy-validation.yaml +0 -0
  90. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/sarif-code-scanning.yaml +0 -0
  91. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/sequential-validation.yaml +0 -0
  92. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/two-step-validation.yaml +0 -0
  93. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/github-actions/validate-changed-files.yaml +0 -0
  94. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/allowed-wildcard-resource.json +0 -0
  95. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/api_gateway_management.json +0 -0
  96. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/athena_query_access.json +0 -0
  97. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/backup_vault_access.json +0 -0
  98. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/cloudformation_deployer.json +0 -0
  99. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/cloudwatch_monitoring.json +0 -0
  100. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/cognito_user_pool.json +0 -0
  101. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/dynamodb_table_access.json +0 -0
  102. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/ecs_task_execution.json +0 -0
  103. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/eventbridge_rules.json +0 -0
  104. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/glue_etl_jobs.json +0 -0
  105. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/insecure_policy.json +0 -0
  106. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/insecure_policy.yaml +0 -0
  107. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/invalid-resource-constraint.json +0 -0
  108. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/invalid-sid-special-chars.json +0 -0
  109. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/invalid-sid-with-spaces.json +0 -0
  110. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/invalid_policy.json +0 -0
  111. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/kms_encryption_keys.json +0 -0
  112. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/lambda_developer.json +0 -0
  113. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/lambda_developer.yaml +0 -0
  114. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/maximum_size_policy.json +0 -0
  115. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/policy_missing_required_tags.json +0 -0
  116. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/policy_tag_enforcement_example.json +0 -0
  117. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/policy_with_wildcard_resources.json +0 -0
  118. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/privilege_escalation_scattered.json +0 -0
  119. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/rds_database_admin.json +0 -0
  120. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/s3_bucket_access.yaml +0 -0
  121. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/sample_policy.json +0 -0
  122. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/sample_policy.yaml +0 -0
  123. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/secrets_manager_access.json +0 -0
  124. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/sensitive-action-wildcards.json +0 -0
  125. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/sns_sqs_messaging.json +0 -0
  126. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/step_functions_workflow.json +0 -0
  127. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/terraform-template-policy.json +0 -0
  128. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/test_none_of_valid.json +0 -0
  129. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/test_none_of_violations.json +0 -0
  130. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/valid-sid-formats.json +0 -0
  131. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/wildcard_examples.json +0 -0
  132. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/wildcard_examples.yaml +0 -0
  133. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/wrong-condition-key.json +0 -0
  134. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/identity-policies/wrong-s3-condition.json +0 -0
  135. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-invalid-allow-effect.json +0 -0
  136. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-invalid-not-action.json +0 -0
  137. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-invalid-specific-principal.json +0 -0
  138. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-invalid-unsupported-service.json +0 -0
  139. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-invalid-wildcard-action.json +0 -0
  140. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-control-policies/rcp-valid-enforce-encryption.json +0 -0
  141. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/backup-vault-policy-org-access.json +0 -0
  142. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/ecr-repository-policy-org-restricted.json +0 -0
  143. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/ecr-repository-policy-public.json +0 -0
  144. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/efs-filesystem-policy-vpc-only.json +0 -0
  145. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/glacier-vault-policy-cross-account.json +0 -0
  146. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/kms-key-policy-cross-account.json +0 -0
  147. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/kms-key-policy-insecure.json +0 -0
  148. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/kms-key-policy-org-restricted.json +0 -0
  149. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/kms-key-policy-service-specific.json +0 -0
  150. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/lambda-permission-api-gateway.json +0 -0
  151. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/lambda-permission-cross-account-invoke.json +0 -0
  152. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/lambda-permission-eventbridge-multiple.json +0 -0
  153. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/lambda-permission-public-url.json +0 -0
  154. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/lambda-permission-s3-trigger.json +0 -0
  155. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/opensearch-domain-policy-ip-restricted.json +0 -0
  156. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-cloudfront.json +0 -0
  157. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-cross-account-org.json +0 -0
  158. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-insecure-transport.json +0 -0
  159. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-ip-restriction.json +0 -0
  160. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-public-with-conditions.json +0 -0
  161. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-public.json +0 -0
  162. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-specific-account.json +0 -0
  163. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-vpc-endpoint.json +0 -0
  164. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/s3-bucket-policy-wildcard-actions.json +0 -0
  165. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/secrets-manager-policy-cross-account.json +0 -0
  166. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sns-topic-policy-cross-account-mfa.json +0 -0
  167. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sns-topic-policy-cross-account.json +0 -0
  168. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sns-topic-policy-eventbridge.json +0 -0
  169. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sns-topic-policy-org-wide.json +0 -0
  170. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sns-topic-policy-public-no-conditions.json +0 -0
  171. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sqs-queue-policy-cross-account-role.json +0 -0
  172. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sqs-queue-policy-iam-users-mfa.json +0 -0
  173. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sqs-queue-policy-public.json +0 -0
  174. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/resource-policies/sqs-queue-policy-sns-subscription.json +0 -0
  175. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/service-control-policies/deny-root-account-usage.json +0 -0
  176. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/service-control-policies/require-mfa.json +0 -0
  177. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/service-control-policies/restrict-regions.json +0 -0
  178. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/correct-condition-wrong-key.json +0 -0
  179. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/dynamodb-wrong-resources.json +0 -0
  180. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/ec2-wrong-resources.json +0 -0
  181. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/iam-wrong-resources.json +0 -0
  182. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/lambda-wrong-resources.json +0 -0
  183. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/s3-wrong-resources.json +0 -0
  184. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/sqs-sns-wrong-resources.json +0 -0
  185. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/iam-test-policies/wrong_actions_mismatch/typo-condition-field.json +0 -0
  186. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/mcp-llm-instructions/README.md +0 -0
  187. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/mcp-llm-instructions/SYSTEM_PROMPT.md +0 -0
  188. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/mcp-llm-instructions/example_conversation.md +0 -0
  189. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/mcp-llm-instructions/organization_config.yaml +0 -0
  190. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/quick-start/lambda-policy.json +0 -0
  191. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/quick-start/s3-policy.json +0 -0
  192. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/quick-start/user-policy.json +0 -0
  193. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/trust-policies/INVALID-wrong-principal-type.json +0 -0
  194. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/trust-policies/cross-account-trust-policy.json +0 -0
  195. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/trust-policies/github-actions-oidc-trust-policy.json +0 -0
  196. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/trust-policies/lambda-service-role-trust-policy.json +0 -0
  197. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/examples/trust-policies/saml-federated-trust-policy.json +0 -0
  198. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/__init__.py +0 -0
  199. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/__main__.py +0 -0
  200. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/__init__.py +0 -0
  201. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/action_condition_enforcement.py +0 -0
  202. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/action_resource_matching.py +0 -0
  203. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/action_validation.py +0 -0
  204. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/condition_key_validation.py +0 -0
  205. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/condition_type_mismatch.py +0 -0
  206. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/full_wildcard.py +0 -0
  207. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/policy_size.py +0 -0
  208. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/policy_structure.py +0 -0
  209. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/policy_type_validation.py +0 -0
  210. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/resource_validation.py +0 -0
  211. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/sensitive_action.py +0 -0
  212. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/service_wildcard.py +0 -0
  213. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/set_operator_validation.py +0 -0
  214. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/sid_uniqueness.py +0 -0
  215. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/trust_policy_validation.py +0 -0
  216. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/utils/__init__.py +0 -0
  217. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/utils/action_parser.py +0 -0
  218. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/utils/policy_level_checks.py +0 -0
  219. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/utils/sensitive_action_matcher.py +0 -0
  220. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/utils/wildcard_expansion.py +0 -0
  221. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/wildcard_action.py +0 -0
  222. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/checks/wildcard_resource.py +0 -0
  223. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/__init__.py +0 -0
  224. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/analyze.py +0 -0
  225. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/base.py +0 -0
  226. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/cache.py +0 -0
  227. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/completion.py +0 -0
  228. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/download_services.py +0 -0
  229. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/mcp.py +0 -0
  230. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/post_to_pr.py +0 -0
  231. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/query.py +0 -0
  232. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/commands/validate.py +0 -0
  233. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/__init__.py +0 -0
  234. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/access_analyzer.py +0 -0
  235. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/access_analyzer_report.py +0 -0
  236. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_fetcher.py +0 -0
  237. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/__init__.py +0 -0
  238. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/cache.py +0 -0
  239. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/client.py +0 -0
  240. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/fetcher.py +0 -0
  241. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/parsers.py +0 -0
  242. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/patterns.py +0 -0
  243. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/storage.py +0 -0
  244. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/aws_service/validators.py +0 -0
  245. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/check_registry.py +0 -0
  246. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/cli.py +0 -0
  247. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/codeowners.py +0 -0
  248. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/__init__.py +0 -0
  249. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/aws_api.py +0 -0
  250. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/aws_global_conditions.py +0 -0
  251. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/category_suggestions.py +0 -0
  252. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/check_documentation.py +0 -0
  253. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/condition_requirements.py +0 -0
  254. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/config_loader.py +0 -0
  255. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/principal_requirements.py +0 -0
  256. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/sensitive_actions.py +0 -0
  257. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/service_principals.py +0 -0
  258. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/config/wildcards.py +0 -0
  259. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/constants.py +0 -0
  260. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/diff_parser.py +0 -0
  261. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/finding_fingerprint.py +0 -0
  262. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/__init__.py +0 -0
  263. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/base.py +0 -0
  264. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/console.py +0 -0
  265. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/csv.py +0 -0
  266. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/enhanced.py +0 -0
  267. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/html.py +0 -0
  268. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/json.py +0 -0
  269. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/markdown.py +0 -0
  270. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/formatters/sarif.py +0 -0
  271. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/ignore_patterns.py +0 -0
  272. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/ignore_processor.py +0 -0
  273. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/ignored_findings.py +0 -0
  274. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/label_manager.py +0 -0
  275. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/models.py +0 -0
  276. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/policy_checks.py +0 -0
  277. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/policy_loader.py +0 -0
  278. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/pr_commenter.py +0 -0
  279. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/core/report.py +0 -0
  280. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/integrations/__init__.py +0 -0
  281. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/integrations/github_integration.py +0 -0
  282. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/integrations/ms_teams.py +0 -0
  283. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/__init__.py +0 -0
  284. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/models.py +0 -0
  285. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/server.py +0 -0
  286. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/session_config.py +0 -0
  287. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/templates/__init__.py +0 -0
  288. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/templates/builtin.py +0 -0
  289. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/tools/__init__.py +0 -0
  290. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/tools/generation.py +0 -0
  291. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/tools/org_config_tools.py +0 -0
  292. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/tools/query.py +0 -0
  293. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/mcp/tools/validation.py +0 -0
  294. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/__init__.py +0 -0
  295. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/arn_matching.py +0 -0
  296. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/context.py +0 -0
  297. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/exceptions.py +0 -0
  298. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/helpers.py +0 -0
  299. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/policy_utils.py +0 -0
  300. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/query_utils.py +0 -0
  301. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/sdk/shortcuts.py +0 -0
  302. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/utils/__init__.py +0 -0
  303. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/utils/cache.py +0 -0
  304. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/utils/regex.py +0 -0
  305. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/iam_validator/utils/terminal.py +0 -0
  306. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/mkdocs.yml +0 -0
  307. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/pyproject.toml +0 -0
  308. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/README.md +0 -0
  309. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/__init__.py +0 -0
  310. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/__init__.py +0 -0
  311. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_action_validation_check.py +0 -0
  312. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_aws_global_conditions.py +0 -0
  313. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_condition_key_validation_check.py +0 -0
  314. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_custom_policy_checks.py +0 -0
  315. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_full_wildcard_check.py +0 -0
  316. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_policy_size_check.py +0 -0
  317. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_resource_validation_check.py +0 -0
  318. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_sensitive_action_filtering.py +0 -0
  319. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_sensitive_action_suggestions.py +0 -0
  320. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_sensitive_action_wildcard_expansion.py +0 -0
  321. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_service_principal_wildcard.py +0 -0
  322. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_service_wildcard_check.py +0 -0
  323. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_sid_uniqueness_check.py +0 -0
  324. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_wildcard_action_check.py +0 -0
  325. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/checks/test_wildcard_resource_check.py +0 -0
  326. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/commands/__init__.py +0 -0
  327. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/commands/test_completion_command.py +0 -0
  328. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/commands/test_query_command.py +0 -0
  329. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/config/__init__.py +0 -0
  330. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/config/test_config_loader.py +0 -0
  331. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/__init__.py +0 -0
  332. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_action_condition_enforcement.py +0 -0
  333. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_action_condition_enforcement_policy_level.py +0 -0
  334. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_action_resource_matching.py +0 -0
  335. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_aws_api_config.py +0 -0
  336. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_aws_fetcher_wildcards.py +0 -0
  337. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_check_id_in_comments.py +0 -0
  338. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_check_id_injection.py +0 -0
  339. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_check_registry.py +0 -0
  340. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_codeowners.py +0 -0
  341. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_comment_truncation.py +0 -0
  342. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_diff_parser.py +0 -0
  343. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_finding_fingerprint.py +0 -0
  344. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_ignore_patterns.py +0 -0
  345. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_ignored_findings.py +0 -0
  346. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_models.py +0 -0
  347. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_multipart_comments.py +0 -0
  348. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_policy_loader.py +0 -0
  349. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_policy_type_validation.py +0 -0
  350. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_pr_commenter_diff_filtering.py +0 -0
  351. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_regex_utils.py +0 -0
  352. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_set_operator_validation.py +0 -0
  353. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_trust_policy_detection.py +0 -0
  354. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_trust_policy_multiple_statements.py +0 -0
  355. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_trust_policy_oidc_aud_required.py +0 -0
  356. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/core/test_trust_policy_validation.py +0 -0
  357. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/integrations/__init__.py +0 -0
  358. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/integrations/test_comment_deduplication.py +0 -0
  359. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/integrations/test_github_pagination.py +0 -0
  360. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/integrations/test_label_manager.py +0 -0
  361. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/__init__.py +0 -0
  362. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/conftest.py +0 -0
  363. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_custom_instructions.py +0 -0
  364. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_generation_tools.py +0 -0
  365. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_org_config.py +0 -0
  366. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_query_tools.py +0 -0
  367. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_server_integration.py +0 -0
  368. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_templates.py +0 -0
  369. {iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/tests/mcp/test_validation_tools.py +0 -0
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/ci.yml RENAMED
@@ -18,7 +18,7 @@ jobs:
18
18
  runs-on: ubuntu-latest
19
19
  steps:
20
20
  - name: Checkout code
21
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
21
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
22
22
 
23
23
  - name: Set up Python
24
24
  uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -48,7 +48,7 @@ jobs:
48
48
  python-version: ["3.10", "3.11", "3.12", "3.13", "3.14"]
49
49
  steps:
50
50
  - name: Checkout code
51
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
51
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
52
52
 
53
53
  - name: Set up Python ${{ matrix.python-version }}
54
54
  uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -72,7 +72,7 @@ jobs:
72
72
  needs: [lint, test]
73
73
  steps:
74
74
  - name: Checkout code
75
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
75
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
76
76
 
77
77
  - name: Set up Python
78
78
  uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
@@ -96,7 +96,7 @@ jobs:
96
96
  needs: [lint, test]
97
97
  steps:
98
98
  - name: Checkout code
99
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
99
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
100
100
 
101
101
  - name: Set up Python
102
102
  uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/cleanup-prereleases.yml RENAMED
@@ -28,7 +28,7 @@ jobs:
28
28
 
29
29
  steps:
30
30
  - name: Checkout code
31
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
31
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
32
32
 
33
33
  - name: Cleanup old pre-releases
34
34
  env:
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/codeql.yml RENAMED
@@ -26,18 +26,18 @@ jobs:
26
26
 
27
27
  steps:
28
28
  - name: Checkout repository
29
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
29
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
30
30
 
31
31
  - name: Initialize CodeQL
32
- uses: github/codeql-action/init@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
32
+ uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
33
33
  with:
34
34
  languages: ${{ matrix.language }}
35
35
  queries: security-extended,security-and-quality
36
36
 
37
37
  - name: Autobuild
38
- uses: github/codeql-action/autobuild@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
38
+ uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
39
39
 
40
40
  - name: Perform CodeQL Analysis
41
- uses: github/codeql-action/analyze@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
41
+ uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
42
42
  with:
43
43
  category: "/language:${{matrix.language}}"
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/docs.yml RENAMED
@@ -36,7 +36,7 @@ jobs:
36
36
  steps:
37
37
  # actions/checkout v6.0.1
38
38
  - name: Checkout repository
39
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
39
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
40
40
  with:
41
41
  fetch-depth: 0 # Fetch all history for git info
42
42
 
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/pre-release.yml RENAMED
@@ -69,7 +69,7 @@ jobs:
69
69
  echo "✅ PR #${{ inputs.pr_number }}: $TITLE (branch: $BRANCH)"
70
70
 
71
71
  - name: Checkout PR branch
72
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
72
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
73
73
  with:
74
74
  ref: ${{ steps.pr_info.outputs.branch }}
75
75
  fetch-depth: 0
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/release.yml RENAMED
@@ -21,7 +21,7 @@ jobs:
21
21
 
22
22
  steps:
23
23
  - name: Checkout code
24
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
24
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
25
25
  with:
26
26
  fetch-depth: 0 # Full history for changelog generation
27
27
 
@@ -147,7 +147,7 @@ jobs:
147
147
 
148
148
  # steps:
149
149
  # - name: Checkout code
150
- # uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v5
150
+ # uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
151
151
 
152
152
  # - name: Configure Git
153
153
  # run: |
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/.github/workflows/scorecard.yml RENAMED
@@ -34,7 +34,7 @@ jobs:
34
34
 
35
35
  steps:
36
36
  - name: "Checkout code"
37
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
37
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
38
38
  with:
39
39
  persist-credentials: false
40
40
 
@@ -57,6 +57,6 @@ jobs:
57
57
  # Upload the results to GitHub's code scanning dashboard (optional).
58
58
  # Commenting out will disable upload of results to your repo's Code Scanning dashboard
59
59
  - name: "Upload to code-scanning"
60
- uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v4.31.10
60
+ uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
61
61
  with:
62
62
  sarif_file: results.sarif
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/CHANGELOG.md RENAMED
@@ -13,6 +13,52 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
13
13
 
14
14
  ---
15
15
 
16
+ ## [1.15.2] - 2025-01-26
17
+
18
+ ### Added
19
+
20
+ **Confused Deputy Protection**
21
+
22
+ - Service principal wildcard detection (`{"Service": "*"}`) - critical severity
23
+ - Detects dangerous patterns allowing any AWS service to access resources or assume roles
24
+ - Enabled by default via `block_service_principal_wildcard: true`
25
+ - Only checks `Principal` field (not `NotPrincipal`, which is an exclusion)
26
+ - New configuration options for `principal_validation`:
27
+ - `block_wildcard_principal` - strict mode to block `*` entirely (default: false)
28
+ - `block_service_principal_wildcard` - block `{"Service": "*"}` patterns (default: true)
29
+ - Improved handling of `Principal: "*"` with conditions for confused deputy prevention
30
+ - Default requires source verification (`aws:SourceArn`, `aws:SourceAccount`, `aws:SourceVpce`, or `aws:SourceIp`)
31
+
32
+ **Condition Type Validation Improvements**
33
+
34
+ - Enhanced ISO 8601 date validation with semantic checks:
35
+ - Validates month range (1-12)
36
+ - Validates day range based on month (1-28/29/30/31)
37
+ - Validates hour (0-23), minute (0-59), second (0-59)
38
+ - Leap year detection for February 29
39
+ - Timezone offset validation
40
+
41
+ ### Changed
42
+
43
+ - `principal_validation` default behavior now allows `*` with conditions
44
+ - Use `block_wildcard_principal: true` to restore strict blocking
45
+ - Duplicate findings avoided when service principal wildcard is detected
46
+
47
+ ---
48
+
49
+ ## [1.15.1] - 2025-01-24
50
+
51
+ ### Fixed
52
+
53
+ **Condition Key Validation for aws:RequestTag and aws:ResourceTag**
54
+
55
+ - `aws:RequestTag/${TagKey}` and `aws:ResourceTag/${TagKey}` now correctly validated as action/resource-specific condition keys (not global)
56
+ - These keys are only valid for actions that create/modify tagged resources (e.g., `iam:CreatePolicy`, `iam:CreateRole`)
57
+ - Invalid usage now flagged with descriptive error messages explaining the key is only for tagging operations
58
+ - Example: `iam:SetDefaultPolicyVersion` with `aws:RequestTag/owner` now correctly fails validation
59
+
60
+ ---
61
+
16
62
  ## [1.15.0] - 2025-01-22
17
63
 
18
64
  ### Added
@@ -353,11 +399,10 @@ This project follows [Semantic Versioning](https://semver.org/):
353
399
 
354
400
  ### Supported Versions
355
401
 
356
- | Version | Support Status |
357
- | ------- | ---------------------- |
358
- | 1.15.x | ✅ Active development |
359
- | 1.14.x | ⚠️ Critical fixes only |
360
- | < 1.14 | ❌ End of life |
402
+ | Version | Support Status |
403
+ | ------- | --------------------- |
404
+ | 1.15.x | ✅ Active development |
405
+ | < 1.15 | End of life |
361
406
 
362
407
  ### Deprecation Policy
363
408
 
@@ -404,7 +449,9 @@ iam-validator validate --policy-type RESOURCE_CONTROL_POLICY policies/
404
449
 
405
450
  ---
406
451
 
407
- [Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...HEAD
452
+ [Unreleased]: https://github.com/boogy/iam-policy-validator/compare/v1.15.2...HEAD
453
+ [1.15.2]: https://github.com/boogy/iam-policy-validator/compare/v1.15.1...v1.15.2
454
+ [1.15.1]: https://github.com/boogy/iam-policy-validator/compare/v1.15.0...v1.15.1
408
455
  [1.15.0]: https://github.com/boogy/iam-policy-validator/compare/v1.14.7...v1.15.0
409
456
  [1.14.7]: https://github.com/boogy/iam-policy-validator/compare/v1.14.6...v1.14.7
410
457
  [1.14.6]: https://github.com/boogy/iam-policy-validator/compare/v1.14.5...v1.14.6
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/PKG-INFO RENAMED
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: iam-policy-validator
3
- Version: 1.15.1
3
+ Version: 1.15.3
4
4
  Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
5
5
  Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
6
6
  Project-URL: Documentation, https://boogy.github.io/iam-policy-validator
@@ -99,8 +99,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
99
99
  {
100
100
  "Version": "2012-10-17",
101
101
  "Statement": [
102
- {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
103
- {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
102
+ {
103
+ "Effect": "Allow",
104
+ "Action": "s3:GetObjekt",
105
+ "Resource": "arn:aws:s3:::my-bucket/*"
106
+ },
107
+ {
108
+ "Effect": "Allow",
109
+ "Action": "iam:PassRole",
110
+ "Resource": "arn:aws:iam::123456789012:role/lambda-role"
111
+ }
104
112
  ]
105
113
  }
106
114
  ```
@@ -111,7 +119,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
111
119
  {
112
120
  "Version": "2012-10-17",
113
121
  "Statement": [
114
- {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
122
+ {
123
+ "Effect": "Allow",
124
+ "Action": "s3:GetObject",
125
+ "Resource": "arn:aws:s3:::my-bucket/*"
126
+ }
115
127
  ]
116
128
  }
117
129
  ```
@@ -122,7 +134,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
122
134
  {
123
135
  "Version": "2012-10-17",
124
136
  "Statement": [
125
- {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
137
+ {
138
+ "Effect": "Allow",
139
+ "Action": "lambda:InvokeFunction",
140
+ "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
141
+ }
126
142
  ]
127
143
  }
128
144
  ```
@@ -228,7 +244,8 @@ action_condition_enforcement:
228
244
  description: "Restrict which services can use passed roles"
229
245
 
230
246
  # Enforce IP restrictions for privileged actions (automation from CI/CD)
231
- - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
247
+ - actions:
248
+ ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
232
249
  required_conditions:
233
250
  - condition_key: "aws:SourceIp"
234
251
  expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -270,9 +287,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
270
287
  ```json
271
288
  {
272
289
  "Statement": [
273
- {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
274
- {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
275
- {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
290
+ {
291
+ "Sid": "AllowUserManagement",
292
+ "Action": "iam:CreateUser",
293
+ "Resource": "*"
294
+ },
295
+ { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
296
+ {
297
+ "Sid": "AllowPolicyAttachment",
298
+ "Action": "iam:AttachUserPolicy",
299
+ "Resource": "*"
300
+ }
276
301
  ]
277
302
  }
278
303
  ```
@@ -408,9 +433,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
408
433
  - uses: boogy/iam-policy-validator@v1
409
434
  with:
410
435
  path: policies/
411
- github-review: true # Inline PR comments
412
- github-summary: true # Actions summary tab
413
- fail-on-severity: high # Block merge on high/critical
436
+ github-review: true # Inline PR comments
437
+ github-summary: true # Actions summary tab
438
+ fail-on-severity: high # Block merge on high/critical
414
439
  ```
415
440
 
416
441
  ---
@@ -440,14 +465,14 @@ Validates against official AWS IAM requirements:
440
465
 
441
466
  Identifies overly permissive configurations:
442
467
 
443
- | Check | What It Catches |
444
- | ------------------------- | ------------------------------------------------------ |
445
- | **Wildcard Action** | `Action: "*"` grants all AWS permissions |
446
- | **Wildcard Resource** | `Resource: "*"` applies to all resources |
447
- | **Full Wildcard** | Both `Action: "*"` AND `Resource: "*"` (admin access) |
448
- | **Service Wildcards** | `s3:*`, `iam:*`, `ec2:*` (overly broad) |
468
+ | Check | What It Catches |
469
+ | ------------------------- | -------------------------------------------------------- |
470
+ | **Wildcard Action** | `Action: "*"` grants all AWS permissions |
471
+ | **Wildcard Resource** | `Resource: "*"` applies to all resources |
472
+ | **Full Wildcard** | Both `Action: "*"` AND `Resource: "*"` (admin access) |
473
+ | **Service Wildcards** | `s3:*`, `iam:*`, `ec2:*` (overly broad) |
449
474
  | **Sensitive Actions** | 490+ privilege escalation patterns and dangerous actions |
450
- | **Condition Enforcement** | Organization-specific condition requirements |
475
+ | **Condition Enforcement** | Organization-specific condition requirements |
451
476
 
452
477
  **Note on Sensitive Actions:** This check has two modes:
453
478
 
@@ -540,7 +565,7 @@ action_condition_enforcement:
540
565
  - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
541
566
  required_conditions:
542
567
  - condition_key: "aws:SourceIp"
543
- expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
568
+ expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
544
569
 
545
570
  # Ignore patterns
546
571
  ignore_patterns:
@@ -677,19 +702,19 @@ iam-validator analyze --path new-policy.json \
677
702
 
678
703
  ## Comparison Matrix
679
704
 
680
- | Feature | IAM Policy Validator | IAM Lens | IAMSpy | Policy Sentry |
681
- | ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
682
- | **Primary Purpose** | Pre-deployment validation | Runtime permission analysis | Permission enumeration | Least-privilege generation |
683
- | **Use Case** | CI/CD policy scanning | "What can this principal do?" | Pentesting/audit | Policy creation |
684
- | **Custom Security Rules** | ✅ Full support | ❌ No | ❌ No | ❌ No |
705
+ | Feature | IAM Policy Validator | IAM Lens | IAMSpy | Policy Sentry |
706
+ | ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
707
+ | **Primary Purpose** | Pre-deployment validation | Runtime permission analysis | Permission enumeration | Least-privilege generation |
708
+ | **Use Case** | CI/CD policy scanning | "What can this principal do?" | Pentesting/audit | Policy creation |
709
+ | **Custom Security Rules** | ✅ Full support | ❌ No | ❌ No | ❌ No |
685
710
  | **Cross-Statement Patterns** | ✅ Privilege escalation detection | N/A (different purpose) | N/A | N/A |
686
- | **Action-Resource Validation** | ✅ Catches incompatible pairs | N/A | ❌ No | ✅ Generates correct |
687
- | **Organization Conditions** | ✅ IP, tags, encryption, etc. | ❌ No | ❌ No | ❌ No |
688
- | **CI/CD Ready** | ✅ GitHub Actions native | ⚠️ Manual setup | ⚠️ Manual | ⚠️ Manual |
689
- | **PR Line Comments** | ✅ Diff-aware | ❌ No | ❌ No | ❌ No |
690
- | **AWS Service Data** | ✅ Official API (auto-update) | ✅ Real AWS account data | ⚠️ Static | ✅ Official API |
691
- | **Offline Mode** | ✅ Yes | ❌ Needs AWS account | ✅ Yes | ❌ Needs internet |
692
- | **Query Permissions** | ✅ Yes | ✅ Yes (different approach) | ⚠️ Enumerate only | ✅ Excellent |
711
+ | **Action-Resource Validation** | ✅ Catches incompatible pairs | N/A | ❌ No | ✅ Generates correct |
712
+ | **Organization Conditions** | ✅ IP, tags, encryption, etc. | ❌ No | ❌ No | ❌ No |
713
+ | **CI/CD Ready** | ✅ GitHub Actions native | ⚠️ Manual setup | ⚠️ Manual | ⚠️ Manual |
714
+ | **PR Line Comments** | ✅ Diff-aware | ❌ No | ❌ No | ❌ No |
715
+ | **AWS Service Data** | ✅ Official API (auto-update) | ✅ Real AWS account data | ⚠️ Static | ✅ Official API |
716
+ | **Offline Mode** | ✅ Yes | ❌ Needs AWS account | ✅ Yes | ❌ Needs internet |
717
+ | **Query Permissions** | ✅ Yes | ✅ Yes (different approach) | ⚠️ Enumerate only | ✅ Excellent |
693
718
 
694
719
  **Choose this tool if you:**
695
720
 
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/README.md RENAMED
@@ -47,8 +47,16 @@ iam-validator validate --path examples/quick-start/ --format enhanced
47
47
  {
48
48
  "Version": "2012-10-17",
49
49
  "Statement": [
50
- {"Effect": "Allow", "Action": "s3:GetObjekt", "Resource": "arn:aws:s3:::my-bucket/*"},
51
- {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/lambda-role"}
50
+ {
51
+ "Effect": "Allow",
52
+ "Action": "s3:GetObjekt",
53
+ "Resource": "arn:aws:s3:::my-bucket/*"
54
+ },
55
+ {
56
+ "Effect": "Allow",
57
+ "Action": "iam:PassRole",
58
+ "Resource": "arn:aws:iam::123456789012:role/lambda-role"
59
+ }
52
60
  ]
53
61
  }
54
62
  ```
@@ -59,7 +67,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
59
67
  {
60
68
  "Version": "2012-10-17",
61
69
  "Statement": [
62
- {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}
70
+ {
71
+ "Effect": "Allow",
72
+ "Action": "s3:GetObject",
73
+ "Resource": "arn:aws:s3:::my-bucket/*"
74
+ }
63
75
  ]
64
76
  }
65
77
  ```
@@ -70,7 +82,11 @@ iam-validator validate --path examples/quick-start/ --format enhanced
70
82
  {
71
83
  "Version": "2012-10-17",
72
84
  "Statement": [
73
- {"Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"}
85
+ {
86
+ "Effect": "Allow",
87
+ "Action": "lambda:InvokeFunction",
88
+ "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-function"
89
+ }
74
90
  ]
75
91
  }
76
92
  ```
@@ -176,7 +192,8 @@ action_condition_enforcement:
176
192
  description: "Restrict which services can use passed roles"
177
193
 
178
194
  # Enforce IP restrictions for privileged actions (automation from CI/CD)
179
- - actions: ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
195
+ - actions:
196
+ ["iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey"]
180
197
  required_conditions:
181
198
  - condition_key: "aws:SourceIp"
182
199
  expected_value: ["10.0.0.0/8", "172.16.0.0/12"]
@@ -218,9 +235,17 @@ Privilege escalation often occurs when multiple actions are scattered across dif
218
235
  ```json
219
236
  {
220
237
  "Statement": [
221
- {"Sid": "AllowUserManagement", "Action": "iam:CreateUser", "Resource": "*"},
222
- {"Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*"},
223
- {"Sid": "AllowPolicyAttachment", "Action": "iam:AttachUserPolicy", "Resource": "*"}
238
+ {
239
+ "Sid": "AllowUserManagement",
240
+ "Action": "iam:CreateUser",
241
+ "Resource": "*"
242
+ },
243
+ { "Sid": "AllowS3Read", "Action": "s3:GetObject", "Resource": "*" },
244
+ {
245
+ "Sid": "AllowPolicyAttachment",
246
+ "Action": "iam:AttachUserPolicy",
247
+ "Resource": "*"
248
+ }
224
249
  ]
225
250
  }
226
251
  ```
@@ -356,9 +381,9 @@ iam-validator validate --path policies/ --aws-services-dir ./aws-services
356
381
  - uses: boogy/iam-policy-validator@v1
357
382
  with:
358
383
  path: policies/
359
- github-review: true # Inline PR comments
360
- github-summary: true # Actions summary tab
361
- fail-on-severity: high # Block merge on high/critical
384
+ github-review: true # Inline PR comments
385
+ github-summary: true # Actions summary tab
386
+ fail-on-severity: high # Block merge on high/critical
362
387
  ```
363
388
 
364
389
  ---
@@ -388,14 +413,14 @@ Validates against official AWS IAM requirements:
388
413
 
389
414
  Identifies overly permissive configurations:
390
415
 
391
- | Check | What It Catches |
392
- | ------------------------- | ------------------------------------------------------ |
393
- | **Wildcard Action** | `Action: "*"` grants all AWS permissions |
394
- | **Wildcard Resource** | `Resource: "*"` applies to all resources |
395
- | **Full Wildcard** | Both `Action: "*"` AND `Resource: "*"` (admin access) |
396
- | **Service Wildcards** | `s3:*`, `iam:*`, `ec2:*` (overly broad) |
416
+ | Check | What It Catches |
417
+ | ------------------------- | -------------------------------------------------------- |
418
+ | **Wildcard Action** | `Action: "*"` grants all AWS permissions |
419
+ | **Wildcard Resource** | `Resource: "*"` applies to all resources |
420
+ | **Full Wildcard** | Both `Action: "*"` AND `Resource: "*"` (admin access) |
421
+ | **Service Wildcards** | `s3:*`, `iam:*`, `ec2:*` (overly broad) |
397
422
  | **Sensitive Actions** | 490+ privilege escalation patterns and dangerous actions |
398
- | **Condition Enforcement** | Organization-specific condition requirements |
423
+ | **Condition Enforcement** | Organization-specific condition requirements |
399
424
 
400
425
  **Note on Sensitive Actions:** This check has two modes:
401
426
 
@@ -488,7 +513,7 @@ action_condition_enforcement:
488
513
  - actions: ["iam:CreateUser", "iam:DeleteUser", "iam:CreateAccessKey"]
489
514
  required_conditions:
490
515
  - condition_key: "aws:SourceIp"
491
- expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
516
+ expected_value: ["10.0.0.0/8", "52.94.76.0/24"] # Corporate + GitHub Actions
492
517
 
493
518
  # Ignore patterns
494
519
  ignore_patterns:
@@ -625,19 +650,19 @@ iam-validator analyze --path new-policy.json \
625
650
 
626
651
  ## Comparison Matrix
627
652
 
628
- | Feature | IAM Policy Validator | IAM Lens | IAMSpy | Policy Sentry |
629
- | ------------------------------ | -------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
630
- | **Primary Purpose** | Pre-deployment validation | Runtime permission analysis | Permission enumeration | Least-privilege generation |
631
- | **Use Case** | CI/CD policy scanning | "What can this principal do?" | Pentesting/audit | Policy creation |
632
- | **Custom Security Rules** | ✅ Full support | ❌ No | ❌ No | ❌ No |
653
+ | Feature | IAM Policy Validator | IAM Lens | IAMSpy | Policy Sentry |
654
+ | ------------------------------ | --------------------------------- | ----------------------------- | ---------------------- | -------------------------- |
655
+ | **Primary Purpose** | Pre-deployment validation | Runtime permission analysis | Permission enumeration | Least-privilege generation |
656
+ | **Use Case** | CI/CD policy scanning | "What can this principal do?" | Pentesting/audit | Policy creation |
657
+ | **Custom Security Rules** | ✅ Full support | ❌ No | ❌ No | ❌ No |
633
658
  | **Cross-Statement Patterns** | ✅ Privilege escalation detection | N/A (different purpose) | N/A | N/A |
634
- | **Action-Resource Validation** | ✅ Catches incompatible pairs | N/A | ❌ No | ✅ Generates correct |
635
- | **Organization Conditions** | ✅ IP, tags, encryption, etc. | ❌ No | ❌ No | ❌ No |
636
- | **CI/CD Ready** | ✅ GitHub Actions native | ⚠️ Manual setup | ⚠️ Manual | ⚠️ Manual |
637
- | **PR Line Comments** | ✅ Diff-aware | ❌ No | ❌ No | ❌ No |
638
- | **AWS Service Data** | ✅ Official API (auto-update) | ✅ Real AWS account data | ⚠️ Static | ✅ Official API |
639
- | **Offline Mode** | ✅ Yes | ❌ Needs AWS account | ✅ Yes | ❌ Needs internet |
640
- | **Query Permissions** | ✅ Yes | ✅ Yes (different approach) | ⚠️ Enumerate only | ✅ Excellent |
659
+ | **Action-Resource Validation** | ✅ Catches incompatible pairs | N/A | ❌ No | ✅ Generates correct |
660
+ | **Organization Conditions** | ✅ IP, tags, encryption, etc. | ❌ No | ❌ No | ❌ No |
661
+ | **CI/CD Ready** | ✅ GitHub Actions native | ⚠️ Manual setup | ⚠️ Manual | ⚠️ Manual |
662
+ | **PR Line Comments** | ✅ Diff-aware | ❌ No | ❌ No | ❌ No |
663
+ | **AWS Service Data** | ✅ Official API (auto-update) | ✅ Real AWS account data | ⚠️ Static | ✅ Official API |
664
+ | **Offline Mode** | ✅ Yes | ❌ Needs AWS account | ✅ Yes | ❌ Needs internet |
665
+ | **Query Permissions** | ✅ Yes | ✅ Yes (different approach) | ⚠️ Enumerate only | ✅ Excellent |
641
666
 
642
667
  **Choose this tool if you:**
643
668
 
{iam_policy_validator-1.15.1 → iam_policy_validator-1.15.3}/SECURITY.md RENAMED
@@ -15,6 +15,7 @@ We appreciate responsible disclosure of security vulnerabilities. If you discove
15
15
  Instead, please report security issues via one of these methods:
16
16
 
17
17
  1. **GitHub Security Advisories** (Preferred)
18
+
18
19
  - Go to the [Security Advisories page](https://github.com/boogy/iam-policy-validator/security/advisories)
19
20
  - Click "Report a vulnerability"
20
21
  - Provide detailed information about the vulnerability
@@ -205,9 +206,9 @@ Configure minimal permissions for GitHub Actions:
205
206
 
206
207
  ```yaml
207
208
  permissions:
208
- contents: read # Required: Read repository content
209
- pull-requests: write # Required: Post PR comments
210
- id-token: write # Required only for AWS OIDC authentication
209
+ contents: read # Required: Read repository content
210
+ pull-requests: write # Required: Post PR comments
211
+ id-token: write # Required only for AWS OIDC authentication
211
212
  ```
212
213
 
213
214
  ## Contact