iam-policy-validator 1.15.6__py3-none-any.whl → 1.16.0__py3-none-any.whl

{iam_policy_validator-1.15.6.dist-info → iam_policy_validator-1.16.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.15.6
+Version: 1.16.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://boogy.github.io/iam-policy-validator

{iam_policy_validator-1.15.6.dist-info → iam_policy_validator-1.16.0.dist-info}/RECORD

@@ -1,13 +1,14 @@
 iam_validator/__init__.py,sha256=xHdUASOxFHwEXfT_GSr_KrkLlnxZ-pAAr1wW1PwAGko,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=_zbpv8wihIbUczA9xAQt_-gaNhrentJoXTwb82r2Muk,374
-iam_validator/checks/__init__.py,sha256=wFU5Lz-ZIQBcn2y1u0Kl88B--vEO3btOOaTGPPSjJ74,2106
+iam_validator/__version__.py,sha256=SNgWrnwHrJ7-BbIPlpeXBPHcfB0-l1X47rnMf2CYA6I,374
+iam_validator/checks/__init__.py,sha256=ybmPohOLXWUpPULY1b_DY0ZfazA4YzB9xRJGjUvsK3c,2217
 iam_validator/checks/action_condition_enforcement.py,sha256=2-XUMbof9tQ7SHZNmAHMkR1DgbOIzY2eFWlp9S9dwLk,60625
 iam_validator/checks/action_resource_matching.py,sha256=qND0hfDgNoxFEdLWwrxOPVDfdj3k50nzedT2qF7nK7o,19428
 iam_validator/checks/action_validation.py,sha256=gy9_mujYbojBboLk0WwuJYJjggrY2sRwHAFvJnoLTYE,4823
-iam_validator/checks/condition_key_validation.py,sha256=5i8LqqV78SjWK6pLrbttWmeMAD4pDC12_FjTjx5dFSU,4024
-iam_validator/checks/condition_type_mismatch.py,sha256=KJp7zQHDd8VeTcfjcD-ur3S4070cXEDTWkFtxfp7CuE,10652
+iam_validator/checks/condition_key_validation.py,sha256=X0fVQ_6ZZgyUmaT87m0aMusk-gb98rnh3UFeVhfKXH8,5714
+iam_validator/checks/condition_type_mismatch.py,sha256=KmlFHOHenmFAPacJjxq4jd-H8kibvkw_Wh_aoNPUNuI,11635
 iam_validator/checks/full_wildcard.py,sha256=0TkkHtV0MZ6nZtJRtGdn3wwOMM96TRyGO7l7mmdHNUo,2325
+iam_validator/checks/ifexists_condition_check.py,sha256=9Q32bA0sy2sQxMZQee4l_DMLzQ5zjyJWjOb7Fm60K-E,11166
 iam_validator/checks/mfa_condition_check.py,sha256=EYOzESzsZVlxW9Pp6hSqPZkH0UT1h21SoZibBX7k_OU,7705
 iam_validator/checks/not_action_not_resource.py,sha256=18wB1NKaCj4X7o8xcTLmtFjsXFJLXTukzp1FhZzvMa8,9779
 iam_validator/checks/policy_size.py,sha256=eJd36Nj4gqWLIkQ5imhHR1hGtQ6T-iJsC22Wd1VSUf0,4681
@@ -17,7 +18,7 @@ iam_validator/checks/principal_validation.py,sha256=oXSooVQIgUfbTRulgpiLACSJ2LZX
 iam_validator/checks/resource_validation.py,sha256=k7qHIwX7IDf4MCWIvl9G17aINzTuZLOHDHRWrujbCaM,7787
 iam_validator/checks/sensitive_action.py,sha256=LHicl6dd5E1JV19cLKvFAMGzLzYr5h_Y7QvS8s57kvA,18952
 iam_validator/checks/service_wildcard.py,sha256=1epcET5oDclAmzxhtmQfKBg3Q5Rl4VXBMoZouxCJLpM,4114
-iam_validator/checks/set_operator_validation.py,sha256=GMZ1OWqySptYWV7565-K4R5ODs1eYgWXDozwtU-3sgY,7422
+iam_validator/checks/set_operator_validation.py,sha256=lV6y4PZ_qaRePfIezEoSf21oHAAPLsEdJD3aD8f6T6o,8285
 iam_validator/checks/sid_uniqueness.py,sha256=MPQwALBjcvbY4Q55mpxDrGMqmVCMb13YSg621YbQYF8,6048
 iam_validator/checks/trust_policy_validation.py,sha256=r3fM2hU7W0yCFS6hbd4ZSlD8y2tm0zk99mUVlIt0LsI,17956
 iam_validator/checks/wildcard_action.py,sha256=VhWezb1JXmFnwV9WKgVu-48ythScGfZasg8fFd6tAG4,2001
@@ -41,10 +42,10 @@ iam_validator/core/__init__.py,sha256=hYXkSbxplKzhM6dqrVzV4M3k7GKLsZbgExypxKq74g
 iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
 iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
 iam_validator/core/aws_fetcher.py,sha256=op93QvtGmeLF9dHobl2IuoPDeunn33pBLb8h7XjtmoQ,920
-iam_validator/core/check_registry.py,sha256=cRvFko_cTrip94VgVqwkxgrjR6oz3JfSiwertESicRc,28567
+iam_validator/core/check_registry.py,sha256=iSFly0rloQ71NW-2dbmTx1gaAXwsmKwkZ_3GNdnwTfA,28655
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/codeowners.py,sha256=dfRjYTpcTVmc-h95i4EoPXCXlcblD8yryeJBaTKQfjM,7530
-iam_validator/core/condition_validators.py,sha256=5IdCZG0w8qQL37_wYv8TPQD3rIsmrB-845Ff4N-WXDU,27357
+iam_validator/core/condition_validators.py,sha256=E7TJ46LJ1NDCDG061mtEiJJZF23_E3GdnhBdIjK1Gt0,30631
 iam_validator/core/constants.py,sha256=O80dQ6AtgsCJPempRtNlKaSIVE61rg6YDPV5vgaSnAY,7771
 iam_validator/core/diff_parser.py,sha256=5Jxa6WvQZtG5grblZeUH2OQ2R46tFLK-h8tvkHOSfLk,12110
 iam_validator/core/finding_fingerprint.py,sha256=NJIlu8NhdenWbLS7ww8LyWFasJgpKWN63-DprrNW7Zs,4353
@@ -112,8 +113,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.15.6.dist-info/METADATA,sha256=ZsiFbCsDyA49o1Xxj1Bsn2dxd-wGqYI5t6QBAkT49HA,34939
-iam_policy_validator-1.15.6.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-iam_policy_validator-1.15.6.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
-iam_policy_validator-1.15.6.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.15.6.dist-info/RECORD,,
+iam_policy_validator-1.16.0.dist-info/METADATA,sha256=AgKsjkJqDBzL6zzDJeetMwSQIowHGPAYgCHHhJqVA9s,34939
+iam_policy_validator-1.16.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+iam_policy_validator-1.16.0.dist-info/entry_points.txt,sha256=VXAcx1evo9fuxX0Gtj3J2HnzWcBHSXugiZwBtQ1BXE0,162
+iam_policy_validator-1.16.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.16.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.15.6"
+__version__ = "1.16.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-", maxsplit=1)[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/__init__.py

@@ -10,6 +10,7 @@ from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
 from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
+from iam_validator.checks.ifexists_condition_check import IfExistsConditionCheck
 from iam_validator.checks.mfa_condition_check import MFAConditionCheck
 from iam_validator.checks.not_action_not_resource import NotActionNotResourceCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
@@ -31,6 +32,7 @@ __all__ = [
     "ConditionKeyValidationCheck",
     "ConditionTypeMismatchCheck",
     "FullWildcardCheck",
+    "IfExistsConditionCheck",
     "MFAConditionCheck",
     "NotActionNotResourceCheck",
     "PolicySizeCheck",

iam_validator/checks/condition_key_validation.py

@@ -4,6 +4,7 @@ from typing import ClassVar
 
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.condition_validators import has_if_exists_suffix
 from iam_validator.core.models import Statement, ValidationIssue
 
 
@@ -37,8 +38,14 @@ class ConditionKeyValidationCheck(PolicyCheck):
         resources = statement.get_resources()
 
         # Extract all condition keys from all condition operators
-        for _, conditions in statement.condition.items():
+        for operator, conditions in statement.condition.items():
+            operator_has_ifexists = has_if_exists_suffix(operator)
+
             for condition_key in conditions.keys():
+                key_valid_for_any_action = False
+                key_invalid_actions: list[tuple] = []
+                first_warning_result = None
+
                 # Validate this condition key against each action in the statement
                 for action in actions:
                     # Skip wildcard actions
@@ -48,41 +55,71 @@ class ConditionKeyValidationCheck(PolicyCheck):
                     # Validate against action and resource types
                     result = await fetcher.validate_condition_key(action, condition_key, resources)
 
-                    if not result.is_valid:
-                        issues.append(
-                            ValidationIssue(
-                                severity=self.get_severity(config),
-                                statement_sid=statement_sid,
-                                statement_index=statement_idx,
-                                issue_type="invalid_condition_key",
-                                message=result.error_message
-                                or f"Invalid condition key: `{condition_key}`",
-                                action=action,
-                                condition_key=condition_key,
-                                line_number=line_number,
-                                suggestion=result.suggestion,
-                                field_name="condition",
-                            )
-                        )
-                        # Only report once per condition key (not per action)
-                        break
-                    elif result.warning_message and warn_on_global_keys:
-                        # Add warning for global condition keys with action-specific keys
-                        # Only if warn_on_global_condition_keys is enabled
+                    if result.is_valid:
+                        key_valid_for_any_action = True
+                        if result.warning_message and first_warning_result is None:
+                            first_warning_result = (action, result)
+                    else:
+                        key_invalid_actions.append((action, result))
+
+                # If IfExists is used and the key is valid for at least one action,
+                # suppress errors for actions that don't support it.
+                # Warnings (global key usage) are still reported.
+                if operator_has_ifexists and key_valid_for_any_action:
+                    if first_warning_result and warn_on_global_keys:
+                        action, result = first_warning_result
+                        warning_msg = result.warning_message or ""
                         issues.append(
                             ValidationIssue(
                                 severity="warning",
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="global_condition_key_with_action_specific",
-                                message=result.warning_message,
+                                message=warning_msg,
                                 action=action,
                                 condition_key=condition_key,
                                 line_number=line_number,
                                 field_name="condition",
                             )
                         )
-                        # Only report once per condition key (not per action)
-                        break
+                    continue  # Skip error reporting
+
+                # Report errors (first invalid action)
+                if key_invalid_actions:
+                    action, result = key_invalid_actions[0]
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="invalid_condition_key",
+                            message=result.error_message
+                            or f"Invalid condition key: `{condition_key}`",
+                            action=action,
+                            condition_key=condition_key,
+                            line_number=line_number,
+                            suggestion=result.suggestion,
+                            field_name="condition",
+                        )
+                    )
+                    continue
+
+                # Report warnings for valid keys (no IfExists suppression path)
+                if first_warning_result and warn_on_global_keys:
+                    action, result = first_warning_result
+                    warning_msg = result.warning_message or ""
+                    issues.append(
+                        ValidationIssue(
+                            severity="warning",
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="global_condition_key_with_action_specific",
+                            message=warning_msg,
+                            action=action,
+                            condition_key=condition_key,
+                            line_number=line_number,
+                            field_name="condition",
+                        )
+                    )
 
         return issues

iam_validator/checks/condition_type_mismatch.py

@@ -8,6 +8,7 @@ from typing import ClassVar
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
+    has_if_exists_suffix,
     normalize_operator,
     translate_type,
     validate_value_for_type,
@@ -71,6 +72,25 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                 # Unknown operator - this will be caught by another check
                 continue
 
+            # Detect NullIfExists as invalid syntax (must be BEFORE skip_operators guard)
+            if base_operator == "Null" and has_if_exists_suffix(operator):
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        message=(
+                            f"Invalid operator `{operator}`. The `Null` condition operator "
+                            f"does not support the `IfExists` suffix. The `Null` operator "
+                            f"already checks for key existence \u2014 use `Null` directly."
+                        ),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_operator",
+                        line_number=line_number,
+                        field_name="condition",
+                    )
+                )
+                continue
+
             if base_operator in skip_operators:
                 continue
 

iam_validator/checks/ifexists_condition_check.py

@@ -0,0 +1,210 @@
+"""IfExists Condition Usage Check.
+
+Validates proper usage of the IfExists suffix on IAM condition operators.
+
+Detects:
+- IfExists on security-sensitive keys in Allow statements (may bypass controls)
+- Non-negated IfExists in Deny statements (weakens the Deny)
+- IfExists on always-present keys (redundant)
+- Suggests IfExists for negated operators in Deny without it
+"""
+
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.condition_validators import (
+    ALWAYS_PRESENT_CONDITION_KEYS,
+    SECURITY_SENSITIVE_CONDITION_KEYS,
+    has_if_exists_suffix,
+    is_negated_operator,
+    normalize_operator,
+)
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class IfExistsConditionCheck(PolicyCheck):
+    """Check for improper or risky usage of IfExists condition operators."""
+
+    check_id: ClassVar[str] = "ifexists_condition_usage"
+    description: ClassVar[str] = "Validates proper usage of IfExists suffix on condition operators"
+    default_severity: ClassVar[str] = "warning"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute IfExists condition usage checks."""
+        issues: list[ValidationIssue] = []
+
+        if not statement.condition:
+            return issues
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+        effect = statement.effect
+
+        # Config options
+        warn_security_sensitive_allow = config.config.get("warn_security_sensitive_allow", True)
+        suggest_deny_ifexists = config.config.get("suggest_deny_ifexists", False)
+        warn_always_present_keys = config.config.get("warn_always_present_keys", True)
+        additional_security_keys = config.config.get("additional_security_sensitive_keys", [])
+
+        # Build the full set of security-sensitive keys
+        security_keys = SECURITY_SENSITIVE_CONDITION_KEYS | frozenset(additional_security_keys)
+
+        # Collect Null-checked keys for suppression
+        null_checked_keys: set[str] = set()
+        for op, conds in statement.condition.items():
+            base_op, _, _ = normalize_operator(op)
+            if base_op == "Null":
+                for key, value in conds.items():
+                    # Only suppress if Null checks for key presence (value = "false")
+                    values = value if isinstance(value, list) else [value]
+                    if any(str(v).lower() == "false" for v in values):
+                        null_checked_keys.add(key)
+
+        for operator, conditions in statement.condition.items():
+            has_ifexists = has_if_exists_suffix(operator)
+            is_negated = is_negated_operator(operator)
+            base_op, _, _ = normalize_operator(operator)
+
+            for condition_key in conditions:
+                # Normalize condition key for case-insensitive comparison
+                key_lower = condition_key.lower()
+
+                # Skip MFA key - handled by mfa_condition_antipattern check
+                if key_lower == "aws:multifactorauthpresent":
+                    continue
+
+                if has_ifexists:
+                    # IfExists on always-present keys is redundant
+                    if warn_always_present_keys:
+                        always_present_match = any(
+                            k.lower() == key_lower for k in ALWAYS_PRESENT_CONDITION_KEYS
+                        )
+                        if always_present_match:
+                            # Reconstruct the operator without IfExists for the message
+                            raw_base = operator
+                            if ":" in operator:
+                                parts = operator.split(":", 1)
+                                if parts[0] in ("ForAllValues", "ForAnyValue"):
+                                    raw_base = parts[1]
+                            base_without_ifexists = (
+                                raw_base[:-8] if raw_base.endswith("IfExists") else raw_base
+                            )
+                            if ":" in operator:
+                                parts = operator.split(":", 1)
+                                if parts[0] in ("ForAllValues", "ForAnyValue"):
+                                    base_without_ifexists = f"{parts[0]}:{base_without_ifexists}"
+
+                            issues.append(
+                                ValidationIssue(
+                                    severity="info",
+                                    message=(
+                                        f"Redundant `IfExists`: The condition key "
+                                        f"`{condition_key}` is always present in the "
+                                        f"request context. Using `{operator}` has the "
+                                        f"same effect as `{base_without_ifexists}` for "
+                                        f"this key."
+                                    ),
+                                    statement_sid=statement_sid,
+                                    statement_index=statement_idx,
+                                    issue_type="ifexists_on_always_present_key",
+                                    condition_key=condition_key,
+                                    line_number=line_number,
+                                    field_name="condition",
+                                )
+                            )
+
+                    # Check if key is security-sensitive (case-insensitive)
+                    is_security_key = any(k.lower() == key_lower for k in security_keys)
+
+                    if effect == "Allow" and warn_security_sensitive_allow:
+                        # IfExists on security-sensitive keys in Allow may bypass controls
+                        if is_security_key:
+                            # Check for complementary Null check
+                            if condition_key not in null_checked_keys:
+                                issues.append(
+                                    ValidationIssue(
+                                        severity=self.get_severity(config),
+                                        message=(
+                                            f"Security control may be bypassed: "
+                                            f"`{operator}` with `{condition_key}` in "
+                                            f"an Allow statement means the restriction "
+                                            f"is not enforced when the key is missing "
+                                            f"from the request context. Not all API "
+                                            f"calls include `{condition_key}` (e.g., "
+                                            f"calls made by AWS services on your "
+                                            f"behalf). Consider using the operator "
+                                            f"without `IfExists` or adding a `Null` "
+                                            f"condition check."
+                                        ),
+                                        statement_sid=statement_sid,
+                                        statement_index=statement_idx,
+                                        issue_type="ifexists_weakens_security_condition",
+                                        condition_key=condition_key,
+                                        line_number=line_number,
+                                        field_name="condition",
+                                    )
+                                )
+
+                    elif effect == "Deny":
+                        # Non-negated IfExists in Deny weakens the restriction
+                        if not is_negated and is_security_key:
+                            if condition_key not in null_checked_keys:
+                                issues.append(
+                                    ValidationIssue(
+                                        severity=self.get_severity(config),
+                                        message=(
+                                            f"Weakened Deny: `{operator}` with "
+                                            f"`{condition_key}` in a Deny statement "
+                                            f"means the Deny does not apply when "
+                                            f"`{condition_key}` is missing from the "
+                                            f"request context. Consider removing "
+                                            f"`IfExists` or adding a `Null` condition "
+                                            f"check."
+                                        ),
+                                        statement_sid=statement_sid,
+                                        statement_index=statement_idx,
+                                        issue_type="ifexists_weakens_deny",
+                                        condition_key=condition_key,
+                                        line_number=line_number,
+                                        field_name="condition",
+                                    )
+                                )
+
+                elif not has_ifexists and effect == "Deny" and suggest_deny_ifexists:
+                    # Suggest IfExists for negated operator in Deny without it
+                    if is_negated:
+                        # Only suggest for keys that may be absent
+                        is_always_present = any(
+                            k.lower() == key_lower for k in ALWAYS_PRESENT_CONDITION_KEYS
+                        )
+                        is_security_key = any(k.lower() == key_lower for k in security_keys)
+                        if not is_always_present and is_security_key:
+                            issues.append(
+                                ValidationIssue(
+                                    severity="info",
+                                    message=(
+                                        f"Consider using `{base_op}IfExists` instead "
+                                        f"of `{base_op}` in this Deny statement. "
+                                        f"Without `IfExists`, the Deny does not apply "
+                                        f"when `{condition_key}` is missing from the "
+                                        f"request context. With `{base_op}IfExists`, "
+                                        f"the Deny still applies even when the key is "
+                                        f"absent."
+                                    ),
+                                    statement_sid=statement_sid,
+                                    statement_index=statement_idx,
+                                    issue_type="ifexists_deny_suggestion",
+                                    condition_key=condition_key,
+                                    line_number=line_number,
+                                    field_name="condition",
+                                )
+                            )
+
+        return issues

iam_validator/checks/set_operator_validation.py

@@ -11,6 +11,7 @@ from typing import ClassVar
 from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
+    has_if_exists_suffix,
     is_multivalued_context_key,
     normalize_operator,
 )
@@ -81,6 +82,7 @@ class SetOperatorValidationCheck(PolicyCheck):
         # Second pass: Validate set operator usage
         for operator, conditions in statement.condition.items():
             base_operator, _operator_type, set_prefix = normalize_operator(operator)
+            has_ifexists = has_if_exists_suffix(operator)
 
             if not set_prefix:
                 continue
@@ -110,15 +112,27 @@ class SetOperatorValidationCheck(PolicyCheck):
                 # Issue 2: ForAllValues with Allow effect without Null check (security risk)
                 if set_prefix == "ForAllValues" and effect == "Allow":
                     if condition_key not in null_checked_keys:
+                        if has_ifexists:
+                            message = (
+                                f"Compounded security risk: `{operator}` with `Allow` effect "
+                                f"on `{condition_key}` is doubly permissive. `ForAllValues` "
+                                f"passes when the value set is empty, and `IfExists` passes "
+                                f"when the key is missing entirely. Both mechanisms "
+                                f"independently allow access without matching any values. "
+                                f'Add: `"Null": {{"{condition_key}": "false"}}` and consider '
+                                f"removing `IfExists`."
+                            )
+                        else:
+                            message = (
+                                f"Security risk: `ForAllValues` with `Allow` effect on `{condition_key}` "
+                                f"should include a `Null` condition check. Without it, requests with missing "
+                                f'`{condition_key}` will be granted access. Add: `"Null": {{"{condition_key}": "false"}}`. '
+                                f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                            )
                         issues.append(
                             ValidationIssue(
                                 severity="warning",
-                                message=(
-                                    f"Security risk: `ForAllValues` with `Allow` effect on `{condition_key}` "
-                                    f"should include a `Null` condition check. Without it, requests with missing "
-                                    f'`{condition_key}` will be granted access. Add: `"Null": {{"{condition_key}": "false"}}`. '
-                                    f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
-                                ),
+                                message=message,
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="forallvalues_allow_without_null_check",

iam_validator/core/check_registry.py

@@ -706,6 +706,7 @@ def create_default_registry(
         # 3. TYPE VALIDATION (Condition operator type checking)
         registry.register(checks.ConditionTypeMismatchCheck())  # Operator-value type compatibility
         registry.register(checks.SetOperatorValidationCheck())  # ForAllValues/ForAnyValue usage
+        registry.register(checks.IfExistsConditionCheck())  # IfExists usage validation
 
         # 4. RESOURCE MATCHING (Action-resource relationship validation)
         registry.register(

iam_validator/core/condition_validators.py

@@ -3,7 +3,8 @@ Condition Key and Value Validators.
 
 This module provides validators for IAM policy condition operators, keys, and values.
 Based on AWS IAM Policy Elements Reference:
-https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
 
 Supports:
 - All standard IAM condition operators (String, Numeric, Date, Bool, Binary, IP, ARN)
@@ -69,6 +70,49 @@ CONDITION_OPERATORS = {
 # Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html
 SET_OPERATOR_PREFIXES = ["ForAllValues", "ForAnyValue"]
 
+# Condition keys that are sometimes absent from the request context AND are
+# security-sensitive. Using IfExists with these keys in Allow statements can
+# bypass security controls when the key is missing.
+# Note: aws:MultiFactorAuthPresent is excluded — handled by mfa_condition_antipattern check.
+# Note: Always-present keys are in ALWAYS_PRESENT_CONDITION_KEYS.
+# Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
+SECURITY_SENSITIVE_CONDITION_KEYS = frozenset(
+    {
+        "aws:SourceIp",  # Absent when requester uses VPC endpoint
+        "aws:VpcSourceIp",  # Related to VPC context
+        "aws:SourceVpc",  # Only present with VPC endpoint
+        "aws:SourceVpce",  # Only present with VPC endpoint
+        "aws:SourceArn",  # Only for direct service principal calls
+        "aws:SourceAccount",  # Only for direct service principal calls
+        "aws:SourceOrgID",  # Only for service principal calls + org membership
+        "aws:SourceOrgPaths",  # Only for service principal calls + org membership
+        "aws:PrincipalOrgID",  # Only if principal is a member of an organization
+        "aws:PrincipalOrgPaths",  # Only if principal is a member of an organization
+        "aws:PrincipalArn",  # All signed requests only; absent for anonymous requests
+        "aws:ResourceAccount",  # Always included for most actions (has documented exceptions)
+        "aws:ResourceOrgID",  # Only if resource account is in an organization
+        "aws:ResourceOrgPaths",  # Only if resource account is in an organization
+    }
+)
+
+# Condition keys that are always present in every AWS request context.
+# Using IfExists with these keys is redundant since the key is never absent.
+# Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
+ALWAYS_PRESENT_CONDITION_KEYS = frozenset(
+    {
+        # "always included in the request context" per AWS docs
+        "aws:CurrentTime",
+        "aws:EpochTime",
+        "aws:SecureTransport",
+        "aws:ViaAWSService",
+        "aws:RequestedRegion",
+        # "included in the request context for all requests, including anonymous requests"
+        "aws:PrincipalAccount",
+        "aws:PrincipalType",
+        "aws:userid",
+    }
+)
+
 
 def normalize_operator(operator: str) -> tuple[str, str | None, str | None]:
     """
@@ -122,6 +166,37 @@ def normalize_operator(operator: str) -> tuple[str, str | None, str | None]:
     return operator, None, set_prefix
 
 
+def has_if_exists_suffix(operator: str) -> bool:
+    """
+    Check if a condition operator has the IfExists suffix.
+
+    Handles set operator prefixes (ForAllValues/ForAnyValue).
+    Case-sensitive for the IfExists suffix, matching AWS IAM behavior.
+
+    Args:
+        operator: Raw operator string (e.g., "StringEqualsIfExists", "ForAllValues:StringLikeIfExists")
+
+    Returns:
+        True if the operator has the IfExists suffix
+
+    Examples:
+        >>> has_if_exists_suffix("StringEqualsIfExists")
+        True
+        >>> has_if_exists_suffix("StringEquals")
+        False
+        >>> has_if_exists_suffix("ForAllValues:StringLikeIfExists")
+        True
+        >>> has_if_exists_suffix("BoolIfExists")
+        True
+    """
+    cleaned = operator
+    if ":" in operator:
+        parts = operator.split(":", 1)
+        if parts[0] in SET_OPERATOR_PREFIXES:
+            cleaned = parts[1]
+    return cleaned.endswith("IfExists")
+
+
 def translate_type(doc_type: str) -> str:
     """
     Translate documentation type names to normalized types.
@@ -264,8 +339,7 @@ def _validate_date_value(value_str: str) -> tuple[bool, str | None]:
             if epoch > 32503680000:  # Year 3000 in seconds
                 return (
                     False,
-                    f"UNIX epoch timestamp appears unreasonably large: {value_str}. "
-                    "Expected seconds since 1970-01-01.",
+                    f"UNIX epoch timestamp appears unreasonably large: {value_str}. Expected seconds since 1970-01-01.",
                 )
             return True, None
         except (ValueError, OverflowError):