iam-policy-validator 1.3.1__py3-none-any.whl → 1.5.0__py3-none-any.whl

{iam_policy_validator-1.3.1.dist-info → iam_policy_validator-1.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.3.1
+Version: 1.5.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -448,13 +448,11 @@ settings:
   enable_builtin_checks: true
 
 # Custom check configurations
-security_best_practices_check:
+wildcard_action:
   enabled: true
-  wildcard_action_check:
-    enabled: true
-    severity: high
+  severity: high
 
-action_condition_enforcement_check:
+action_condition_enforcement:
   enabled: true
   severity: critical
   action_condition_requirements:
@@ -465,7 +463,7 @@ action_condition_enforcement_check:
         - condition_key: "iam:PassedToService"
 ```
 
-See [default-config.yaml](default-config.yaml) for a complete configuration example.
+See [examples/configs/full-reference-config.yaml](examples/configs/full-reference-config.yaml) for a complete configuration reference with all available options.
 
 ### GitHub Action Inputs
 
@@ -478,10 +476,11 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 | `recursive`        | Recursively search directories for policy files             | No       | `true`  |
 
 #### GitHub Integration
-| Input           | Description                                | Required | Default |
-| --------------- | ------------------------------------------ | -------- | ------- |
-| `post-comment`  | Post validation results as PR comment      | No       | `true`  |
-| `create-review` | Create line-specific review comments on PR | No       | `true`  |
+| Input            | Description                                               | Required | Default |
+| ---------------- | --------------------------------------------------------- | -------- | ------- |
+| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`  |
+| `create-review`  | Create line-specific review comments on PR files          | No       | `true`  |
+| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false` |
 
 #### Output Options
 | Input         | Description                                                                      | Required | Default   |
@@ -490,12 +489,12 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 | `output-file` | Path to save output file (for non-console formats)                               | No       | `""`      |
 
 #### AWS Access Analyzer
-| Input                    | Description                                                                 | Required | Default           |
-| ------------------------ | --------------------------------------------------------------------------- | -------- | ----------------- |
-| `use-access-analyzer`    | Use AWS IAM Access Analyzer for validation                                  | No       | `false`           |
-| `access-analyzer-region` | AWS region for Access Analyzer                                              | No       | `us-east-1`       |
-| `policy-type`            | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY` | No       | `IDENTITY_POLICY` |
-| `run-all-checks`         | Run custom checks after Access Analyzer (sequential mode)                   | No       | `false`           |
+| Input                    | Description                                                                                            | Required | Default           |
+| ------------------------ | ------------------------------------------------------------------------------------------------------ | -------- | ----------------- |
+| `use-access-analyzer`    | Use AWS IAM Access Analyzer for validation                                                             | No       | `false`           |
+| `access-analyzer-region` | AWS region for Access Analyzer                                                                         | No       | `us-east-1`       |
+| `policy-type`            | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY`, `RESOURCE_CONTROL_POLICY` | No       | `IDENTITY_POLICY` |
+| `run-all-checks`         | Run custom checks after Access Analyzer (sequential mode)                                              | No       | `false`           |
 
 #### Custom Policy Checks (Access Analyzer)
 | Input                         | Description                                                                 | Required | Default           |
@@ -518,7 +517,7 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 - Configure `aws-services-dir` in your config file for offline validation
 - The action automatically filters IAM policies from mixed JSON/YAML files
 
-See [examples/github-actions/](examples/github-actions/) for 8 ready-to-use workflow examples.
+See [examples/github-actions/](examples/github-actions/) for 9 ready-to-use workflow examples.
 
 ### As a CLI Tool
 
@@ -540,6 +539,12 @@ iam-validator validate --path ./policies/
 # Validate multiple paths
 iam-validator validate --path policy1.json --path ./policies/ --path ./more-policies/
 
+# Validate resource policies (S3 bucket policies, SNS topics, etc.)
+iam-validator validate --path ./bucket-policies/ --policy-type RESOURCE_POLICY
+
+# Validate AWS Organizations Resource Control Policies (RCPs)
+iam-validator validate --path ./rcps/ --policy-type RESOURCE_CONTROL_POLICY
+
 # Generate JSON output
 iam-validator validate --path ./policies/ --format json --output report.json
 
@@ -557,6 +562,106 @@ iam-validator analyze \
   --github-review
 ```
 
+### Policy Type Validation
+
+The validator supports four AWS policy types, each with specific validation rules:
+
+#### 🔷 IDENTITY_POLICY (Default)
+Standard IAM policies attached to users, groups, or roles.
+
+**Requirements:**
+- Should NOT have `Principal` element (implicit - the attached entity)
+- Must have `Action` and `Resource` elements
+
+**Example:**
+```bash
+iam-validator validate --path ./user-policies/ --policy-type IDENTITY_POLICY
+```
+
+#### 🔶 RESOURCE_POLICY
+Policies attached to AWS resources (S3 buckets, SNS topics, KMS keys, etc.).
+
+**Requirements:**
+- MUST have `Principal` element (who can access)
+- Must have `Action`, `Effect`, and `Resource` elements
+- Can use configurable security checks for principal validation
+
+**Example:**
+```bash
+iam-validator validate --path ./bucket-policies/ --policy-type RESOURCE_POLICY
+```
+
+**Advanced Principal Validation:**
+```yaml
+# config.yaml
+principal_validation:
+  enabled: true
+  severity: high
+  # Block public access
+  blocked_principals: ["*"]
+  # Or require specific conditions for public access
+  require_conditions_for:
+    "*":
+      - "aws:SourceArn"
+      - "aws:SourceAccount"
+```
+
+#### 🔷 SERVICE_CONTROL_POLICY
+AWS Organizations SCPs that set permission guardrails.
+
+**Requirements:**
+- Must NOT have `Principal` element (applies to all principals in OU)
+- Typically uses `Deny` effect for guardrails
+- Must have `Action` and `Resource` elements
+
+**Example:**
+```bash
+iam-validator validate --path ./scps/ --policy-type SERVICE_CONTROL_POLICY
+```
+
+#### 🆕 RESOURCE_CONTROL_POLICY
+AWS Organizations RCPs for resource-level access control (released 2024).
+
+**Strict Requirements:**
+- `Effect` MUST be `Deny` (only AWS-managed `RCPFullAWSAccess` can use `Allow`)
+- `Principal` MUST be exactly `"*"` (use `Condition` to restrict)
+- `Action` cannot use `"*"` alone (must be service-specific like `"s3:*"`)
+- Only **5 supported services**: `s3`, `sts`, `sqs`, `secretsmanager`, `kms`
+- `NotAction` and `NotPrincipal` are NOT supported
+- Must have `Resource` or `NotResource` element
+
+**Example:**
+```bash
+iam-validator validate --path ./rcps/ --policy-type RESOURCE_CONTROL_POLICY
+```
+
+**Valid RCP:**
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [{
+    "Sid": "EnforceEncryptionInTransit",
+    "Effect": "Deny",
+    "Principal": "*",
+    "Action": ["s3:*", "sqs:*"],
+    "Resource": "*",
+    "Condition": {
+      "BoolIfExists": {
+        "aws:SecureTransport": "false"
+      }
+    }
+  }]
+}
+```
+
+**What the validator catches:**
+```
+✓ Effect is "Deny" (required for RCPs)
+✓ Principal is "*" (required - restrictions via Condition)
+✓ Actions from supported services (s3, sqs)
+✓ Uses Condition to scope the deny
+```
+
 ### Custom Policy Checks
 
 AWS IAM Access Analyzer provides specialized checks to validate policies against specific security requirements:
@@ -744,6 +849,44 @@ Identifies potential security risks:
 
 ## GitHub Integration Features
 
+### Flexible Comment Options
+
+The validator provides **three independent ways** to display validation results in GitHub:
+
+#### 1. **PR Summary Comment** (`--github-comment`)
+Posts a high-level summary to the PR conversation with:
+- Overall metrics (total policies, issues, severities)
+- Grouped findings by file
+- Detailed issue descriptions with suggestions
+
+#### 2. **Line-Specific Review Comments** (`--github-review`)
+Creates inline review comments on the "Files changed" tab:
+- Comments appear directly on problematic lines
+- Includes rich context (examples, suggestions)
+- Automatically cleaned up on subsequent runs
+- Review status (REQUEST_CHANGES or COMMENT) based on `fail_on_severity` config
+
+#### 3. **GitHub Actions Job Summary** (`--github-summary`)
+Writes a high-level overview to the Actions tab:
+- Visible in workflow run summary
+- Shows key metrics and severity breakdown
+- Clean dashboard view without overwhelming details
+
+**Mix and Match:** Use any combination of these options:
+```bash
+# All three for maximum visibility
+--github-comment --github-review --github-summary
+
+# Only line-specific review comments (clean, minimal)
+--github-review
+
+# Only PR summary comment
+--github-comment
+
+# Only Actions job summary
+--github-summary
+```
+
 ### Smart PR Comment Management
 
 The validator intelligently manages PR comments to keep your PRs clean:
@@ -757,8 +900,9 @@ The validator intelligently manages PR comments to keep your PRs clean:
 **Behavior:**
 - ✅ **No Duplicates**: Summary comments are updated, not duplicated
 - ✅ **Clean PR**: Old review comments automatically deleted before new validation
-- ✅ **Identifiable**: All bot comments tagged with `🤖 IAM Policy Validator`
+- ✅ **Identifiable**: All bot comments use HTML identifiers (invisible to users)
 - ✅ **Progressive**: In streaming mode, comments appear file-by-file
+- ✅ **Smart Review Status**: Uses `fail_on_severity` config to determine REQUEST_CHANGES vs COMMENT
 
 **Example:**
 ```
@@ -830,6 +974,7 @@ The comprehensive [DOCS.md](DOCS.md) file contains everything you need:
   - [Custom Checks](examples/custom_checks/)
   - [Configuration Files](examples/configs/)
   - [Test IAM Policies](examples/iam-test-policies/)
+- **[Roadmap](docs/ROADMAP.md)** - Planned features and improvements
 - **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation
 - **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines
 - **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process

iam_policy_validator-1.5.0.dist-info/RECORD

@@ -0,0 +1,67 @@
+iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
+iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
+iam_validator/__version__.py,sha256=aNFKvgY68bb-MhUFw2OC-8_0VmwOTwY6_J5GPtri6os,206
+iam_validator/checks/__init__.py,sha256=OSgwk2WO_lLYOgSrTAycUNgRHw0NSU33Rse39thvVSk,1456
+iam_validator/checks/action_condition_enforcement.py,sha256=bKQEkD7PJYA0g9CwfrgfQSAKcVJkQgqfSnpXKE3Rz_0,29588
+iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
+iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
+iam_validator/checks/condition_key_validation.py,sha256=XmlwSDHq7p48dEDxjUJiRtaqtfAiFgpBJnj2jY_25LU,3796
+iam_validator/checks/full_wildcard.py,sha256=8zkmkQo2TkflgNgbclThH73mIBRHbuiob0YO2HwQhuE,2371
+iam_validator/checks/policy_size.py,sha256=gJD8rFHa1CstKaZ2Dj9B5XEI3o0wsGv7ksqjqZXoSXI,5771
+iam_validator/checks/policy_type_validation.py,sha256=w85W4zdZ6ZrDy0DmHxxnAXbJGfN8peRDjLfJ4Bp1dWc,15009
+iam_validator/checks/principal_validation.py,sha256=DLmqX_QbfuV8O5XtcuocBeR_Vwa50_3RBx35XuLQob8,29837
+iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
+iam_validator/checks/sensitive_action.py,sha256=mGxUELAuzsY_zK382WgJeeRGJDl8lumIsWgGIm_tmPs,6852
+iam_validator/checks/service_wildcard.py,sha256=1O3NF8_T1LsCzpm8SFViv1KTh9NYQSqXN8-D3xx6Erw,4156
+iam_validator/checks/sid_uniqueness.py,sha256=1Ux9W1hPPhzgdCzfxwxvD-nSBRo1SyrxFWlnTXDcOys,6887
+iam_validator/checks/wildcard_action.py,sha256=KsAej_GP6qL2XpmvGnS56SIJw3Z-5xyvZ7VDfsERFrU,2045
+iam_validator/checks/wildcard_resource.py,sha256=V5aBmb1pr8KhbVv2G4nzjBlZWz0kCOCgW6jKnb2_U60,5504
+iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
+iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=Wl_YHktQR1LthkePaLMVF5iCeBpax2QgNRN0_azgfD8,9295
+iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
+iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
+iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
+iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
+iam_validator/commands/cache.py,sha256=NHfbIDWI8tj-3o-4fIZJQS-Vvd9bxIH3Lk6kBtNuiUU,14212
+iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
+iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
+iam_validator/commands/validate.py,sha256=Nz6nC8UoRSLjnxTjv5n1qc5SOC88vK1ZwV04nH4oPDI,22333
+iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
+iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
+iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
+iam_validator/core/aws_fetcher.py,sha256=raEnvUi3rFaE1Bf9h6Am0bKeDSUN0WI6MPuVt4LSQzg,34169
+iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
+iam_validator/core/check_registry.py,sha256=-3MDcJvzN07cyMbi9UTzw_JcPJCcB-tXGl5hKX-Y2ZY,16067
+iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
+iam_validator/core/config_loader.py,sha256=qPdRokl8Hdc1t1vX--JQjOC_colgnnq1MrKsGtcW56s,17609
+iam_validator/core/models.py,sha256=8v-b8Z8PFqpbdEpkZZ33kuZ_5D81Z2lIHzlFLu3i5mE,11094
+iam_validator/core/policy_checks.py,sha256=zmA1GupD5jE1avCdaYLdZ7WA7CVG0CWjmgkd_2F-p7A,26429
+iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
+iam_validator/core/pr_commenter.py,sha256=7wt1q1rQE3bozNfrynWaE2RVkyRxu4CUNKX7u1_Ii1c,11593
+iam_validator/core/report.py,sha256=Yeh_u9jQvTyDV3ignyPcWEQVfFcxNZNrxf4T0fjeWb4,33283
+iam_validator/core/config/__init__.py,sha256=e9Dh-NtUtW6-Kk_RwLiOzLn8X09E4_VqgNp0Cuva7y0,2655
+iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
+iam_validator/core/config/condition_requirements.py,sha256=45HITvpClti453CgrMLlV1AwoZVUbSTVVhflaxapJTM,17021
+iam_validator/core/config/defaults.py,sha256=_GcVnGkMMqqG1OCxQy4lsS5pM7rDD3phXHTq1w3ECJU,19334
+iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
+iam_validator/core/config/sensitive_actions.py,sha256=J03x_Y3z2gqU4QmeQF2iDWEZfeWKoNls1qL2VgtwtOU,4464
+iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
+iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
+iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
+iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
+iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
+iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
+iam_validator/core/formatters/enhanced.py,sha256=S0UgYKFOgILfOqwnBC8-WFab3F1CiEko33g0nbaswtk,17085
+iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
+iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
+iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
+iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
+iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
+iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
+iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
+iam_policy_validator-1.5.0.dist-info/METADATA,sha256=D5TTVNQDeankIcLYRBT_UzysyZgWTZtaHzby0CHH_Vc,34222
+iam_policy_validator-1.5.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.5.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.5.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.5.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.3.1"
+__version__ = "1.5.0"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/__init__.py

@@ -5,21 +5,33 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
-from iam_validator.checks.action_resource_constraint import ActionResourceConstraintCheck
+from iam_validator.checks.action_resource_constraint import (
+    ActionResourceConstraintCheck,
+)
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
+from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
+from iam_validator.checks.principal_validation import PrincipalValidationCheck
 from iam_validator.checks.resource_validation import ResourceValidationCheck
-from iam_validator.checks.security_best_practices import SecurityBestPracticesCheck
+from iam_validator.checks.sensitive_action import SensitiveActionCheck
+from iam_validator.checks.service_wildcard import ServiceWildcardCheck
 from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
+from iam_validator.checks.wildcard_action import WildcardActionCheck
+from iam_validator.checks.wildcard_resource import WildcardResourceCheck
 
 __all__ = [
     "ActionConditionEnforcementCheck",
     "ActionResourceConstraintCheck",
     "ActionValidationCheck",
     "ConditionKeyValidationCheck",
+    "FullWildcardCheck",
     "PolicySizeCheck",
+    "PrincipalValidationCheck",
     "ResourceValidationCheck",
-    "SecurityBestPracticesCheck",
+    "SensitiveActionCheck",
+    "ServiceWildcardCheck",
     "SidUniquenessCheck",
+    "WildcardActionCheck",
+    "WildcardResourceCheck",
 ]

iam_validator/checks/action_condition_enforcement.py

@@ -607,10 +607,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_required_condition",
-            message=(
-                f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'. "
-                f"{description}"
-            ),
+            message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
             action=", ".join(matching_actions),
             condition_key=condition_key,
             suggestion=self._build_suggestion(
@@ -707,8 +704,6 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         )
         if expected_value is not None:
             message += f" with value '{expected_value}'"
-        if description:
-            message += f". {description}"
 
         suggestion = f"Remove the '{condition_key}' condition from the statement"
         if description:

iam_validator/checks/condition_key_validation.py

@@ -34,6 +34,9 @@ class ConditionKeyValidationCheck(PolicyCheck):
         if not statement.condition:
             return issues
 
+        # Check if global condition key warnings are enabled (default: True)
+        warn_on_global_keys = config.config.get("warn_on_global_condition_keys", True)
+
         statement_sid = statement.sid
         line_number = statement.line_number
         actions = statement.get_actions()
@@ -47,7 +50,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
                     if action == "*":
                         continue
 
-                    is_valid, error_msg = await fetcher.validate_condition_key(
+                    is_valid, error_msg, warning_msg = await fetcher.validate_condition_key(
                         action, condition_key
                     )
 
@@ -66,5 +69,22 @@ class ConditionKeyValidationCheck(PolicyCheck):
                         )
                         # Only report once per condition key (not per action)
                         break
+                    elif warning_msg and warn_on_global_keys:
+                        # Add warning for global condition keys with action-specific keys
+                        # Only if warn_on_global_condition_keys is enabled
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="global_condition_key_with_action_specific",
+                                message=warning_msg,
+                                action=action,
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+                        # Only report once per condition key (not per action)
+                        break
 
         return issues

iam_validator/checks/full_wildcard.py

@@ -0,0 +1,67 @@
+"""Full wildcard check - detects Action: '*' AND Resource: '*' together (critical security risk)."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class FullWildcardCheck(PolicyCheck):
+    """Checks for both Action: '*' AND Resource: '*' which grants full administrative access."""
+
+    @property
+    def check_id(self) -> str:
+        return "full_wildcard"
+
+    @property
+    def description(self) -> str:
+        return "Checks for both action and resource wildcards together (critical risk)"
+
+    @property
+    def default_severity(self) -> str:
+        return "critical"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute full wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+
+        # Check for both wildcards together (CRITICAL)
+        if "*" in actions and "*" in resources:
+            message = config.config.get(
+                "message",
+                "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+            )
+            suggestion_text = config.config.get(
+                "suggestion",
+                "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
+            )
+            example = config.config.get("example", "")
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="security_risk",
+                    message=message,
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues

iam_validator/checks/policy_size.py

@@ -76,6 +76,7 @@ class PolicySizeCheck(PolicyCheck):
         policy_file: str,
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
+        **kwargs,
     ) -> list[ValidationIssue]:
         """Execute the policy size check on the entire policy.