iam-policy-validator 1.3.1__py3-none-any.whl → 1.5.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. {iam_policy_validator-1.3.1.dist-info → iam_policy_validator-1.5.0.dist-info}/METADATA +164 -19
  2. iam_policy_validator-1.5.0.dist-info/RECORD +67 -0
  3. iam_validator/__version__.py +1 -1
  4. iam_validator/checks/__init__.py +15 -3
  5. iam_validator/checks/action_condition_enforcement.py +1 -6
  6. iam_validator/checks/condition_key_validation.py +21 -1
  7. iam_validator/checks/full_wildcard.py +67 -0
  8. iam_validator/checks/policy_size.py +1 -0
  9. iam_validator/checks/policy_type_validation.py +299 -0
  10. iam_validator/checks/principal_validation.py +776 -0
  11. iam_validator/checks/sensitive_action.py +178 -0
  12. iam_validator/checks/service_wildcard.py +105 -0
  13. iam_validator/checks/sid_uniqueness.py +45 -7
  14. iam_validator/checks/utils/sensitive_action_matcher.py +39 -31
  15. iam_validator/checks/wildcard_action.py +62 -0
  16. iam_validator/checks/wildcard_resource.py +131 -0
  17. iam_validator/commands/download_services.py +3 -8
  18. iam_validator/commands/post_to_pr.py +7 -0
  19. iam_validator/commands/validate.py +204 -16
  20. iam_validator/core/aws_fetcher.py +25 -12
  21. iam_validator/core/check_registry.py +25 -21
  22. iam_validator/core/config/__init__.py +83 -0
  23. iam_validator/core/config/aws_api.py +35 -0
  24. iam_validator/core/config/condition_requirements.py +535 -0
  25. iam_validator/core/config/defaults.py +390 -0
  26. iam_validator/core/config/principal_requirements.py +421 -0
  27. iam_validator/core/config/sensitive_actions.py +133 -0
  28. iam_validator/core/config/service_principals.py +95 -0
  29. iam_validator/core/config/wildcards.py +124 -0
  30. iam_validator/core/config_loader.py +29 -9
  31. iam_validator/core/formatters/enhanced.py +11 -5
  32. iam_validator/core/formatters/sarif.py +78 -14
  33. iam_validator/core/models.py +13 -3
  34. iam_validator/core/policy_checks.py +39 -6
  35. iam_validator/core/pr_commenter.py +30 -9
  36. iam_policy_validator-1.3.1.dist-info/RECORD +0 -54
  37. iam_validator/checks/security_best_practices.py +0 -535
  38. iam_validator/core/defaults.py +0 -366
  39. {iam_policy_validator-1.3.1.dist-info → iam_policy_validator-1.5.0.dist-info}/WHEEL +0 -0
  40. {iam_policy_validator-1.3.1.dist-info → iam_policy_validator-1.5.0.dist-info}/entry_points.txt +0 -0
  41. {iam_policy_validator-1.3.1.dist-info → iam_policy_validator-1.5.0.dist-info}/licenses/LICENSE +0 -0
iam_validator/core/defaults.py DELETED
@@ -1,366 +0,0 @@
1
- """
2
- Default configuration for IAM Policy Validator.
3
-
4
- This module contains the default configuration that is used when no user
5
- configuration file is provided. User configuration files will override
6
- these defaults.
7
-
8
- This configuration is synced with the default-config.yaml file.
9
- """
10
-
11
- # ============================================================================
12
- # SEVERITY LEVELS
13
- # ============================================================================
14
- # The validator uses two types of severity levels:
15
- #
16
- # 1. IAM VALIDITY SEVERITIES (for AWS IAM policy correctness):
17
- # - error: Policy violates AWS IAM rules (invalid actions, ARNs, etc.)
18
- # - warning: Policy may have IAM-related issues but is technically valid
19
- # - info: Informational messages about the policy structure
20
- #
21
- # 2. SECURITY SEVERITIES (for security best practices):
22
- # - critical: Critical security risk (e.g., wildcard action + resource)
23
- # - high: High security risk (e.g., missing required conditions)
24
- # - medium: Medium security risk (e.g., overly permissive wildcards)
25
- # - low: Low security risk (e.g., minor best practice violations)
26
- #
27
- # Use 'error' for policy validity issues, and 'critical/high/medium/low' for
28
- # security best practices. This distinction helps separate "broken policies"
29
- # from "insecure but valid policies".
30
- # ============================================================================
31
-
32
- # Default configuration dictionary
33
- DEFAULT_CONFIG = {
34
- "settings": {
35
- "fail_fast": False,
36
- "max_concurrent": 10,
37
- "enable_builtin_checks": True,
38
- "parallel_execution": True,
39
- "aws_services_dir": None,
40
- "cache_enabled": True,
41
- "cache_ttl_hours": 168,
42
- "fail_on_severity": ["error", "critical"],
43
- },
44
- "sid_uniqueness_check": {
45
- "enabled": True,
46
- "severity": "error",
47
- "description": "Validates that Statement IDs (Sids) are unique within the policy",
48
- },
49
- "policy_size_check": {
50
- "enabled": True,
51
- "severity": "error",
52
- "description": "Validates that IAM policies don't exceed AWS size limits",
53
- "policy_type": "managed",
54
- },
55
- "action_validation_check": {
56
- "enabled": True,
57
- "severity": "error",
58
- "description": "Validates that actions exist in AWS services",
59
- },
60
- "condition_key_validation_check": {
61
- "enabled": True,
62
- "severity": "error",
63
- "description": "Validates condition keys against AWS service definitions for specified actions",
64
- "validate_aws_global_keys": True,
65
- },
66
- "resource_validation_check": {
67
- "enabled": True,
68
- "severity": "error",
69
- "description": "Validates ARN format for resources",
70
- "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
71
- },
72
- "action_resource_constraint_check": {
73
- "enabled": True,
74
- "severity": "error",
75
- "description": "Validates that actions without required resource types use Resource: '*'",
76
- },
77
- "security_best_practices_check": {
78
- "enabled": True,
79
- "description": "Checks for common security anti-patterns",
80
- "allowed_wildcards": [
81
- "autoscaling:Describe*",
82
- "cloudwatch:Describe*",
83
- "cloudwatch:Get*",
84
- "cloudwatch:List*",
85
- "dynamodb:Describe*",
86
- "ec2:Describe*",
87
- "elasticloadbalancing:Describe*",
88
- "iam:Get*",
89
- "iam:List*",
90
- "kms:Describe*",
91
- "lambda:Get*",
92
- "lambda:List*",
93
- "logs:Describe*",
94
- "logs:Filter*",
95
- "logs:Get*",
96
- "rds:Describe*",
97
- "route53:Get*",
98
- "route53:List*",
99
- "s3:Describe*",
100
- "s3:GetBucket*",
101
- "s3:GetM*",
102
- "s3:List*",
103
- "sqs:Get*",
104
- "sqs:List*",
105
- "apigateway:GET",
106
- ],
107
- "wildcard_action_check": {
108
- "enabled": True,
109
- "severity": "medium",
110
- "message": "Statement allows all actions (*)",
111
- "suggestion": "Replace wildcard with specific actions needed for your use case",
112
- "example": """Replace:
113
- "Action": ["*"]
114
-
115
- With specific actions:
116
- "Action": [
117
- "s3:GetObject",
118
- "s3:PutObject",
119
- "s3:ListBucket"
120
- ]
121
- """,
122
- },
123
- "wildcard_resource_check": {
124
- "enabled": True,
125
- "severity": "medium",
126
- "message": "Statement applies to all resources (*)",
127
- "suggestion": "Replace wildcard with specific resource ARNs",
128
- "example": """Replace:
129
- "Resource": "*"
130
-
131
- With specific ARNs:
132
- "Resource": [
133
- "arn:aws:service:region:account-id:resource-type/resource-id",
134
- "arn:aws:service:region:account-id:resource-type/*"
135
- ]
136
- """,
137
- },
138
- "full_wildcard_check": {
139
- "enabled": True,
140
- "severity": "critical",
141
- "message": "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
142
- "suggestion": "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
143
- "example": """Replace:
144
- "Action": "*",
145
- "Resource": "*"
146
-
147
- With specific values:
148
- "Action": [
149
- "s3:GetObject",
150
- "s3:PutObject"
151
- ],
152
- "Resource": [
153
- "arn:aws:s3:::my-bucket/*"
154
- ]
155
- """,
156
- },
157
- "service_wildcard_check": {
158
- "enabled": True,
159
- "severity": "high",
160
- "allowed_services": ["logs", "cloudwatch", "xray"],
161
- },
162
- "sensitive_action_check": {
163
- "enabled": True,
164
- "severity": "medium",
165
- "message_single": "Sensitive action '{action}' should have conditions to limit when it can be used",
166
- "message_multiple": "Sensitive actions '{actions}' should have conditions to limit when they can be used",
167
- "suggestion": "Add IAM conditions to limit when this action can be used. Consider: ABAC (ResourceTag OR RequestTag must match PrincipalTag), IP restrictions (aws:SourceIp), MFA requirements (aws:MultiFactorAuthPresent), or time-based restrictions (aws:CurrentTime)",
168
- "example": """"Condition": {
169
- "StringEquals": {
170
- "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
171
- }
172
- }
173
- """,
174
- "sensitive_actions": [
175
- "iam:AddClientIDToOpenIDConnectProvider",
176
- "iam:AttachRolePolicy",
177
- "iam:AttachUserPolicy",
178
- "iam:CreateAccessKey",
179
- "iam:CreateOpenIDConnectProvider",
180
- "iam:CreatePolicyVersion",
181
- "iam:CreateRole",
182
- "iam:CreateSAMLProvider",
183
- "iam:CreateUser",
184
- "iam:DeleteAccessKey",
185
- "iam:DeleteLoginProfile",
186
- "iam:DeleteOpenIDConnectProvider",
187
- "iam:DeleteRole",
188
- "iam:DeleteRolePolicy",
189
- "iam:DeleteSAMLProvider",
190
- "iam:DeleteUser",
191
- "iam:DeleteUserPolicy",
192
- "iam:DetachRolePolicy",
193
- "iam:DetachUserPolicy",
194
- "iam:PutRolePolicy",
195
- "iam:PutUserPolicy",
196
- "iam:SetDefaultPolicyVersion",
197
- "iam:UpdateAccessKey",
198
- "iam:UpdateAssumeRolePolicy",
199
- "kms:DisableKey",
200
- "kms:PutKeyPolicy",
201
- "kms:ScheduleKeyDeletion",
202
- "secretsmanager:DeleteSecret",
203
- "secretsmanager:GetSecretValue",
204
- "secretsmanager:PutSecretValue",
205
- "ssm:DeleteParameter",
206
- "ssm:PutParameter",
207
- "ec2:DeleteSnapshot",
208
- "ec2:DeleteVolume",
209
- "ec2:DeleteVpc",
210
- "ec2:ModifyInstanceAttribute",
211
- "ec2:TerminateInstances",
212
- "ecr:DeleteRepository",
213
- "ecs:DeleteCluster",
214
- "ecs:DeleteService",
215
- "eks:DeleteCluster",
216
- "lambda:DeleteFunction",
217
- "lambda:DeleteFunctionConcurrency",
218
- "lambda:PutFunctionConcurrency",
219
- "dynamodb:DeleteTable",
220
- "efs:DeleteFileSystem",
221
- "elasticache:DeleteCacheCluster",
222
- "fsx:DeleteFileSystem",
223
- "rds:DeleteDBCluster",
224
- "rds:DeleteDBInstance",
225
- "redshift:DeleteCluster",
226
- "backup:DeleteBackupVault",
227
- "glacier:DeleteArchive",
228
- "s3:DeleteBucket",
229
- "s3:DeleteBucketPolicy",
230
- "s3:DeleteObject",
231
- "s3:PutBucketPolicy",
232
- "s3:PutLifecycleConfiguration",
233
- "ec2:AuthorizeSecurityGroupIngress",
234
- "ec2:DeleteSecurityGroup",
235
- "ec2:DisassociateRouteTable",
236
- "ec2:RevokeSecurityGroupEgress",
237
- "cloudtrail:DeleteTrail",
238
- "cloudtrail:StopLogging",
239
- "cloudwatch:DeleteLogGroup",
240
- "config:DeleteConfigurationRecorder",
241
- "guardduty:DeleteDetector",
242
- "account:CloseAccount",
243
- "account:CreateAccount",
244
- "organizations:LeaveOrganization",
245
- "organizations:RemoveAccountFromOrganization",
246
- ],
247
- },
248
- },
249
- "action_condition_enforcement_check": {
250
- "enabled": True,
251
- "severity": "high",
252
- "description": "Enforce specific IAM condition requirements (unified: MFA, IP, tags, etc.)",
253
- "action_condition_requirements": [
254
- {
255
- "actions": ["iam:PassRole"],
256
- "severity": "high",
257
- "required_conditions": [
258
- {
259
- "condition_key": "iam:PassedToService",
260
- "description": "Specify which AWS services are allowed to use the passed role to prevent privilege escalation",
261
- "example": """"Condition": {
262
- "StringEquals": {
263
- "iam:PassedToService": [
264
- "lambda.amazonaws.com",
265
- "ecs-tasks.amazonaws.com",
266
- "ec2.amazonaws.com",
267
- "glue.amazonaws.com",
268
- "lambda.amazonaws.com"
269
- ]
270
- }
271
- }
272
- """,
273
- },
274
- ],
275
- },
276
- {
277
- "actions": [
278
- "iam:CreateRole",
279
- "iam:Put*Policy*",
280
- "iam:PutUserPolicy",
281
- "iam:PutRolePolicy",
282
- "iam:Attach*Policy*",
283
- "iam:AttachUserPolicy",
284
- "iam:AttachRolePolicy",
285
- ],
286
- "severity": "high",
287
- "required_conditions": [
288
- {
289
- "condition_key": "iam:PermissionsBoundary",
290
- "description": "Require permissions boundary for sensitive IAM operations to prevent privilege escalation",
291
- "expected_value": "arn:aws:iam::*:policy/DeveloperBoundary",
292
- "example": """# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
293
- "Condition": {
294
- "StringEquals": {
295
- "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
296
- }
297
- }
298
- """,
299
- },
300
- ],
301
- },
302
- {
303
- "actions": ["s3:PutObject"],
304
- "severity": "medium",
305
- "required_conditions": [
306
- {
307
- "condition_key": "aws:ResourceOrgId",
308
- "description": "Require aws:ResourceOrgId condition for S3 write actions to enforce organization-level access control",
309
- "example": """"Condition": {
310
- "StringEquals": {
311
- "aws:ResourceOrgId": "${aws:PrincipalOrgID}"
312
- }
313
- }
314
- """,
315
- },
316
- ],
317
- },
318
- {
319
- "action_patterns": ["^s3:.*"],
320
- "required_conditions": [
321
- {
322
- "condition_key": "aws:SecureTransport",
323
- "description": "Require HTTPS for all S3 operations",
324
- "expected_value": True,
325
- },
326
- ],
327
- },
328
- {
329
- "action_patterns": [
330
- "^ssm:StartSession$",
331
- "^ssm:Run.*$",
332
- "^s3:GetObject$",
333
- "^rds-db:Connect$",
334
- ],
335
- "severity": "low",
336
- "required_conditions": [
337
- {
338
- "condition_key": "aws:SourceIp",
339
- "description": "Restrict access to corporate IP ranges",
340
- "example": """"Condition": {
341
- "IpAddress": {
342
- "aws:SourceIp": [
343
- "10.0.0.0/8",
344
- "172.16.0.0/12"
345
- ]
346
- }
347
- }
348
- """,
349
- },
350
- ],
351
- },
352
- ],
353
- },
354
- }
355
-
356
-
357
- def get_default_config() -> dict:
358
- """
359
- Get a deep copy of the default configuration.
360
-
361
- Returns:
362
- A deep copy of the default configuration dictionary
363
- """
364
- import copy
365
-
366
- return copy.deepcopy(DEFAULT_CONFIG)