iam-policy-validator 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.4.0
+Version: 1.5.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -448,13 +448,11 @@ settings:
   enable_builtin_checks: true
 
 # Custom check configurations
-security_best_practices_check:
+wildcard_action:
   enabled: true
-  wildcard_action_check:
-    enabled: true
-    severity: high
+  severity: high
 
-action_condition_enforcement_check:
+action_condition_enforcement:
   enabled: true
   severity: critical
   action_condition_requirements:
@@ -465,7 +463,7 @@ action_condition_enforcement_check:
         - condition_key: "iam:PassedToService"
 ```
 
-See [default-config.yaml](default-config.yaml) for a complete configuration example.
+See [examples/configs/full-reference-config.yaml](examples/configs/full-reference-config.yaml) for a complete configuration reference with all available options.
 
 ### GitHub Action Inputs
 
@@ -478,11 +476,11 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 | `recursive`        | Recursively search directories for policy files             | No       | `true`  |
 
 #### GitHub Integration
-| Input              | Description                                          | Required | Default |
-| ------------------ | ---------------------------------------------------- | -------- | ------- |
-| `post-comment`     | Post validation summary as PR conversation comment   | No       | `true`  |
-| `create-review`    | Create line-specific review comments on PR files     | No       | `true`  |
-| `github-summary`   | Write summary to GitHub Actions job summary (Actions tab) | No       | `false` |
+| Input            | Description                                               | Required | Default |
+| ---------------- | --------------------------------------------------------- | -------- | ------- |
+| `post-comment`   | Post validation summary as PR conversation comment        | No       | `true`  |
+| `create-review`  | Create line-specific review comments on PR files          | No       | `true`  |
+| `github-summary` | Write summary to GitHub Actions job summary (Actions tab) | No       | `false` |
 
 #### Output Options
 | Input         | Description                                                                      | Required | Default   |
@@ -491,12 +489,12 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 | `output-file` | Path to save output file (for non-console formats)                               | No       | `""`      |
 
 #### AWS Access Analyzer
-| Input                    | Description                                                                 | Required | Default           |
-| ------------------------ | --------------------------------------------------------------------------- | -------- | ----------------- |
-| `use-access-analyzer`    | Use AWS IAM Access Analyzer for validation                                  | No       | `false`           |
-| `access-analyzer-region` | AWS region for Access Analyzer                                              | No       | `us-east-1`       |
+| Input                    | Description                                                                                            | Required | Default           |
+| ------------------------ | ------------------------------------------------------------------------------------------------------ | -------- | ----------------- |
+| `use-access-analyzer`    | Use AWS IAM Access Analyzer for validation                                                             | No       | `false`           |
+| `access-analyzer-region` | AWS region for Access Analyzer                                                                         | No       | `us-east-1`       |
 | `policy-type`            | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY`, `RESOURCE_CONTROL_POLICY` | No       | `IDENTITY_POLICY` |
-| `run-all-checks`         | Run custom checks after Access Analyzer (sequential mode)                   | No       | `false`           |
+| `run-all-checks`         | Run custom checks after Access Analyzer (sequential mode)                                              | No       | `false`           |
 
 #### Custom Policy Checks (Access Analyzer)
 | Input                         | Description                                                                 | Required | Default           |
@@ -519,7 +517,7 @@ See [default-config.yaml](default-config.yaml) for a complete configuration exam
 - Configure `aws-services-dir` in your config file for offline validation
 - The action automatically filters IAM policies from mixed JSON/YAML files
 
-See [examples/github-actions/](examples/github-actions/) for 8 ready-to-use workflow examples.
+See [examples/github-actions/](examples/github-actions/) for 9 ready-to-use workflow examples.
 
 ### As a CLI Tool
 
@@ -596,7 +594,7 @@ iam-validator validate --path ./bucket-policies/ --policy-type RESOURCE_POLICY
 **Advanced Principal Validation:**
 ```yaml
 # config.yaml
-principal_validation_check:
+principal_validation:
   enabled: true
   severity: high
   # Block public access
@@ -976,6 +974,7 @@ The comprehensive [DOCS.md](DOCS.md) file contains everything you need:
   - [Custom Checks](examples/custom_checks/)
   - [Configuration Files](examples/configs/)
   - [Test IAM Policies](examples/iam-test-policies/)
+- **[Roadmap](docs/ROADMAP.md)** - Planned features and improvements
 - **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation
 - **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines
 - **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/RECORD

@@ -1,56 +1,67 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=6gOrZIkxMPVa_nnwLKPMicCPct559IjLb4Htzsxw9QQ,206
-iam_validator/checks/__init__.py,sha256=3d90eCtdHzPMXSOwCTffTYB81EFllHwcfcYk6Kwo_q8,1079
-iam_validator/checks/action_condition_enforcement.py,sha256=3M1Wj89Af6H-ywBTruZbJPzhCBBQVanVb5hwv-fkiDE,29721
+iam_validator/__version__.py,sha256=aNFKvgY68bb-MhUFw2OC-8_0VmwOTwY6_J5GPtri6os,206
+iam_validator/checks/__init__.py,sha256=OSgwk2WO_lLYOgSrTAycUNgRHw0NSU33Rse39thvVSk,1456
+iam_validator/checks/action_condition_enforcement.py,sha256=bKQEkD7PJYA0g9CwfrgfQSAKcVJkQgqfSnpXKE3Rz_0,29588
 iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
 iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
-iam_validator/checks/condition_key_validation.py,sha256=bc4LQ8IRKyt0RquaQvQvVjmeJnuOUAFRL8xdduLPa_U,2661
+iam_validator/checks/condition_key_validation.py,sha256=XmlwSDHq7p48dEDxjUJiRtaqtfAiFgpBJnj2jY_25LU,3796
+iam_validator/checks/full_wildcard.py,sha256=8zkmkQo2TkflgNgbclThH73mIBRHbuiob0YO2HwQhuE,2371
 iam_validator/checks/policy_size.py,sha256=gJD8rFHa1CstKaZ2Dj9B5XEI3o0wsGv7ksqjqZXoSXI,5771
 iam_validator/checks/policy_type_validation.py,sha256=w85W4zdZ6ZrDy0DmHxxnAXbJGfN8peRDjLfJ4Bp1dWc,15009
-iam_validator/checks/principal_validation.py,sha256=GKwmeot65dy7gx8nCMTNazOuGT_9S8HpUjd36iVyqfc,10980
+iam_validator/checks/principal_validation.py,sha256=DLmqX_QbfuV8O5XtcuocBeR_Vwa50_3RBx35XuLQob8,29837
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/security_best_practices.py,sha256=jaqCIdxpdPYJUBaP3NfuRnNCBplSn1nko5V43cEGKCI,23111
+iam_validator/checks/sensitive_action.py,sha256=mGxUELAuzsY_zK382WgJeeRGJDl8lumIsWgGIm_tmPs,6852
+iam_validator/checks/service_wildcard.py,sha256=1O3NF8_T1LsCzpm8SFViv1KTh9NYQSqXN8-D3xx6Erw,4156
 iam_validator/checks/sid_uniqueness.py,sha256=1Ux9W1hPPhzgdCzfxwxvD-nSBRo1SyrxFWlnTXDcOys,6887
+iam_validator/checks/wildcard_action.py,sha256=KsAej_GP6qL2XpmvGnS56SIJw3Z-5xyvZ7VDfsERFrU,2045
+iam_validator/checks/wildcard_resource.py,sha256=V5aBmb1pr8KhbVv2G4nzjBlZWz0kCOCgW6jKnb2_U60,5504
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
-iam_validator/checks/utils/sensitive_action_matcher.py,sha256=VlTpgjMnympYa28kOdm6xRIUL2P87rOvm1O2NdnjtVI,8900
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=Wl_YHktQR1LthkePaLMVF5iCeBpax2QgNRN0_azgfD8,9295
 iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
 iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=NHfbIDWI8tj-3o-4fIZJQS-Vvd9bxIH3Lk6kBtNuiUU,14212
-iam_validator/commands/download_services.py,sha256=anRcobOuhkiEmHpwW_AJb1e2ifgkgYAO2-b9-JBrBcg,9152
+iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=UA5QvnPSqy_a8Y0aLl3P1A_UeZv72EPL9C8tmSMvHt4,21209
+iam_validator/commands/validate.py,sha256=Nz6nC8UoRSLjnxTjv5n1qc5SOC88vK1ZwV04nH4oPDI,22333
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
-iam_validator/core/aws_fetcher.py,sha256=0rG7qi3Lz6ulU6pDL0nZ6sklgSAS5pwo0ViykDspRt8,33382
+iam_validator/core/aws_fetcher.py,sha256=raEnvUi3rFaE1Bf9h6Am0bKeDSUN0WI6MPuVt4LSQzg,34169
 iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
-iam_validator/core/check_registry.py,sha256=ZGR7eComA8CgTk8AaygYVUVfvmkME5cA874zHv31p5E,16137
+iam_validator/core/check_registry.py,sha256=-3MDcJvzN07cyMbi9UTzw_JcPJCcB-tXGl5hKX-Y2ZY,16067
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
-iam_validator/core/config_loader.py,sha256=Pq2rd6LJtEZET0ZeW4hEZS2ZRLC5gNRsKbtLyIsT21I,16516
-iam_validator/core/defaults.py,sha256=v78OA3p4j9FKAB3I_dc7oSA2jooS5FZolExKjB8jCs8,14222
+iam_validator/core/config_loader.py,sha256=qPdRokl8Hdc1t1vX--JQjOC_colgnnq1MrKsGtcW56s,17609
 iam_validator/core/models.py,sha256=8v-b8Z8PFqpbdEpkZZ33kuZ_5D81Z2lIHzlFLu3i5mE,11094
 iam_validator/core/policy_checks.py,sha256=zmA1GupD5jE1avCdaYLdZ7WA7CVG0CWjmgkd_2F-p7A,26429
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
 iam_validator/core/pr_commenter.py,sha256=7wt1q1rQE3bozNfrynWaE2RVkyRxu4CUNKX7u1_Ii1c,11593
 iam_validator/core/report.py,sha256=Yeh_u9jQvTyDV3ignyPcWEQVfFcxNZNrxf4T0fjeWb4,33283
+iam_validator/core/config/__init__.py,sha256=e9Dh-NtUtW6-Kk_RwLiOzLn8X09E4_VqgNp0Cuva7y0,2655
+iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
+iam_validator/core/config/condition_requirements.py,sha256=45HITvpClti453CgrMLlV1AwoZVUbSTVVhflaxapJTM,17021
+iam_validator/core/config/defaults.py,sha256=_GcVnGkMMqqG1OCxQy4lsS5pM7rDD3phXHTq1w3ECJU,19334
+iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
+iam_validator/core/config/sensitive_actions.py,sha256=J03x_Y3z2gqU4QmeQF2iDWEZfeWKoNls1qL2VgtwtOU,4464
+iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
+iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
 iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
 iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
-iam_validator/core/formatters/enhanced.py,sha256=-W9JACV4FNVWoWtfVxXLla4d__Gg96SASbNAijpJnT0,16638
+iam_validator/core/formatters/enhanced.py,sha256=S0UgYKFOgILfOqwnBC8-WFab3F1CiEko33g0nbaswtk,17085
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
 iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
-iam_validator/core/formatters/sarif.py,sha256=tqp8g7RmUh0HRk-kKDaucx4sa-5I9ikgkSpy1MM8Vi4,7200
+iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.4.0.dist-info/METADATA,sha256=t6f_kBNQKHBCcCzujENPo0EVJVQbTtO6xM9SxdVOsj4,34002
-iam_policy_validator-1.4.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.4.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.4.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.4.0.dist-info/RECORD,,
+iam_policy_validator-1.5.0.dist-info/METADATA,sha256=D5TTVNQDeankIcLYRBT_UzysyZgWTZtaHzby0CHH_Vc,34222
+iam_policy_validator-1.5.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.5.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.5.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.5.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.4.0"
+__version__ = "1.5.0"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/__init__.py

@@ -5,23 +5,33 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
-from iam_validator.checks.action_resource_constraint import ActionResourceConstraintCheck
+from iam_validator.checks.action_resource_constraint import (
+    ActionResourceConstraintCheck,
+)
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
+from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
 from iam_validator.checks.resource_validation import ResourceValidationCheck
-from iam_validator.checks.security_best_practices import SecurityBestPracticesCheck
+from iam_validator.checks.sensitive_action import SensitiveActionCheck
+from iam_validator.checks.service_wildcard import ServiceWildcardCheck
 from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
+from iam_validator.checks.wildcard_action import WildcardActionCheck
+from iam_validator.checks.wildcard_resource import WildcardResourceCheck
 
 __all__ = [
     "ActionConditionEnforcementCheck",
     "ActionResourceConstraintCheck",
     "ActionValidationCheck",
     "ConditionKeyValidationCheck",
+    "FullWildcardCheck",
     "PolicySizeCheck",
     "PrincipalValidationCheck",
     "ResourceValidationCheck",
-    "SecurityBestPracticesCheck",
+    "SensitiveActionCheck",
+    "ServiceWildcardCheck",
     "SidUniquenessCheck",
+    "WildcardActionCheck",
+    "WildcardResourceCheck",
 ]

iam_validator/checks/action_condition_enforcement.py

@@ -607,10 +607,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_required_condition",
-            message=(
-                f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'. "
-                f"{description}"
-            ),
+            message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
             action=", ".join(matching_actions),
             condition_key=condition_key,
             suggestion=self._build_suggestion(
@@ -707,8 +704,6 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         )
         if expected_value is not None:
             message += f" with value '{expected_value}'"
-        if description:
-            message += f". {description}"
 
         suggestion = f"Remove the '{condition_key}' condition from the statement"
         if description:

iam_validator/checks/condition_key_validation.py

@@ -34,6 +34,9 @@ class ConditionKeyValidationCheck(PolicyCheck):
         if not statement.condition:
             return issues
 
+        # Check if global condition key warnings are enabled (default: True)
+        warn_on_global_keys = config.config.get("warn_on_global_condition_keys", True)
+
         statement_sid = statement.sid
         line_number = statement.line_number
         actions = statement.get_actions()
@@ -47,7 +50,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
                     if action == "*":
                         continue
 
-                    is_valid, error_msg = await fetcher.validate_condition_key(
+                    is_valid, error_msg, warning_msg = await fetcher.validate_condition_key(
                         action, condition_key
                     )
 
@@ -66,5 +69,22 @@ class ConditionKeyValidationCheck(PolicyCheck):
                         )
                         # Only report once per condition key (not per action)
                         break
+                    elif warning_msg and warn_on_global_keys:
+                        # Add warning for global condition keys with action-specific keys
+                        # Only if warn_on_global_condition_keys is enabled
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="global_condition_key_with_action_specific",
+                                message=warning_msg,
+                                action=action,
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+                        # Only report once per condition key (not per action)
+                        break
 
         return issues

iam_validator/checks/full_wildcard.py

@@ -0,0 +1,67 @@
+"""Full wildcard check - detects Action: '*' AND Resource: '*' together (critical security risk)."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class FullWildcardCheck(PolicyCheck):
+    """Checks for both Action: '*' AND Resource: '*' which grants full administrative access."""
+
+    @property
+    def check_id(self) -> str:
+        return "full_wildcard"
+
+    @property
+    def description(self) -> str:
+        return "Checks for both action and resource wildcards together (critical risk)"
+
+    @property
+    def default_severity(self) -> str:
+        return "critical"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute full wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+
+        # Check for both wildcards together (CRITICAL)
+        if "*" in actions and "*" in resources:
+            message = config.config.get(
+                "message",
+                "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+            )
+            suggestion_text = config.config.get(
+                "suggestion",
+                "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
+            )
+            example = config.config.get("example", "")
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="security_risk",
+                    message=message,
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues