PyPI - iam-policy-validator - Versions diffs - 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl - Mend

iam-policy-validator 1.4.0py3-none-any.whl → 1.5.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/METADATA +18 -19
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/RECORD +31 -20
iam_validator/__version__.py +1 -1
iam_validator/checks/__init__.py +13 -3
iam_validator/checks/action_condition_enforcement.py +1 -6
iam_validator/checks/condition_key_validation.py +21 -1
iam_validator/checks/full_wildcard.py +67 -0
iam_validator/checks/principal_validation.py +497 -3
iam_validator/checks/sensitive_action.py +178 -0
iam_validator/checks/service_wildcard.py +105 -0
iam_validator/checks/utils/sensitive_action_matcher.py +39 -31
iam_validator/checks/wildcard_action.py +62 -0
iam_validator/checks/wildcard_resource.py +131 -0
iam_validator/commands/download_services.py +3 -8
iam_validator/commands/validate.py +28 -2
iam_validator/core/aws_fetcher.py +25 -12
iam_validator/core/check_registry.py +15 -21
iam_validator/core/config/__init__.py +83 -0
iam_validator/core/config/aws_api.py +35 -0
iam_validator/core/config/condition_requirements.py +535 -0
iam_validator/core/config/defaults.py +390 -0
iam_validator/core/config/principal_requirements.py +421 -0
iam_validator/core/config/sensitive_actions.py +133 -0
iam_validator/core/config/service_principals.py +95 -0
iam_validator/core/config/wildcards.py +124 -0
iam_validator/core/config_loader.py +29 -9
iam_validator/core/formatters/enhanced.py +11 -5
iam_validator/core/formatters/sarif.py +78 -14
iam_validator/checks/security_best_practices.py +0 -536
iam_validator/core/defaults.py +0 -393
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/entry_points.txt +0 -0
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/licenses/LICENSE +0 -0

iam_validator/core/defaults.py DELETED Viewed

@@ -1,393 +0,0 @@
-"""
-Default configuration for IAM Policy Validator.
-This module contains the default configuration that is used when no user
-configuration file is provided. User configuration files will override
-these defaults.
-This configuration is synced with the default-config.yaml file.
-"""
-# ============================================================================
-# SEVERITY LEVELS
-# ============================================================================
-# The validator uses two types of severity levels:
-#
-# 1. IAM VALIDITY SEVERITIES (for AWS IAM policy correctness):
-#    - error:   Policy violates AWS IAM rules (invalid actions, ARNs, etc.)
-#    - warning: Policy may have IAM-related issues but is technically valid
-#    - info:    Informational messages about the policy structure
-#
-# 2. SECURITY SEVERITIES (for security best practices):
-#    - critical: Critical security risk (e.g., wildcard action + resource)
-#    - high:     High security risk (e.g., missing required conditions)
-#    - medium:   Medium security risk (e.g., overly permissive wildcards)
-#    - low:      Low security risk (e.g., minor best practice violations)
-#
-# Use 'error' for policy validity issues, and 'critical/high/medium/low' for
-# security best practices. This distinction helps separate "broken policies"
-# from "insecure but valid policies".
-# ============================================================================
-# Default configuration dictionary
-DEFAULT_CONFIG = {
-    "settings": {
-        "fail_fast": False,
-        "max_concurrent": 10,
-        "enable_builtin_checks": True,
-        "parallel_execution": True,
-        "aws_services_dir": None,
-        "cache_enabled": True,
-        "cache_ttl_hours": 168,
-        "fail_on_severity": ["error", "critical", "high"],
-    },
-    "sid_uniqueness_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements",
-    },
-    "policy_size_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that IAM policies don't exceed AWS size limits",
-        "policy_type": "managed",
-    },
-    "action_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that actions exist in AWS services",
-    },
-    "condition_key_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates condition keys against AWS service definitions for specified actions",
-        "validate_aws_global_keys": True,
-    },
-    "resource_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates ARN format for resources",
-        "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
-    },
-    "principal_validation_check": {
-        "enabled": True,
-        "severity": "high",
-        "description": "Validates Principal elements in resource policies for security best practices",
-        "blocked_principals": ["*"],
-        "allowed_principals": [],
-        "require_conditions_for": {
-            "*": ["aws:SourceArn", "aws:SourceAccount"],
-        },
-        "allowed_service_principals": [
-            "cloudfront.amazonaws.com",
-            "s3.amazonaws.com",
-            "sns.amazonaws.com",
-            "lambda.amazonaws.com",
-            "logs.amazonaws.com",
-            "events.amazonaws.com",
-        ],
-    },
-    "action_resource_constraint_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that actions without required resource types use Resource: '*'",
-    },
-    "security_best_practices_check": {
-        "enabled": True,
-        "description": "Checks for common security anti-patterns",
-        "allowed_wildcards": [
-            "autoscaling:Describe*",
-            "cloudwatch:Describe*",
-            "cloudwatch:Get*",
-            "cloudwatch:List*",
-            "dynamodb:Describe*",
-            "ec2:Describe*",
-            "elasticloadbalancing:Describe*",
-            "iam:Get*",
-            "iam:List*",
-            "kms:Describe*",
-            "lambda:Get*",
-            "lambda:List*",
-            "logs:Describe*",
-            "logs:Filter*",
-            "logs:Get*",
-            "rds:Describe*",
-            "route53:Get*",
-            "route53:List*",
-            "s3:Describe*",
-            "s3:GetBucket*",
-            "s3:GetM*",
-            "s3:List*",
-            "sqs:Get*",
-            "sqs:List*",
-            "apigateway:GET",
-        ],
-        "wildcard_action_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message": "Statement allows all actions (*)",
-            "suggestion": "Replace wildcard with specific actions needed for your use case",
-            "example": """Replace:
-  "Action": ["*"]
-With specific actions:
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject",
-    "s3:ListBucket"
-  ]
-""",
-        },
-        "wildcard_resource_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message": "Statement applies to all resources (*)",
-            "suggestion": "Replace wildcard with specific resource ARNs",
-            "example": """Replace:
-  "Resource": "*"
-With specific ARNs:
-  "Resource": [
-    "arn:aws:service:region:account-id:resource-type/resource-id",
-    "arn:aws:service:region:account-id:resource-type/*"
-  ]
-""",
-        },
-        "full_wildcard_check": {
-            "enabled": True,
-            "severity": "critical",
-            "message": "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
-            "suggestion": "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
-            "example": """Replace:
-  "Action": "*",
-  "Resource": "*"
-With specific values:
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject"
-  ],
-  "Resource": [
-    "arn:aws:s3:::my-bucket/*"
-  ]
-""",
-        },
-        "service_wildcard_check": {
-            "enabled": True,
-            "severity": "high",
-            "allowed_services": ["logs", "cloudwatch", "xray"],
-        },
-        "sensitive_action_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message_single": "Sensitive action '{action}' should have conditions to limit when it can be used",
-            "message_multiple": "Sensitive actions '{actions}' should have conditions to limit when they can be used",
-            "suggestion": "Add IAM conditions to limit when this action can be used. Consider: ABAC (ResourceTag OR RequestTag must match PrincipalTag), IP restrictions (aws:SourceIp), MFA requirements (aws:MultiFactorAuthPresent), or time-based restrictions (aws:CurrentTime)",
-            "example": """"Condition": {
-  "StringEquals": {
-    "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
-  }
-}
-""",
-            "sensitive_actions": [
-                "iam:AddClientIDToOpenIDConnectProvider",
-                "iam:AttachRolePolicy",
-                "iam:AttachUserPolicy",
-                "iam:CreateAccessKey",
-                "iam:CreateOpenIDConnectProvider",
-                "iam:CreatePolicyVersion",
-                "iam:CreateRole",
-                "iam:CreateSAMLProvider",
-                "iam:CreateUser",
-                "iam:DeleteAccessKey",
-                "iam:DeleteLoginProfile",
-                "iam:DeleteOpenIDConnectProvider",
-                "iam:DeleteRole",
-                "iam:DeleteRolePolicy",
-                "iam:DeleteSAMLProvider",
-                "iam:DeleteUser",
-                "iam:DeleteUserPolicy",
-                "iam:DetachRolePolicy",
-                "iam:DetachUserPolicy",
-                "iam:PutRolePolicy",
-                "iam:PutUserPolicy",
-                "iam:SetDefaultPolicyVersion",
-                "iam:UpdateAccessKey",
-                "iam:UpdateAssumeRolePolicy",
-                "kms:DisableKey",
-                "kms:PutKeyPolicy",
-                "kms:ScheduleKeyDeletion",
-                "secretsmanager:DeleteSecret",
-                "secretsmanager:GetSecretValue",
-                "secretsmanager:PutSecretValue",
-                "ssm:DeleteParameter",
-                "ssm:PutParameter",
-                "ec2:DeleteSnapshot",
-                "ec2:DeleteVolume",
-                "ec2:DeleteVpc",
-                "ec2:ModifyInstanceAttribute",
-                "ec2:TerminateInstances",
-                "ecr:DeleteRepository",
-                "ecs:DeleteCluster",
-                "ecs:DeleteService",
-                "eks:DeleteCluster",
-                "lambda:DeleteFunction",
-                "lambda:DeleteFunctionConcurrency",
-                "lambda:PutFunctionConcurrency",
-                "dynamodb:DeleteTable",
-                "efs:DeleteFileSystem",
-                "elasticache:DeleteCacheCluster",
-                "fsx:DeleteFileSystem",
-                "rds:DeleteDBCluster",
-                "rds:DeleteDBInstance",
-                "redshift:DeleteCluster",
-                "backup:DeleteBackupVault",
-                "glacier:DeleteArchive",
-                "s3:DeleteBucket",
-                "s3:DeleteBucketPolicy",
-                "s3:DeleteObject",
-                "s3:PutBucketPolicy",
-                "s3:PutLifecycleConfiguration",
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:DeleteSecurityGroup",
-                "ec2:DisassociateRouteTable",
-                "ec2:RevokeSecurityGroupEgress",
-                "cloudtrail:DeleteTrail",
-                "cloudtrail:StopLogging",
-                "cloudwatch:DeleteLogGroup",
-                "config:DeleteConfigurationRecorder",
-                "guardduty:DeleteDetector",
-                "account:CloseAccount",
-                "account:CreateAccount",
-                "organizations:LeaveOrganization",
-                "organizations:RemoveAccountFromOrganization",
-            ],
-        },
-    },
-    "action_condition_enforcement_check": {
-        "enabled": True,
-        "severity": "high",
-        "description": "Enforce specific IAM condition requirements (unified: MFA, IP, tags, etc.)",
-        "action_condition_requirements": [
-            {
-                "actions": ["iam:PassRole"],
-                "severity": "high",
-                "required_conditions": [
-                    {
-                        "condition_key": "iam:PassedToService",
-                        "description": "Specify which AWS services are allowed to use the passed role to prevent privilege escalation",
-                        "example": """"Condition": {
-  "StringEquals": {
-    "iam:PassedToService": [
-      "lambda.amazonaws.com",
-      "ecs-tasks.amazonaws.com",
-      "ec2.amazonaws.com",
-      "glue.amazonaws.com",
-      "lambda.amazonaws.com"
-    ]
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": [
-                    "iam:CreateRole",
-                    "iam:PutRolePolicy*",
-                    "iam:PutUserPolicy",
-                    "iam:PutRolePolicy",
-                    "iam:Attach*Policy*",
-                    "iam:AttachUserPolicy",
-                    "iam:AttachRolePolicy",
-                ],
-                "severity": "high",
-                "required_conditions": [
-                    {
-                        "condition_key": "iam:PermissionsBoundary",
-                        "description": "Require permissions boundary for sensitive IAM operations to prevent privilege escalation",
-                        "expected_value": "arn:aws:iam::*:policy/DeveloperBoundary",
-                        "example": """# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
-"Condition": {
-  "StringEquals": {
-    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": ["s3:PutObject"],
-                "severity": "medium",
-                "required_conditions": [
-                    {
-                        "condition_key": "aws:ResourceOrgId",
-                        "description": "Require aws:ResourceOrgId condition for S3 write actions to enforce organization-level access control",
-                        "example": """"Condition": {
-  "StringEquals": {
-    "aws:ResourceOrgId": "${aws:PrincipalOrgID}"
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "action_patterns": [
-                    "^ssm:StartSession$",
-                    "^ssm:Run.*$",
-                    "^s3:GetObject$",
-                    "^rds-db:Connect$",
-                ],
-                "severity": "low",
-                "required_conditions": [
-                    {
-                        "condition_key": "aws:SourceIp",
-                        "description": "Restrict access to corporate IP ranges",
-                        "example": """"Condition": {
-  "IpAddress": {
-    "aws:SourceIp": [
-      "10.0.0.0/8",
-      "172.16.0.0/12"
-    ]
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": ["s3:GetObject", "s3:PutObject"],
-                "required_conditions": {
-                    "none_of": [
-                        {
-                            "condition_key": "aws:SecureTransport",
-                            "expected_value": False,
-                            "description": "Never allow insecure transport to be explicitly permitted",
-                            "example": """# Set this condition to true to enforce secure transport or remove it entirely
-"Condition": {
-  "Bool": {
-    "aws:SecureTransport": "true"
-  }
-}
-""",
-                        },
-                    ],
-                },
-            },
-        ],
-    },
-}
-def get_default_config() -> dict:
-    """
-    Get a deep copy of the default configuration.
-    Returns:
-        A deep copy of the default configuration dictionary
-    """
-    import copy
-    return copy.deepcopy(DEFAULT_CONFIG)

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.5.0.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

iam-policy-validator 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

iam-policy-validator 1.4.0py3-none-any.whl → 1.5.0py3-none-any.whl