iam-policy-validator 1.4.0__py3-none-any.whl → 1.5.0__py3-none-any.whl

iam_validator/checks/sensitive_action.py

@@ -0,0 +1,178 @@
+"""Sensitive action check - detects sensitive actions without IAM conditions."""
+
+from typing import TYPE_CHECKING
+
+from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
+from iam_validator.checks.utils.sensitive_action_matcher import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    check_sensitive_actions,
+)
+from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
+
+class SensitiveActionCheck(PolicyCheck):
+    """Checks for sensitive actions without IAM conditions to limit their use."""
+
+    @property
+    def check_id(self) -> str:
+        return "sensitive_action"
+
+    @property
+    def description(self) -> str:
+        return "Checks for sensitive actions without conditions"
+
+    @property
+    def default_severity(self) -> str:
+        return "medium"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute sensitive action check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        has_conditions = statement.condition is not None and len(statement.condition) > 0
+
+        # Expand wildcards to actual actions using AWS API
+        expanded_actions = await expand_wildcard_actions(actions, fetcher)
+
+        # Check if sensitive actions match using any_of/all_of logic
+        is_sensitive, matched_actions = check_sensitive_actions(
+            expanded_actions, config, DEFAULT_SENSITIVE_ACTIONS
+        )
+
+        if is_sensitive and not has_conditions:
+            # Create appropriate message based on matched actions using configurable templates
+            if len(matched_actions) == 1:
+                message_template = config.config.get(
+                    "message_single",
+                    "Sensitive action '{action}' should have conditions to limit when it can be used",
+                )
+                message = message_template.format(action=matched_actions[0])
+            else:
+                action_list = "', '".join(matched_actions)
+                message_template = config.config.get(
+                    "message_multiple",
+                    "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                )
+                message = message_template.format(actions=action_list)
+
+            suggestion_text = config.config.get(
+                "suggestion",
+                "Add IAM conditions to limit when this action can be used. Consider: ABAC (ResourceTag OR RequestTag matching ${aws:PrincipalTag}), IP restrictions (aws:SourceIp), MFA requirements (aws:MultiFactorAuthPresent), or time-based restrictions (aws:CurrentTime)",
+            )
+            example = config.config.get("example", "")
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="missing_condition",
+                    message=message,
+                    action=(matched_actions[0] if len(matched_actions) == 1 else None),
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues
+
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """
+        Execute policy-level sensitive action checks.
+
+        This method examines the entire policy to detect privilege escalation patterns
+        and other security issues that span multiple statements.
+
+        Args:
+            policy: The complete IAM policy to check
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher for validation against AWS APIs
+            config: Configuration for this check instance
+
+        Returns:
+            List of ValidationIssue objects found by this check
+        """
+        del policy_file, fetcher  # Not used in current implementation
+        issues = []
+
+        # Collect all actions from all Allow statements across the entire policy
+        all_actions: set[str] = set()
+        statement_map: dict[
+            str, list[tuple[int, str | None]]
+        ] = {}  # action -> [(stmt_idx, sid), ...]
+
+        for idx, statement in enumerate(policy.statement):
+            if statement.effect == "Allow":
+                actions = statement.get_actions()
+                # Filter out wildcards for privilege escalation detection
+                filtered_actions = [a for a in actions if a != "*"]
+
+                for action in filtered_actions:
+                    all_actions.add(action)
+                    if action not in statement_map:
+                        statement_map[action] = []
+                    statement_map[action].append((idx, statement.sid))
+
+        # Get configuration for sensitive actions
+        sensitive_actions_config = config.config.get("sensitive_actions")
+        sensitive_patterns_config = config.config.get("sensitive_action_patterns")
+
+        # Check for privilege escalation patterns using all_of logic
+        # We need to check both exact actions and patterns
+        policy_issues = []
+
+        # Check sensitive_actions configuration
+        if sensitive_actions_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_actions_config,
+                    config,
+                    "actions",
+                    self.get_severity,
+                )
+            )
+
+        # Check sensitive_action_patterns configuration
+        if sensitive_patterns_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_patterns_config,
+                    config,
+                    "patterns",
+                    self.get_severity,
+                )
+            )
+
+        issues.extend(policy_issues)
+        return issues

iam_validator/checks/service_wildcard.py

@@ -0,0 +1,105 @@
+"""Service wildcard check - detects service-level wildcards like 'iam:*', 's3:*'."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ServiceWildcardCheck(PolicyCheck):
+    """Checks for service-level wildcards (e.g., 'iam:*', 's3:*') which grant all permissions for a service."""
+
+    @property
+    def check_id(self) -> str:
+        return "service_wildcard"
+
+    @property
+    def description(self) -> str:
+        return "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
+
+    @property
+    def default_severity(self) -> str:
+        return "high"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute service wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        allowed_services = self._get_allowed_service_wildcards(config)
+
+        for action in actions:
+            # Skip full wildcard (covered by wildcard_action check)
+            if action == "*":
+                continue
+
+            # Check if it's a service-level wildcard (e.g., "iam:*", "s3:*")
+            if ":" in action and action.endswith(":*"):
+                service = action.split(":")[0]
+
+                # Check if this service is in the allowed list
+                if service not in allowed_services:
+                    # Get message template and replace placeholders
+                    message_template = config.config.get(
+                        "message",
+                        "Service-level wildcard '{action}' grants all permissions for {service} service",
+                    )
+                    suggestion_template = config.config.get(
+                        "suggestion",
+                        "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                    )
+                    example_template = config.config.get("example", "")
+
+                    message = message_template.format(action=action, service=service)
+                    suggestion_text = suggestion_template.format(action=action, service=service)
+                    example = (
+                        example_template.format(action=action, service=service)
+                        if example_template
+                        else ""
+                    )
+
+                    # Combine suggestion + example
+                    suggestion = (
+                        f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                    )
+
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            statement_sid=statement.sid,
+                            statement_index=statement_idx,
+                            issue_type="overly_permissive",
+                            message=message,
+                            action=action,
+                            suggestion=suggestion,
+                            line_number=statement.line_number,
+                        )
+                    )
+
+        return issues
+
+    def _get_allowed_service_wildcards(self, config: CheckConfig) -> set[str]:
+        """
+        Get list of services that are allowed to use service-level wildcards.
+
+        This allows configuration like:
+          service_wildcard:
+            allowed_services:
+              - "logs"        # Allow "logs:*"
+              - "cloudwatch"  # Allow "cloudwatch:*"
+
+        Returns empty set if no exceptions are configured.
+        """
+        allowed = config.config.get("allowed_services", [])
+        if allowed and isinstance(allowed, list):
+            return set(allowed)
+        return set()

iam_validator/checks/utils/sensitive_action_matcher.py

@@ -2,6 +2,11 @@
 
 This module provides functionality to match actions against sensitive action
 configurations, supporting exact matches, regex patterns, and any_of/all_of logic.
+
+Performance optimizations:
+- Uses frozenset for O(1) lookups
+- LRU cache for compiled regex patterns
+- Lazy loading of default actions from modular data structure
 """
 
 import re
@@ -9,30 +14,32 @@ from functools import lru_cache
 from re import Pattern
 
 from iam_validator.core.check_registry import CheckConfig
+from iam_validator.core.config.sensitive_actions import get_sensitive_actions
+
+# Lazy-loaded default set of sensitive actions
+# This will be loaded only when first accessed
+_DEFAULT_SENSITIVE_ACTIONS_CACHE: frozenset[str] | None = None
+
+
+def _get_default_sensitive_actions() -> frozenset[str]:
+    """
+    Get default sensitive actions with lazy loading and caching.
 
-# Default set of sensitive actions for backward compatibility
-# Using frozenset for O(1) lookups and immutability
-DEFAULT_SENSITIVE_ACTIONS = frozenset(
-    {
-        "ec2:DeleteVolume",
-        "ec2:TerminateInstances",
-        "eks:DeleteCluster",
-        "iam:AttachRolePolicy",
-        "iam:AttachUserPolicy",
-        "iam:CreateAccessKey",
-        "iam:CreateRole",
-        "iam:CreateUser",
-        "iam:DeleteRole",
-        "iam:DeleteUser",
-        "iam:PutRolePolicy",
-        "iam:PutUserPolicy",
-        "lambda:DeleteFunction",
-        "rds:DeleteDBInstance",
-        "s3:DeleteBucket",
-        "s3:DeleteBucketPolicy",
-        "s3:PutBucketPolicy",
-    }
-)
+    Returns:
+        Frozenset of all default sensitive actions
+
+    Performance:
+        - First call: Loads from sensitive actions list
+        - Subsequent calls: O(1) cached lookup
+    """
+    global _DEFAULT_SENSITIVE_ACTIONS_CACHE
+    if _DEFAULT_SENSITIVE_ACTIONS_CACHE is None:
+        _DEFAULT_SENSITIVE_ACTIONS_CACHE = get_sensitive_actions()
+    return _DEFAULT_SENSITIVE_ACTIONS_CACHE
+
+
+# Export for backward compatibility
+DEFAULT_SENSITIVE_ACTIONS = _get_default_sensitive_actions()
 
 
 # Global regex pattern cache for performance
@@ -61,15 +68,19 @@ def check_sensitive_actions(
     Args:
         actions: List of actions to check
         config: Check configuration
-        default_actions: Default sensitive actions to use if no config (defaults to DEFAULT_SENSITIVE_ACTIONS)
+        default_actions: Default sensitive actions to use if no config (lazy-loaded)
 
     Returns:
         tuple[bool, list[str]]: (is_sensitive, matched_actions)
             - is_sensitive: True if the actions match the sensitive criteria
             - matched_actions: List of actions that matched the criteria
+
+    Performance:
+        - Uses lazy-loaded defaults (only loaded on first use)
+        - O(1) frozenset lookups for action matching
     """
     if default_actions is None:
-        default_actions = DEFAULT_SENSITIVE_ACTIONS
+        default_actions = _get_default_sensitive_actions()
 
     # Filter out wildcards
     filtered_actions = [a for a in actions if a != "*"]
@@ -77,12 +88,9 @@ def check_sensitive_actions(
         return False, []
 
     # Get configuration for both sensitive_actions and sensitive_action_patterns
-    sub_check_config = config.config.get("sensitive_action_check", {})
-    if not isinstance(sub_check_config, dict):
-        return False, []
-
-    sensitive_actions_config = sub_check_config.get("sensitive_actions")
-    sensitive_patterns_config = sub_check_config.get("sensitive_action_patterns")
+    # Config is now flat (no longer nested under sensitive_action_check)
+    sensitive_actions_config = config.config.get("sensitive_actions")
+    sensitive_patterns_config = config.config.get("sensitive_action_patterns")
 
     # Check sensitive_actions (exact matches)
     actions_match, actions_matched = check_actions_config(

iam_validator/checks/wildcard_action.py

@@ -0,0 +1,62 @@
+"""Wildcard action check - detects Action: '*' in IAM policies."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class WildcardActionCheck(PolicyCheck):
+    """Checks for wildcard actions (Action: '*') which grant all permissions."""
+
+    @property
+    def check_id(self) -> str:
+        return "wildcard_action"
+
+    @property
+    def description(self) -> str:
+        return "Checks for wildcard actions (*)"
+
+    @property
+    def default_severity(self) -> str:
+        return "medium"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute wildcard action check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+
+        # Check for wildcard action (Action: "*")
+        if "*" in actions:
+            message = config.config.get("message", "Statement allows all actions (*)")
+            suggestion_text = config.config.get(
+                "suggestion", "Replace wildcard with specific actions needed for your use case"
+            )
+            example = config.config.get("example", "")
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="overly_permissive",
+                    message=message,
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues

iam_validator/checks/wildcard_resource.py

@@ -0,0 +1,131 @@
+"""Wildcard resource check - detects Resource: '*' in IAM policies."""
+
+from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class WildcardResourceCheck(PolicyCheck):
+    """Checks for wildcard resources (Resource: '*') which grant access to all resources."""
+
+    @property
+    def check_id(self) -> str:
+        return "wildcard_resource"
+
+    @property
+    def description(self) -> str:
+        return "Checks for wildcard resources (*)"
+
+    @property
+    def default_severity(self) -> str:
+        return "medium"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute wildcard resource check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+
+        # Check for wildcard resource (Resource: "*")
+        if "*" in resources:
+            # Check if all actions are in the allowed_wildcards list
+            # allowed_wildcards works by expanding wildcard patterns (like "ec2:Describe*")
+            # to all matching AWS actions using the AWS API, then checking if the policy's
+            # actions are in that expanded list. This ensures only validated AWS actions
+            # are allowed with Resource: "*".
+            allowed_wildcards_expanded = await self._get_expanded_allowed_wildcards(config, fetcher)
+
+            # Check if ALL actions (excluding full wildcard "*") are in the expanded list
+            non_wildcard_actions = [a for a in actions if a != "*"]
+
+            if allowed_wildcards_expanded and non_wildcard_actions:
+                # Check if all actions are in the expanded allowed list (exact match)
+                all_actions_allowed = all(
+                    action in allowed_wildcards_expanded for action in non_wildcard_actions
+                )
+
+                # If all actions are in the expanded list, skip the wildcard resource warning
+                if all_actions_allowed:
+                    # All actions are safe, Resource: "*" is acceptable
+                    return issues
+
+            # Flag the issue if actions are not all allowed or no allowed_wildcards configured
+            message = config.config.get("message", "Statement applies to all resources (*)")
+            suggestion_text = config.config.get(
+                "suggestion", "Replace wildcard with specific resource ARNs"
+            )
+            example = config.config.get("example", "")
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="overly_permissive",
+                    message=message,
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues
+
+    async def _get_expanded_allowed_wildcards(
+        self, config: CheckConfig, fetcher: AWSServiceFetcher
+    ) -> frozenset[str]:
+        """Get and expand allowed_wildcards configuration.
+
+        This method retrieves wildcard patterns from the allowed_wildcards config
+        and expands them using the AWS API to get all matching actual AWS actions.
+
+        How it works:
+        1. Retrieves patterns from config (e.g., ["ec2:Describe*", "s3:List*"])
+        2. Expands each pattern using AWS API:
+           - "ec2:Describe*" → ["ec2:DescribeInstances", "ec2:DescribeImages", ...]
+           - "s3:List*" → ["s3:ListBucket", "s3:ListObjects", ...]
+        3. Returns a set of all expanded actions
+
+        This allows you to:
+        - Specify patterns like "ec2:Describe*" in config
+        - Have the validator allow specific actions like "ec2:DescribeInstances" with Resource: "*"
+        - Ensure only real AWS actions (validated via API) are allowed
+
+        Example:
+            Config: allowed_wildcards: ["ec2:Describe*"]
+            Expands to: ["ec2:DescribeInstances", "ec2:DescribeImages", ...]
+            Policy: "Action": ["ec2:DescribeInstances"], "Resource": "*"
+            Result: ✅ Allowed (ec2:DescribeInstances is in expanded list)
+
+        Args:
+            config: The check configuration
+            fetcher: AWS service fetcher for expanding wildcards via AWS API
+
+        Returns:
+            A frozenset of all expanded action names from the configured patterns
+        """
+        patterns_to_expand = config.config.get("allowed_wildcards", [])
+
+        # If no patterns configured, return empty set
+        if not patterns_to_expand or not isinstance(patterns_to_expand, list):
+            return frozenset()
+
+        # Expand the wildcard patterns using the AWS API
+        # This converts patterns like "ec2:Describe*" to actual AWS actions
+        expanded_actions = await expand_wildcard_actions(patterns_to_expand, fetcher)
+
+        return frozenset(expanded_actions)

iam_validator/commands/download_services.py

@@ -9,20 +9,15 @@ from pathlib import Path
 
 import httpx
 from rich.console import Console
-from rich.progress import (
-    BarColumn,
-    Progress,
-    TaskID,
-    TextColumn,
-    TimeRemainingColumn,
-)
+from rich.progress import BarColumn, Progress, TaskID, TextColumn, TimeRemainingColumn
 
 from iam_validator.commands.base import Command
+from iam_validator.core.config import AWS_SERVICE_REFERENCE_BASE_URL
 
 logger = logging.getLogger(__name__)
 console = Console()
 
-BASE_URL = "https://servicereference.us-east-1.amazonaws.com/"
+BASE_URL = AWS_SERVICE_REFERENCE_BASE_URL
 DEFAULT_OUTPUT_DIR = Path("aws_services")
 
 

iam_validator/commands/validate.py

@@ -166,6 +166,18 @@ Examples:
             help="Number of policies to process per batch (default: 10, only with --stream)",
         )
 
+        parser.add_argument(
+            "--no-summary",
+            action="store_true",
+            help="Hide Executive Summary section in enhanced format output",
+        )
+
+        parser.add_argument(
+            "--no-severity-breakdown",
+            action="store_true",
+            help="Hide Issue Severity Breakdown section in enhanced format output",
+        )
+
     async def execute(self, args: argparse.Namespace) -> int:
         """Execute the validate command."""
         # Check if streaming mode is enabled
@@ -229,7 +241,14 @@ Examples:
                 print(generator.generate_github_comment(report))
         else:
             # Use formatter registry for other formats (enhanced, html, csv, sarif)
-            output_content = generator.format_report(report, args.format)
+            # Pass options for enhanced format
+            format_options = {}
+            if args.format == "enhanced":
+                format_options["show_summary"] = not getattr(args, "no_summary", False)
+                format_options["show_severity_breakdown"] = not getattr(
+                    args, "no_severity_breakdown", False
+                )
+            output_content = generator.format_report(report, args.format, **format_options)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:
                     f.write(output_content)
@@ -348,7 +367,14 @@ Examples:
                 print(generator.generate_github_comment(report))
         else:
             # Use formatter registry for other formats (enhanced, html, csv, sarif)
-            output_content = generator.format_report(report, args.format)
+            # Pass options for enhanced format
+            format_options = {}
+            if args.format == "enhanced":
+                format_options["show_summary"] = not getattr(args, "no_summary", False)
+                format_options["show_severity_breakdown"] = not getattr(
+                    args, "no_severity_breakdown", False
+                )
+            output_content = generator.format_report(report, args.format, **format_options)
             if args.output:
                 with open(args.output, "w", encoding="utf-8") as f:
                     f.write(output_content)