PyPI - iam-policy-validator - Versions diffs - 1.4.0__py3-none-any.whl → 1.6.0__py3-none-any.whl - Mend

iam-policy-validator 1.4.0py3-none-any.whl → 1.6.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/METADATA +106 -78
iam_policy_validator-1.6.0.dist-info/RECORD +82 -0
iam_validator/__version__.py +1 -1
iam_validator/checks/__init__.py +20 -4
iam_validator/checks/action_condition_enforcement.py +165 -8
iam_validator/checks/action_resource_matching.py +424 -0
iam_validator/checks/condition_key_validation.py +24 -2
iam_validator/checks/condition_type_mismatch.py +259 -0
iam_validator/checks/full_wildcard.py +67 -0
iam_validator/checks/mfa_condition_check.py +112 -0
iam_validator/checks/principal_validation.py +497 -3
iam_validator/checks/sensitive_action.py +250 -0
iam_validator/checks/service_wildcard.py +105 -0
iam_validator/checks/set_operator_validation.py +157 -0
iam_validator/checks/utils/sensitive_action_matcher.py +74 -32
iam_validator/checks/wildcard_action.py +62 -0
iam_validator/checks/wildcard_resource.py +131 -0
iam_validator/commands/cache.py +1 -1
iam_validator/commands/download_services.py +3 -8
iam_validator/commands/validate.py +72 -13
iam_validator/core/aws_fetcher.py +114 -64
iam_validator/core/check_registry.py +167 -29
iam_validator/core/condition_validators.py +626 -0
iam_validator/core/config/__init__.py +81 -0
iam_validator/core/config/aws_api.py +35 -0
iam_validator/core/config/aws_global_conditions.py +160 -0
iam_validator/core/config/category_suggestions.py +104 -0
iam_validator/core/config/condition_requirements.py +155 -0
iam_validator/core/{config_loader.py → config/config_loader.py} +32 -9
iam_validator/core/config/defaults.py +523 -0
iam_validator/core/config/principal_requirements.py +421 -0
iam_validator/core/config/sensitive_actions.py +672 -0
iam_validator/core/config/service_principals.py +95 -0
iam_validator/core/config/wildcards.py +124 -0
iam_validator/core/formatters/enhanced.py +11 -5
iam_validator/core/formatters/sarif.py +78 -14
iam_validator/core/models.py +14 -1
iam_validator/core/policy_checks.py +4 -4
iam_validator/core/pr_commenter.py +1 -1
iam_validator/sdk/__init__.py +187 -0
iam_validator/sdk/arn_matching.py +274 -0
iam_validator/sdk/context.py +222 -0
iam_validator/sdk/exceptions.py +48 -0
iam_validator/sdk/helpers.py +177 -0
iam_validator/sdk/policy_utils.py +425 -0
iam_validator/sdk/shortcuts.py +283 -0
iam_validator/utils/__init__.py +31 -0
iam_validator/utils/cache.py +105 -0
iam_validator/utils/regex.py +206 -0
iam_policy_validator-1.4.0.dist-info/RECORD +0 -56
iam_validator/checks/action_resource_constraint.py +0 -151
iam_validator/checks/security_best_practices.py +0 -536
iam_validator/core/aws_global_conditions.py +0 -137
iam_validator/core/defaults.py +0 -393
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/entry_points.txt +0 -0
{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/licenses/LICENSE +0 -0

iam_validator/core/aws_global_conditions.py DELETED Viewed

@@ -1,137 +0,0 @@
-"""
-AWS Global Condition Keys Management.
-Provides access to the list of valid AWS global condition keys
-that can be used across all AWS services.
-Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html
-Last updated: 2025-01-17
-"""
-import re
-from typing import Any
-# AWS Global Condition Keys
-# These condition keys are available for use in IAM policies across all AWS services
-AWS_GLOBAL_CONDITION_KEYS = {
-    # Properties of the Principal
-    "aws:PrincipalArn",  # ARN of the principal making the request
-    "aws:PrincipalAccount",  # Account to which the requesting principal belongs
-    "aws:PrincipalOrgPaths",  # AWS Organizations path for the principal
-    "aws:PrincipalOrgID",  # Organization identifier of the principal
-    "aws:PrincipalIsAWSService",  # Checks if call is made directly by AWS service principal
-    "aws:PrincipalServiceName",  # Service principal name making the request
-    "aws:PrincipalServiceNamesList",  # List of all service principal names
-    "aws:PrincipalType",  # Type of principal making the request
-    "aws:userid",  # Principal identifier of the requester
-    "aws:username",  # User name of the requester
-    # Properties of a Role Session
-    "aws:AssumedRoot",  # Checks if request used AssumeRoot for privileged access
-    "aws:FederatedProvider",  # Principal's issuing identity provider
-    "aws:TokenIssueTime",  # When temporary security credentials were issued
-    "aws:MultiFactorAuthAge",  # Seconds since MFA authorization
-    "aws:MultiFactorAuthPresent",  # Whether MFA was used for temporary credentials
-    "aws:ChatbotSourceArn",  # Source chat configuration ARN
-    "aws:Ec2InstanceSourceVpc",  # VPC where EC2 IAM role credentials were delivered
-    "aws:Ec2InstanceSourcePrivateIPv4",  # Private IPv4 of EC2 instance
-    "aws:SourceIdentity",  # Source identity set when assuming a role
-    "ec2:RoleDelivery",  # Instance metadata service version
-    # Network Properties
-    "aws:SourceIp",  # Requester's IP address (IPv4/IPv6)
-    "aws:SourceVpc",  # VPC through which request travels
-    "aws:SourceVpce",  # VPC endpoint identifier
-    "aws:VpceAccount",  # AWS account owning the VPC endpoint
-    "aws:VpceOrgID",  # Organization ID of VPC endpoint owner
-    "aws:VpceOrgPaths",  # AWS Organizations path of VPC endpoint
-    "aws:VpcSourceIp",  # IP address from VPC endpoint request
-    # Resource Properties
-    "aws:ResourceAccount",  # Resource owner's AWS account ID
-    "aws:ResourceOrgID",  # Organization ID of resource owner
-    "aws:ResourceOrgPaths",  # AWS Organizations path of resource
-    # Request Properties
-    "aws:CurrentTime",  # Current date and time
-    "aws:EpochTime",  # Request timestamp in epoch format
-    "aws:referer",  # HTTP referer header value (note: lowercase 'r')
-    "aws:Referer",  # HTTP referer header value (alternate capitalization)
-    "aws:RequestedRegion",  # AWS Region for the request
-    "aws:TagKeys",  # Tag keys present in request
-    "aws:SecureTransport",  # Whether HTTPS was used
-    "aws:SourceAccount",  # Account making the request
-    "aws:SourceArn",  # ARN of request source
-    "aws:SourceOrgID",  # Organization ID of request source
-    "aws:SourceOrgPaths",  # Organization paths of request source
-    "aws:UserAgent",  # HTTP user agent string
-    # Cross-Service Keys
-    "aws:CalledVia",  # Services called in request chain
-    "aws:CalledViaFirst",  # First service in call chain
-    "aws:CalledViaLast",  # Last service in call chain
-    "aws:ViaAWSService",  # Whether AWS service made the request
-}
-# Patterns that should be recognized (wildcards and tag-based keys)
-# These allow things like aws:RequestTag/Department or aws:PrincipalTag/Environment
-AWS_CONDITION_KEY_PATTERNS = [
-    {
-        "pattern": r"^aws:RequestTag/[a-zA-Z0-9+\-=._:/@]+$",
-        "description": "Tag keys in the request (for tag-based access control)",
-    },
-    {
-        "pattern": r"^aws:ResourceTag/[a-zA-Z0-9+\-=._:/@]+$",
-        "description": "Tags on the resource being accessed",
-    },
-    {
-        "pattern": r"^aws:PrincipalTag/[a-zA-Z0-9+\-=._:/@]+$",
-        "description": "Tags attached to the principal making the request",
-    },
-]
-class AWSGlobalConditions:
-    """Manages AWS global condition keys."""
-    def __init__(self):
-        """Initialize with global condition keys."""
-        self._global_keys: set[str] = AWS_GLOBAL_CONDITION_KEYS.copy()
-        self._patterns: list[dict[str, Any]] = AWS_CONDITION_KEY_PATTERNS.copy()
-    def is_valid_global_key(self, condition_key: str) -> bool:
-        """
-        Check if a condition key is a valid AWS global condition key.
-        Args:
-            condition_key: The condition key to validate (e.g., "aws:SourceIp")
-        Returns:
-            True if valid global condition key, False otherwise
-        """
-        # Check exact matches first
-        if condition_key in self._global_keys:
-            return True
-        # Check patterns (for tags and wildcards)
-        for pattern_config in self._patterns:
-            pattern = pattern_config["pattern"]
-            if re.match(pattern, condition_key):
-                return True
-        return False
-    def get_all_keys(self) -> set[str]:
-        """Get all explicit global condition keys."""
-        return self._global_keys.copy()
-    def get_patterns(self) -> list[dict[str, Any]]:
-        """Get all condition key patterns."""
-        return self._patterns.copy()
-# Singleton instance
-_global_conditions_instance = None
-def get_global_conditions() -> AWSGlobalConditions:
-    """Get singleton instance of AWSGlobalConditions."""
-    global _global_conditions_instance
-    if _global_conditions_instance is None:
-        _global_conditions_instance = AWSGlobalConditions()
-    return _global_conditions_instance

iam_validator/core/defaults.py DELETED Viewed

@@ -1,393 +0,0 @@
-"""
-Default configuration for IAM Policy Validator.
-This module contains the default configuration that is used when no user
-configuration file is provided. User configuration files will override
-these defaults.
-This configuration is synced with the default-config.yaml file.
-"""
-# ============================================================================
-# SEVERITY LEVELS
-# ============================================================================
-# The validator uses two types of severity levels:
-#
-# 1. IAM VALIDITY SEVERITIES (for AWS IAM policy correctness):
-#    - error:   Policy violates AWS IAM rules (invalid actions, ARNs, etc.)
-#    - warning: Policy may have IAM-related issues but is technically valid
-#    - info:    Informational messages about the policy structure
-#
-# 2. SECURITY SEVERITIES (for security best practices):
-#    - critical: Critical security risk (e.g., wildcard action + resource)
-#    - high:     High security risk (e.g., missing required conditions)
-#    - medium:   Medium security risk (e.g., overly permissive wildcards)
-#    - low:      Low security risk (e.g., minor best practice violations)
-#
-# Use 'error' for policy validity issues, and 'critical/high/medium/low' for
-# security best practices. This distinction helps separate "broken policies"
-# from "insecure but valid policies".
-# ============================================================================
-# Default configuration dictionary
-DEFAULT_CONFIG = {
-    "settings": {
-        "fail_fast": False,
-        "max_concurrent": 10,
-        "enable_builtin_checks": True,
-        "parallel_execution": True,
-        "aws_services_dir": None,
-        "cache_enabled": True,
-        "cache_ttl_hours": 168,
-        "fail_on_severity": ["error", "critical", "high"],
-    },
-    "sid_uniqueness_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements",
-    },
-    "policy_size_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that IAM policies don't exceed AWS size limits",
-        "policy_type": "managed",
-    },
-    "action_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that actions exist in AWS services",
-    },
-    "condition_key_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates condition keys against AWS service definitions for specified actions",
-        "validate_aws_global_keys": True,
-    },
-    "resource_validation_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates ARN format for resources",
-        "arn_pattern": "^arn:(aws|aws-cn|aws-us-gov|aws-eusc|aws-iso|aws-iso-b|aws-iso-e|aws-iso-f):[a-z0-9\\-]+:[a-z0-9\\-*]*:[0-9*]*:.+$",
-    },
-    "principal_validation_check": {
-        "enabled": True,
-        "severity": "high",
-        "description": "Validates Principal elements in resource policies for security best practices",
-        "blocked_principals": ["*"],
-        "allowed_principals": [],
-        "require_conditions_for": {
-            "*": ["aws:SourceArn", "aws:SourceAccount"],
-        },
-        "allowed_service_principals": [
-            "cloudfront.amazonaws.com",
-            "s3.amazonaws.com",
-            "sns.amazonaws.com",
-            "lambda.amazonaws.com",
-            "logs.amazonaws.com",
-            "events.amazonaws.com",
-        ],
-    },
-    "action_resource_constraint_check": {
-        "enabled": True,
-        "severity": "error",
-        "description": "Validates that actions without required resource types use Resource: '*'",
-    },
-    "security_best_practices_check": {
-        "enabled": True,
-        "description": "Checks for common security anti-patterns",
-        "allowed_wildcards": [
-            "autoscaling:Describe*",
-            "cloudwatch:Describe*",
-            "cloudwatch:Get*",
-            "cloudwatch:List*",
-            "dynamodb:Describe*",
-            "ec2:Describe*",
-            "elasticloadbalancing:Describe*",
-            "iam:Get*",
-            "iam:List*",
-            "kms:Describe*",
-            "lambda:Get*",
-            "lambda:List*",
-            "logs:Describe*",
-            "logs:Filter*",
-            "logs:Get*",
-            "rds:Describe*",
-            "route53:Get*",
-            "route53:List*",
-            "s3:Describe*",
-            "s3:GetBucket*",
-            "s3:GetM*",
-            "s3:List*",
-            "sqs:Get*",
-            "sqs:List*",
-            "apigateway:GET",
-        ],
-        "wildcard_action_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message": "Statement allows all actions (*)",
-            "suggestion": "Replace wildcard with specific actions needed for your use case",
-            "example": """Replace:
-  "Action": ["*"]
-With specific actions:
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject",
-    "s3:ListBucket"
-  ]
-""",
-        },
-        "wildcard_resource_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message": "Statement applies to all resources (*)",
-            "suggestion": "Replace wildcard with specific resource ARNs",
-            "example": """Replace:
-  "Resource": "*"
-With specific ARNs:
-  "Resource": [
-    "arn:aws:service:region:account-id:resource-type/resource-id",
-    "arn:aws:service:region:account-id:resource-type/*"
-  ]
-""",
-        },
-        "full_wildcard_check": {
-            "enabled": True,
-            "severity": "critical",
-            "message": "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
-            "suggestion": "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
-            "example": """Replace:
-  "Action": "*",
-  "Resource": "*"
-With specific values:
-  "Action": [
-    "s3:GetObject",
-    "s3:PutObject"
-  ],
-  "Resource": [
-    "arn:aws:s3:::my-bucket/*"
-  ]
-""",
-        },
-        "service_wildcard_check": {
-            "enabled": True,
-            "severity": "high",
-            "allowed_services": ["logs", "cloudwatch", "xray"],
-        },
-        "sensitive_action_check": {
-            "enabled": True,
-            "severity": "medium",
-            "message_single": "Sensitive action '{action}' should have conditions to limit when it can be used",
-            "message_multiple": "Sensitive actions '{actions}' should have conditions to limit when they can be used",
-            "suggestion": "Add IAM conditions to limit when this action can be used. Consider: ABAC (ResourceTag OR RequestTag must match PrincipalTag), IP restrictions (aws:SourceIp), MFA requirements (aws:MultiFactorAuthPresent), or time-based restrictions (aws:CurrentTime)",
-            "example": """"Condition": {
-  "StringEquals": {
-    "aws:ResourceTag/owner": "${aws:PrincipalTag/owner}"
-  }
-}
-""",
-            "sensitive_actions": [
-                "iam:AddClientIDToOpenIDConnectProvider",
-                "iam:AttachRolePolicy",
-                "iam:AttachUserPolicy",
-                "iam:CreateAccessKey",
-                "iam:CreateOpenIDConnectProvider",
-                "iam:CreatePolicyVersion",
-                "iam:CreateRole",
-                "iam:CreateSAMLProvider",
-                "iam:CreateUser",
-                "iam:DeleteAccessKey",
-                "iam:DeleteLoginProfile",
-                "iam:DeleteOpenIDConnectProvider",
-                "iam:DeleteRole",
-                "iam:DeleteRolePolicy",
-                "iam:DeleteSAMLProvider",
-                "iam:DeleteUser",
-                "iam:DeleteUserPolicy",
-                "iam:DetachRolePolicy",
-                "iam:DetachUserPolicy",
-                "iam:PutRolePolicy",
-                "iam:PutUserPolicy",
-                "iam:SetDefaultPolicyVersion",
-                "iam:UpdateAccessKey",
-                "iam:UpdateAssumeRolePolicy",
-                "kms:DisableKey",
-                "kms:PutKeyPolicy",
-                "kms:ScheduleKeyDeletion",
-                "secretsmanager:DeleteSecret",
-                "secretsmanager:GetSecretValue",
-                "secretsmanager:PutSecretValue",
-                "ssm:DeleteParameter",
-                "ssm:PutParameter",
-                "ec2:DeleteSnapshot",
-                "ec2:DeleteVolume",
-                "ec2:DeleteVpc",
-                "ec2:ModifyInstanceAttribute",
-                "ec2:TerminateInstances",
-                "ecr:DeleteRepository",
-                "ecs:DeleteCluster",
-                "ecs:DeleteService",
-                "eks:DeleteCluster",
-                "lambda:DeleteFunction",
-                "lambda:DeleteFunctionConcurrency",
-                "lambda:PutFunctionConcurrency",
-                "dynamodb:DeleteTable",
-                "efs:DeleteFileSystem",
-                "elasticache:DeleteCacheCluster",
-                "fsx:DeleteFileSystem",
-                "rds:DeleteDBCluster",
-                "rds:DeleteDBInstance",
-                "redshift:DeleteCluster",
-                "backup:DeleteBackupVault",
-                "glacier:DeleteArchive",
-                "s3:DeleteBucket",
-                "s3:DeleteBucketPolicy",
-                "s3:DeleteObject",
-                "s3:PutBucketPolicy",
-                "s3:PutLifecycleConfiguration",
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:DeleteSecurityGroup",
-                "ec2:DisassociateRouteTable",
-                "ec2:RevokeSecurityGroupEgress",
-                "cloudtrail:DeleteTrail",
-                "cloudtrail:StopLogging",
-                "cloudwatch:DeleteLogGroup",
-                "config:DeleteConfigurationRecorder",
-                "guardduty:DeleteDetector",
-                "account:CloseAccount",
-                "account:CreateAccount",
-                "organizations:LeaveOrganization",
-                "organizations:RemoveAccountFromOrganization",
-            ],
-        },
-    },
-    "action_condition_enforcement_check": {
-        "enabled": True,
-        "severity": "high",
-        "description": "Enforce specific IAM condition requirements (unified: MFA, IP, tags, etc.)",
-        "action_condition_requirements": [
-            {
-                "actions": ["iam:PassRole"],
-                "severity": "high",
-                "required_conditions": [
-                    {
-                        "condition_key": "iam:PassedToService",
-                        "description": "Specify which AWS services are allowed to use the passed role to prevent privilege escalation",
-                        "example": """"Condition": {
-  "StringEquals": {
-    "iam:PassedToService": [
-      "lambda.amazonaws.com",
-      "ecs-tasks.amazonaws.com",
-      "ec2.amazonaws.com",
-      "glue.amazonaws.com",
-      "lambda.amazonaws.com"
-    ]
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": [
-                    "iam:CreateRole",
-                    "iam:PutRolePolicy*",
-                    "iam:PutUserPolicy",
-                    "iam:PutRolePolicy",
-                    "iam:Attach*Policy*",
-                    "iam:AttachUserPolicy",
-                    "iam:AttachRolePolicy",
-                ],
-                "severity": "high",
-                "required_conditions": [
-                    {
-                        "condition_key": "iam:PermissionsBoundary",
-                        "description": "Require permissions boundary for sensitive IAM operations to prevent privilege escalation",
-                        "expected_value": "arn:aws:iam::*:policy/DeveloperBoundary",
-                        "example": """# See: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html
-"Condition": {
-  "StringEquals": {
-    "iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": ["s3:PutObject"],
-                "severity": "medium",
-                "required_conditions": [
-                    {
-                        "condition_key": "aws:ResourceOrgId",
-                        "description": "Require aws:ResourceOrgId condition for S3 write actions to enforce organization-level access control",
-                        "example": """"Condition": {
-  "StringEquals": {
-    "aws:ResourceOrgId": "${aws:PrincipalOrgID}"
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "action_patterns": [
-                    "^ssm:StartSession$",
-                    "^ssm:Run.*$",
-                    "^s3:GetObject$",
-                    "^rds-db:Connect$",
-                ],
-                "severity": "low",
-                "required_conditions": [
-                    {
-                        "condition_key": "aws:SourceIp",
-                        "description": "Restrict access to corporate IP ranges",
-                        "example": """"Condition": {
-  "IpAddress": {
-    "aws:SourceIp": [
-      "10.0.0.0/8",
-      "172.16.0.0/12"
-    ]
-  }
-}
-""",
-                    },
-                ],
-            },
-            {
-                "actions": ["s3:GetObject", "s3:PutObject"],
-                "required_conditions": {
-                    "none_of": [
-                        {
-                            "condition_key": "aws:SecureTransport",
-                            "expected_value": False,
-                            "description": "Never allow insecure transport to be explicitly permitted",
-                            "example": """# Set this condition to true to enforce secure transport or remove it entirely
-"Condition": {
-  "Bool": {
-    "aws:SecureTransport": "true"
-  }
-}
-""",
-                        },
-                    ],
-                },
-            },
-        ],
-    },
-}
-def get_default_config() -> dict:
-    """
-    Get a deep copy of the default configuration.
-    Returns:
-        A deep copy of the default configuration dictionary
-    """
-    import copy
-    return copy.deepcopy(DEFAULT_CONFIG)

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{iam_policy_validator-1.4.0.dist-info → iam_policy_validator-1.6.0.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

iam-policy-validator 1.4.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

iam-policy-validator 1.4.0py3-none-any.whl → 1.6.0py3-none-any.whl