iam-policy-validator 1.4.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

iam_validator/checks/sensitive_action.py

@@ -0,0 +1,250 @@
+"""Sensitive action check - detects sensitive actions without IAM conditions."""
+
+from typing import TYPE_CHECKING
+
+from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
+from iam_validator.checks.utils.sensitive_action_matcher import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    check_sensitive_actions,
+)
+from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.config.sensitive_actions import get_category_for_action
+from iam_validator.core.models import Statement, ValidationIssue
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
+
+class SensitiveActionCheck(PolicyCheck):
+    """Checks for sensitive actions without IAM conditions to limit their use."""
+
+    @property
+    def check_id(self) -> str:
+        return "sensitive_action"
+
+    @property
+    def description(self) -> str:
+        return "Checks for sensitive actions without conditions"
+
+    @property
+    def default_severity(self) -> str:
+        return "medium"
+
+    def _get_severity_for_action(self, action: str, config: CheckConfig) -> str:
+        """
+        Get severity for a specific action, considering category-based overrides.
+
+        Args:
+            action: The AWS action to check
+            config: Check configuration
+
+        Returns:
+            Severity level for the action (considers category overrides)
+        """
+        # Check if category severities are configured
+        category_severities = config.config.get("category_severities", {})
+        if not category_severities:
+            return self.get_severity(config)
+
+        # Get the category for this action
+        category = get_category_for_action(action)
+        if category and category in category_severities:
+            return category_severities[category]
+
+        # Fall back to default severity
+        return self.get_severity(config)
+
+    def _get_category_specific_suggestion(
+        self, action: str, config: CheckConfig
+    ) -> tuple[str, str]:
+        """
+        Get category-specific suggestion and example for an action.
+
+        Args:
+            action: The AWS action to check
+            config: Check configuration
+
+        Returns:
+            Tuple of (suggestion_text, example_text) tailored to the action's category
+        """
+        category = get_category_for_action(action)
+
+        # Get category suggestions from config (ABAC-focused by default)
+        # See: iam_validator/core/config/category_suggestions.py
+        category_suggestions = config.config.get("category_suggestions", {})
+
+        # Get category-specific content or fall back to generic ABAC guidance
+        if category and category in category_suggestions:
+            return (
+                category_suggestions[category]["suggestion"],
+                category_suggestions[category]["example"],
+            )
+
+        # Generic ABAC fallback for uncategorized actions
+        return (
+            "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
+            "• Match principal tags to resource tags (aws:PrincipalTag/X = aws:ResourceTag/X)\n"
+            "• Require MFA (aws:MultiFactorAuthPresent = true)\n"
+            "• Restrict by IP (aws:SourceIp) or VPC (aws:SourceVpc)",
+            '"Condition": {\n'
+            '  "StringEquals": {\n'
+            '    "aws:PrincipalTag/owner": "${aws:ResourceTag/owner}"\n'
+            "  }\n"
+            "}",
+        )
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute sensitive action check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        has_conditions = statement.condition is not None and len(statement.condition) > 0
+
+        # Expand wildcards to actual actions using AWS API
+        expanded_actions = await expand_wildcard_actions(actions, fetcher)
+
+        # Check if sensitive actions match using any_of/all_of logic
+        is_sensitive, matched_actions = check_sensitive_actions(
+            expanded_actions, config, DEFAULT_SENSITIVE_ACTIONS
+        )
+
+        if is_sensitive and not has_conditions:
+            # Create appropriate message based on matched actions using configurable templates
+            if len(matched_actions) == 1:
+                message_template = config.config.get(
+                    "message_single",
+                    "Sensitive action '{action}' should have conditions to limit when it can be used",
+                )
+                message = message_template.format(action=matched_actions[0])
+            else:
+                action_list = "', '".join(matched_actions)
+                message_template = config.config.get(
+                    "message_multiple",
+                    "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                )
+                message = message_template.format(actions=action_list)
+
+            # Get category-specific suggestion and example (or use config defaults)
+            # Use the first matched action to determine the category
+            suggestion_text, example = self._get_category_specific_suggestion(
+                matched_actions[0], config
+            )
+
+            # Combine suggestion + example
+            suggestion = f"{suggestion_text}\n\nExample:\n{example}" if example else suggestion_text
+
+            # Determine severity based on the highest severity action in the list
+            # If single action, use its category severity
+            # If multiple actions, use the highest severity among them
+            severity = self.get_severity(config)  # Default
+            if matched_actions:
+                # Get severity for first action (or highest if we want to be more sophisticated)
+                severity = self._get_severity_for_action(matched_actions[0], config)
+
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="missing_condition",
+                    message=message,
+                    action=(matched_actions[0] if len(matched_actions) == 1 else None),
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues
+
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """
+        Execute policy-level sensitive action checks.
+
+        This method examines the entire policy to detect privilege escalation patterns
+        and other security issues that span multiple statements.
+
+        Args:
+            policy: The complete IAM policy to check
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher for validation against AWS APIs
+            config: Configuration for this check instance
+
+        Returns:
+            List of ValidationIssue objects found by this check
+        """
+        del policy_file, fetcher  # Not used in current implementation
+        issues = []
+
+        # Collect all actions from all Allow statements across the entire policy
+        all_actions: set[str] = set()
+        statement_map: dict[
+            str, list[tuple[int, str | None]]
+        ] = {}  # action -> [(stmt_idx, sid), ...]
+
+        for idx, statement in enumerate(policy.statement):
+            if statement.effect == "Allow":
+                actions = statement.get_actions()
+                # Filter out wildcards for privilege escalation detection
+                filtered_actions = [a for a in actions if a != "*"]
+
+                for action in filtered_actions:
+                    all_actions.add(action)
+                    if action not in statement_map:
+                        statement_map[action] = []
+                    statement_map[action].append((idx, statement.sid))
+
+        # Get configuration for sensitive actions
+        sensitive_actions_config = config.config.get("sensitive_actions")
+        sensitive_patterns_config = config.config.get("sensitive_action_patterns")
+
+        # Check for privilege escalation patterns using all_of logic
+        # We need to check both exact actions and patterns
+        policy_issues = []
+
+        # Check sensitive_actions configuration
+        if sensitive_actions_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_actions_config,
+                    config,
+                    "actions",
+                    self.get_severity,
+                )
+            )
+
+        # Check sensitive_action_patterns configuration
+        if sensitive_patterns_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_patterns_config,
+                    config,
+                    "patterns",
+                    self.get_severity,
+                )
+            )
+
+        issues.extend(policy_issues)
+        return issues

iam_validator/checks/service_wildcard.py

@@ -0,0 +1,105 @@
+"""Service wildcard check - detects service-level wildcards like 'iam:*', 's3:*'."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ServiceWildcardCheck(PolicyCheck):
+    """Checks for service-level wildcards (e.g., 'iam:*', 's3:*') which grant all permissions for a service."""
+
+    @property
+    def check_id(self) -> str:
+        return "service_wildcard"
+
+    @property
+    def description(self) -> str:
+        return "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
+
+    @property
+    def default_severity(self) -> str:
+        return "high"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute service wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        allowed_services = self._get_allowed_service_wildcards(config)
+
+        for action in actions:
+            # Skip full wildcard (covered by wildcard_action check)
+            if action == "*":
+                continue
+
+            # Check if it's a service-level wildcard (e.g., "iam:*", "s3:*")
+            if ":" in action and action.endswith(":*"):
+                service = action.split(":")[0]
+
+                # Check if this service is in the allowed list
+                if service not in allowed_services:
+                    # Get message template and replace placeholders
+                    message_template = config.config.get(
+                        "message",
+                        "Service-level wildcard '{action}' grants all permissions for {service} service",
+                    )
+                    suggestion_template = config.config.get(
+                        "suggestion",
+                        "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                    )
+                    example_template = config.config.get("example", "")
+
+                    message = message_template.format(action=action, service=service)
+                    suggestion_text = suggestion_template.format(action=action, service=service)
+                    example = (
+                        example_template.format(action=action, service=service)
+                        if example_template
+                        else ""
+                    )
+
+                    # Combine suggestion + example
+                    suggestion = (
+                        f"{suggestion_text}\nExample:\n{example}" if example else suggestion_text
+                    )
+
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            statement_sid=statement.sid,
+                            statement_index=statement_idx,
+                            issue_type="overly_permissive",
+                            message=message,
+                            action=action,
+                            suggestion=suggestion,
+                            line_number=statement.line_number,
+                        )
+                    )
+
+        return issues
+
+    def _get_allowed_service_wildcards(self, config: CheckConfig) -> set[str]:
+        """
+        Get list of services that are allowed to use service-level wildcards.
+
+        This allows configuration like:
+          service_wildcard:
+            allowed_services:
+              - "logs"        # Allow "logs:*"
+              - "cloudwatch"  # Allow "cloudwatch:*"
+
+        Returns empty set if no exceptions are configured.
+        """
+        allowed = config.config.get("allowed_services", [])
+        if allowed and isinstance(allowed, list):
+            return set(allowed)
+        return set()

iam_validator/checks/set_operator_validation.py

@@ -0,0 +1,157 @@
+"""Set Operator Validation Check.
+
+Validates proper usage of ForAllValues and ForAnyValue set operators in IAM policies.
+
+Based on AWS IAM best practices:
+https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.condition_validators import (
+    is_multivalued_context_key,
+    normalize_operator,
+)
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class SetOperatorValidationCheck(PolicyCheck):
+    """Check for proper usage of ForAllValues and ForAnyValue set operators."""
+
+    @property
+    def check_id(self) -> str:
+        """Unique identifier for this check."""
+        return "set_operator_validation"
+
+    @property
+    def description(self) -> str:
+        """Description of what this check does."""
+        return "Validates proper usage of ForAllValues and ForAnyValue set operators"
+
+    @property
+    def default_severity(self) -> str:
+        """Default severity level for issues found by this check."""
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """
+        Execute the set operator validation check.
+
+        Validates:
+        1. ForAllValues/ForAnyValue not used with single-valued context keys (anti-pattern)
+        2. ForAllValues with Allow effect includes Null condition check (security)
+        3. ForAnyValue with Deny effect includes Null condition check (predictability)
+
+        Args:
+            statement: The IAM statement to check
+            statement_idx: Index of this statement in the policy
+            fetcher: AWS service fetcher (unused but required by interface)
+            config: Check configuration
+
+        Returns:
+            List of validation issues found
+        """
+        issues = []
+
+        # Only check statements with conditions
+        if not statement.condition:
+            return issues
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+        effect = statement.effect
+
+        # Track which condition keys have set operators and Null checks
+        set_operator_keys: dict[str, str] = {}  # key -> operator prefix
+        null_checked_keys: set[str] = set()
+
+        # First pass: Identify set operators and Null checks
+        for operator, conditions in statement.condition.items():
+            base_operator, operator_type, set_prefix = normalize_operator(operator)
+
+            # Track Null checks
+            if base_operator == "Null":
+                for condition_key in conditions.keys():
+                    null_checked_keys.add(condition_key)
+
+            # Track set operators
+            if set_prefix in ["ForAllValues", "ForAnyValue"]:
+                for condition_key in conditions.keys():
+                    set_operator_keys[condition_key] = set_prefix
+
+        # Second pass: Validate set operator usage
+        for operator, conditions in statement.condition.items():
+            base_operator, operator_type, set_prefix = normalize_operator(operator)
+
+            if not set_prefix:
+                continue
+
+            # Check each condition key used with a set operator
+            for condition_key, condition_values in conditions.items():
+                # Issue 1: Set operator used with single-valued context key (anti-pattern)
+                if not is_multivalued_context_key(condition_key):
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                f"Set operator '{set_prefix}' should not be used with single-valued "
+                                f"condition key '{condition_key}'. This can lead to overly permissive policies. "
+                                f"Set operators are designed for multivalued context keys like 'aws:TagKeys'. "
+                                f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="set_operator_on_single_valued_key",
+                            condition_key=condition_key,
+                            line_number=line_number,
+                        )
+                    )
+
+                # Issue 2: ForAllValues with Allow effect without Null check (security risk)
+                if set_prefix == "ForAllValues" and effect == "Allow":
+                    if condition_key not in null_checked_keys:
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                message=(
+                                    f"Security risk: ForAllValues with Allow effect on '{condition_key}' "
+                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f'\'{condition_key}\' will be granted access. Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                                ),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="forallvalues_allow_without_null_check",
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+
+                # Issue 3: ForAnyValue with Deny effect without Null check (unpredictable)
+                if set_prefix == "ForAnyValue" and effect == "Deny":
+                    if condition_key not in null_checked_keys:
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                message=(
+                                    f"Unpredictable behavior: ForAnyValue with Deny effect on '{condition_key}' "
+                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f"'{condition_key}' will evaluate to 'No match' instead of denying access. "
+                                    f'Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                                ),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="foranyvalue_deny_without_null_check",
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+
+        return issues

iam_validator/checks/utils/sensitive_action_matcher.py

@@ -2,6 +2,11 @@
 
 This module provides functionality to match actions against sensitive action
 configurations, supporting exact matches, regex patterns, and any_of/all_of logic.
+
+Performance optimizations:
+- Uses frozenset for O(1) lookups
+- LRU cache for compiled regex patterns
+- Lazy loading of default actions from modular data structure
 """
 
 import re
@@ -9,30 +14,57 @@ from functools import lru_cache
 from re import Pattern
 
 from iam_validator.core.check_registry import CheckConfig
+from iam_validator.core.config.sensitive_actions import get_sensitive_actions
+
+# Lazy-loaded default set of sensitive actions
+# This will be loaded only when first accessed
+_DEFAULT_SENSITIVE_ACTIONS_CACHE: frozenset[str] | None = None
+
+
+def _get_default_sensitive_actions() -> frozenset[str]:
+    """
+    Get default sensitive actions with lazy loading and caching.
+
+    Returns:
+        Frozenset of all default sensitive actions
+
+    Performance:
+        - First call: Loads from sensitive actions list
+        - Subsequent calls: O(1) cached lookup
+    """
+    global _DEFAULT_SENSITIVE_ACTIONS_CACHE
+    if _DEFAULT_SENSITIVE_ACTIONS_CACHE is None:
+        _DEFAULT_SENSITIVE_ACTIONS_CACHE = get_sensitive_actions()
+    return _DEFAULT_SENSITIVE_ACTIONS_CACHE
+
+
+def get_sensitive_actions_by_categories(categories: list[str] | None = None) -> frozenset[str]:
+    """
+    Get sensitive actions filtered by categories.
 
-# Default set of sensitive actions for backward compatibility
-# Using frozenset for O(1) lookups and immutability
-DEFAULT_SENSITIVE_ACTIONS = frozenset(
-    {
-        "ec2:DeleteVolume",
-        "ec2:TerminateInstances",
-        "eks:DeleteCluster",
-        "iam:AttachRolePolicy",
-        "iam:AttachUserPolicy",
-        "iam:CreateAccessKey",
-        "iam:CreateRole",
-        "iam:CreateUser",
-        "iam:DeleteRole",
-        "iam:DeleteUser",
-        "iam:PutRolePolicy",
-        "iam:PutUserPolicy",
-        "lambda:DeleteFunction",
-        "rds:DeleteDBInstance",
-        "s3:DeleteBucket",
-        "s3:DeleteBucketPolicy",
-        "s3:PutBucketPolicy",
-    }
-)
+    Args:
+        categories: List of category IDs to include. If None, returns all actions.
+                   Valid categories: 'credential_exposure', 'data_access',
+                   'priv_esc', 'resource_exposure'
+
+    Returns:
+        Frozenset of sensitive actions matching the specified categories
+
+    Examples:
+        >>> # Get all sensitive actions (default behavior)
+        >>> all_actions = get_sensitive_actions_by_categories()
+
+        >>> # Get only privilege escalation actions
+        >>> priv_esc = get_sensitive_actions_by_categories(['priv_esc'])
+
+        >>> # Get credential exposure and data access actions
+        >>> sensitive = get_sensitive_actions_by_categories(['credential_exposure', 'data_access'])
+    """
+    return get_sensitive_actions(categories)
+
+
+# Export for backward compatibility
+DEFAULT_SENSITIVE_ACTIONS = _get_default_sensitive_actions()
 
 
 # Global regex pattern cache for performance
@@ -61,15 +93,28 @@ def check_sensitive_actions(
     Args:
         actions: List of actions to check
         config: Check configuration
-        default_actions: Default sensitive actions to use if no config (defaults to DEFAULT_SENSITIVE_ACTIONS)
+        default_actions: Default sensitive actions to use if no config (lazy-loaded)
 
     Returns:
         tuple[bool, list[str]]: (is_sensitive, matched_actions)
             - is_sensitive: True if the actions match the sensitive criteria
             - matched_actions: List of actions that matched the criteria
+
+    Performance:
+        - Uses lazy-loaded defaults (only loaded on first use)
+        - O(1) frozenset lookups for action matching
     """
-    if default_actions is None:
-        default_actions = DEFAULT_SENSITIVE_ACTIONS
+    # Check if categories are specified in config
+    categories = config.config.get("categories")
+    if categories is not None:
+        # If categories is an empty list, disable the check
+        if len(categories) == 0:
+            return False, []
+        # Get sensitive actions filtered by categories
+        default_actions = get_sensitive_actions_by_categories(categories)
+    elif default_actions is None:
+        # Use all categories if no specific categories configured
+        default_actions = _get_default_sensitive_actions()
 
     # Filter out wildcards
     filtered_actions = [a for a in actions if a != "*"]
@@ -77,12 +122,9 @@ def check_sensitive_actions(
         return False, []
 
     # Get configuration for both sensitive_actions and sensitive_action_patterns
-    sub_check_config = config.config.get("sensitive_action_check", {})
-    if not isinstance(sub_check_config, dict):
-        return False, []
-
-    sensitive_actions_config = sub_check_config.get("sensitive_actions")
-    sensitive_patterns_config = sub_check_config.get("sensitive_action_patterns")
+    # Config is now flat (no longer nested under sensitive_action_check)
+    sensitive_actions_config = config.config.get("sensitive_actions")
+    sensitive_patterns_config = config.config.get("sensitive_action_patterns")
 
     # Check sensitive_actions (exact matches)
     actions_match, actions_matched = check_actions_config(