iam-policy-validator 1.4.0__py3-none-any.whl

iam_validator/checks/action_resource_constraint.py

@@ -0,0 +1,151 @@
+"""Action resource constraint check - validates resource constraints for actions.
+
+This check ensures that:
+- Actions WITHOUT required resource types (empty or missing Resources field in AWS API)
+  MUST use Resource: "*" because they are account-level operations
+
+Examples of actions without required resources:
+- s3:ListAllMyBuckets (lists all buckets in account)
+- iam:ListRoles (lists all roles in account)
+- ec2:DescribeInstances (describes instances across all regions)
+
+These actions cannot target specific resources because they operate at the account level.
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ActionResourceConstraintCheck(PolicyCheck):
+    """Validates resource constraints based on action requirements.
+    This check ensures that actions without required resource types use Resource: "*".
+
+    Examples of such actions include s3:ListAllMyBuckets, iam:ListRoles, etc.
+    """
+
+    @property
+    def check_id(self) -> str:
+        return "action_resource_constraint"
+
+    @property
+    def description(self) -> str:
+        return "Validates that actions without required resource types use Resource: '*'"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute action resource constraint validation on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        # Get actions and resources from statement
+        actions = statement.get_actions()
+        resources = statement.get_resources()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Skip if no actions or wildcard action
+        if not actions or "*" in actions:
+            return issues
+
+        # Skip if already using wildcard resource (this is correct for these actions)
+        if "*" in resources:
+            return issues
+
+        # Check each action for resource requirements
+        actions_without_required_resources = []
+
+        for action in actions:
+            # Skip wildcard actions
+            if "*" in action:
+                continue
+
+            try:
+                # Parse action to get service and action name
+                service_prefix, action_name = fetcher.parse_action(action)
+
+                # Fetch service detail to check resource requirements
+                service_detail = await fetcher.fetch_service_by_name(service_prefix)
+
+                # Check if action exists
+                if action_name not in service_detail.actions:
+                    # Action doesn't exist - skip (will be caught by action_validation_check)
+                    continue
+
+                action_detail = service_detail.actions[action_name]
+
+                # Check if action has NO required resources (empty or missing Resources field)
+                has_no_required_resources = (
+                    not action_detail.resources or len(action_detail.resources) == 0
+                )
+
+                if has_no_required_resources:
+                    actions_without_required_resources.append(action)
+
+            except ValueError:
+                # Invalid action format - skip (will be caught by action_validation_check)
+                continue
+            except Exception:
+                # Service not found or other error - skip
+                continue
+
+        # If we found actions without required resources, report the issue
+        if actions_without_required_resources:
+            # Get a sample of the resources to show in error message
+            resource_sample = resources[:3] if len(resources) > 3 else resources
+            resource_display = ", ".join(f'"{r}"' for r in resource_sample)
+            if len(resources) > 3:
+                resource_display += f", ... ({len(resources) - 3} more)"
+
+            # Format action list
+            action_list = ", ".join(f'"{a}"' for a in actions_without_required_resources)
+
+            # Determine message based on how many actions are affected
+            if len(actions_without_required_resources) == 1:
+                message = (
+                    f"Action {action_list} does not operate on specific resources "
+                    f'and requires Resource: "*"'
+                )
+                suggestion = (
+                    f"Action {action_list} is an account-level operation that cannot target "
+                    'specific resources. Move this action to a separate statement with Resource: "*", '
+                    "and keep resource-specific actions in another statement with their specific ARNs"
+                )
+            else:
+                message = (
+                    f"Actions {action_list} do not operate on specific resources "
+                    f'and require Resource: "*"'
+                )
+                suggestion = (
+                    "These actions are account-level operations that cannot target "
+                    'specific resources. Move these actions to a dedicated statement with Resource: "*", '
+                    "and keep resource-specific actions in separate statements with their specific ARNs"
+                )
+
+            issues.append(
+                ValidationIssue(
+                    severity=self.get_severity(config),
+                    statement_sid=statement_sid,
+                    statement_index=statement_idx,
+                    issue_type="invalid_resource_constraint",
+                    message=message,
+                    action=action_list,
+                    resource=resource_display,
+                    suggestion=suggestion,
+                    line_number=line_number,
+                )
+            )
+
+        return issues

iam_validator/checks/action_validation.py

@@ -0,0 +1,72 @@
+"""Action validation check - validates IAM actions against AWS service definitions.
+
+This check ensures that all actions specified in IAM policies are valid actions
+defined by AWS services. It helps identify typos or deprecated actions that may
+lead to unintended access permissions.
+
+This check is not necessary when using Access Analyzer, as it performs similar
+validations. However, it can be useful in environments where Access Analyzer is
+not available or for pre-deployment policy validation to catch errors early.
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ActionValidationCheck(PolicyCheck):
+    """Validates that IAM actions exist in AWS services."""
+
+    @property
+    def check_id(self) -> str:
+        return "action_validation"
+
+    @property
+    def description(self) -> str:
+        return "Validates that actions exist in AWS service definitions"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute action validation on a statement.
+
+        This check ONLY validates that actions exist in AWS service definitions.
+        Wildcard security checks are handled by security_best_practices_check.
+        """
+        issues = []
+
+        # Get actions from statement
+        actions = statement.get_actions()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        for action in actions:
+            # Skip wildcard actions - they're handled by security_best_practices_check
+            if action == "*" or "*" in action:
+                continue
+
+            # Validate the action exists in AWS
+            is_valid, error_msg, _is_wildcard = await fetcher.validate_action(action)
+
+            if not is_valid:
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_action",
+                        message=error_msg or f"Invalid action: {action}",
+                        action=action,
+                        line_number=line_number,
+                    )
+                )
+
+        return issues

iam_validator/checks/condition_key_validation.py

@@ -0,0 +1,70 @@
+"""Condition key validation check - validates condition keys against AWS definitions."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ConditionKeyValidationCheck(PolicyCheck):
+    """Validates condition keys against AWS service definitions and global keys."""
+
+    @property
+    def check_id(self) -> str:
+        return "condition_key_validation"
+
+    @property
+    def description(self) -> str:
+        return "Validates condition keys against AWS service definitions"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"  # Invalid condition keys are IAM policy errors
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute condition key validation on a statement."""
+        issues = []
+
+        # Get conditions from statement
+        if not statement.condition:
+            return issues
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+        actions = statement.get_actions()
+
+        # Extract all condition keys from all condition operators
+        for operator, conditions in statement.condition.items():
+            for condition_key in conditions.keys():
+                # Validate this condition key against each action in the statement
+                for action in actions:
+                    # Skip wildcard actions
+                    if action == "*":
+                        continue
+
+                    is_valid, error_msg = await fetcher.validate_condition_key(
+                        action, condition_key
+                    )
+
+                    if not is_valid:
+                        issues.append(
+                            ValidationIssue(
+                                severity=self.get_severity(config),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="invalid_condition_key",
+                                message=error_msg or f"Invalid condition key: {condition_key}",
+                                action=action,
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+                        # Only report once per condition key (not per action)
+                        break
+
+        return issues

iam_validator/checks/policy_size.py

@@ -0,0 +1,151 @@
+"""Policy size validation check.
+
+This check validates that IAM policies don't exceed AWS's maximum size limits.
+AWS enforces different size limits based on policy type:
+- Managed policies: 6,144 characters maximum
+- Inline policies for users: 2,048 characters maximum
+- Inline policies for groups: 5,120 characters maximum
+- Inline policies for roles: 10,240 characters maximum
+
+Note: AWS does not count whitespace when calculating policy size.
+"""
+
+import json
+import re
+from typing import TYPE_CHECKING
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
+
+class PolicySizeCheck(PolicyCheck):
+    """Validates that IAM policies don't exceed AWS size limits."""
+
+    # AWS IAM policy size limits (in characters, excluding whitespace)
+    DEFAULT_LIMITS = {
+        "managed": 6144,
+        "inline_user": 2048,
+        "inline_group": 5120,
+        "inline_role": 10240,
+    }
+
+    @property
+    def check_id(self) -> str:
+        return "policy_size"
+
+    @property
+    def description(self) -> str:
+        return "Validates that IAM policies don't exceed AWS size limits"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute the policy size check at statement level.
+
+        This is a policy-level check, so statement-level execution returns empty.
+        The actual check runs in execute_policy() which has access to the full policy.
+
+        Args:
+            statement: The IAM policy statement (unused)
+            statement_idx: Index of the statement in the policy (unused)
+            fetcher: AWS service fetcher (unused for this check)
+            config: Configuration for this check instance (unused)
+
+        Returns:
+            Empty list (actual check runs in execute_policy())
+        """
+        del statement, statement_idx, fetcher, config  # Unused
+        # This is a policy-level check - execution happens in execute_policy()
+        return []
+
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """Execute the policy size check on the entire policy.
+
+        This method calculates the policy size (excluding whitespace) and validates
+        it against AWS limits based on the configured policy type.
+
+        Args:
+            policy: The complete IAM policy to validate
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher (unused for this check)
+            config: Configuration for this check instance
+
+        Returns:
+            List of ValidationIssue objects if policy exceeds size limits
+        """
+        del policy_file, fetcher  # Unused
+        issues = []
+
+        # Get the policy type from config (default to managed)
+        policy_type = config.config.get("policy_type", "managed")
+
+        # Get custom limits if provided in config, otherwise use defaults
+        size_limits = config.config.get("size_limits", self.DEFAULT_LIMITS.copy())
+
+        # Determine the applicable limit
+        limit_key = policy_type
+        if limit_key not in size_limits:
+            # If custom policy_type not found, default to managed
+            limit_key = "managed"
+
+        max_size = size_limits[limit_key]
+
+        # Convert policy to JSON and calculate size (excluding whitespace)
+        policy_json = policy.model_dump(by_alias=True, exclude_none=True)
+        policy_string = json.dumps(policy_json, separators=(",", ":"))
+
+        # Remove all whitespace as AWS doesn't count it
+        policy_size = len(re.sub(r"\s+", "", policy_string))
+
+        # Check if policy exceeds the limit
+        if policy_size > max_size:
+            severity = self.get_severity(config)
+
+            # Calculate percentage over limit
+            percentage_over = ((policy_size - max_size) / max_size) * 100
+
+            # Determine policy type description
+            policy_type_desc = {
+                "managed": "managed policy",
+                "inline_user": "inline policy for users",
+                "inline_group": "inline policy for groups",
+                "inline_role": "inline policy for roles",
+            }.get(policy_type, policy_type)
+
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=None,  # Policy-level issue
+                    statement_index=-1,  # -1 indicates policy-level issue
+                    issue_type="policy_size_exceeded",
+                    message=f"Policy size ({policy_size:,} characters) exceeds AWS limit for {policy_type_desc} ({max_size:,} characters)",
+                    suggestion=f"The policy is {policy_size - max_size:,} characters over the limit ({percentage_over:.1f}% too large). Consider:\n"
+                    f"  1. Splitting the policy into multiple smaller policies\n"
+                    f"  2. Using more concise action/resource patterns with wildcards\n"
+                    f"  3. Removing unnecessary statements or conditions\n"
+                    f"  4. For inline policies, consider using managed policies instead\n"
+                    f"\nNote: AWS does not count whitespace in the size calculation.",
+                    line_number=None,
+                )
+            )
+
+        return issues