iam-policy-validator 1.5.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

{iam_policy_validator-1.5.0.dist-info → iam_policy_validator-1.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.5.0
+Version: 1.6.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -58,7 +58,7 @@ Description-Content-Type: text/markdown
 
 **This tool prevents these issues** by:
 - ✅ **Validating early** - Catch errors in PRs before merge
-- ✅ **Comprehensive checks** - AWS Access Analyzer + 15+ security checks
+- ✅ **Comprehensive checks** - AWS Access Analyzer + 18 built-in security checks
 - ✅ **Smart filtering** - Auto-detects IAM policies from mixed JSON/YAML files
 - ✅ **Developer-friendly** - Clear error messages with fix suggestions
 - ✅ **Zero setup** - Works as a GitHub Action out of the box
@@ -67,7 +67,7 @@ Description-Content-Type: text/markdown
 
 ### 🔍 Multi-Layer Validation
 - **AWS IAM Access Analyzer** - Official AWS validation (syntax, permissions, security)
-- **Custom Security Checks** - 15+ specialized checks for best practices
+- **18 Built-in Security Checks** - Comprehensive validation across AWS requirements and security best practices
 - **Policy Comparison** - Detect new permissions vs baseline (prevent scope creep)
 - **Public Access Detection** - Check 29+ AWS resource types for public exposure
 - **Privilege Escalation Detection** - Identify dangerous action combinations
@@ -748,7 +748,7 @@ iam-validator analyze \
 - **API**: API Gateway REST API
 - **DevOps**: CodeArtifact Domain, Backup Vault, CloudTrail
 
-See [docs/custom-policy-checks.md](docs/custom-policy-checks.md) for complete documentation.
+See [docs/custom-checks.md](docs/custom-checks.md) for complete documentation.
 
 ### As a Python Package
 
@@ -782,70 +782,96 @@ asyncio.run(main())
 
 ## Validation Checks
 
-### 1. Action Validation
-
-Verifies that IAM actions exist in AWS services:
-
+IAM Policy Validator performs **18 built-in checks** to ensure your policies are secure and valid.
+
+**📖 For detailed check documentation with configuration examples and pass/fail scenarios:**
+- **[Check Reference Guide](docs/check-reference.md)** - Complete reference for all 18 checks
+- **[Condition Requirements](docs/condition-requirements.md)** - Action condition enforcement
+- **[Privilege Escalation Detection](docs/privilege-escalation.md)** - Detecting escalation paths
+
+### Quick Overview
+
+**AWS IAM Validation (12 checks)** - Ensure policies work correctly in AWS:
+- Statement ID uniqueness and format
+- Policy size limits
+- Action and condition key validation
+- Condition operator and value type checking
+- Set operator validation
+- MFA anti-pattern detection
+- Resource ARN format validation
+- Principal validation (resource policies)
+- Policy type validation
+- Action-resource constraint and matching
+
+**Security Best Practices (6 checks)** - Identify security risks:
+- Wildcard actions (`Action: "*"`)
+- Wildcard resources (`Resource: "*"`)
+- Full wildcard (CRITICAL: both wildcards together)
+- Service-level wildcards (`iam:*`, `s3:*`, etc.)
+- Sensitive actions without conditions (490 actions across 4 risk categories)
+- Action condition enforcement (MFA, IP restrictions, tags, etc.)
+
+### Quick Examples
+
+**Action Validation:**
 ```json
+// ✅ PASS: Valid S3 action
 {
   "Effect": "Allow",
-  "Action": "s3:GetObject",  // ✅ Valid
-  "Resource": "*"
+  "Action": "s3:GetObject",
+  "Resource": "arn:aws:s3:::my-bucket/*"
 }
-```
 
-```json
+// ❌ FAIL: Invalid action name
 {
   "Effect": "Allow",
-  "Action": "s3:InvalidAction",  // ❌ Invalid - action doesn't exist
+  "Action": "s3:InvalidAction",  // ERROR: Action doesn't exist
   "Resource": "*"
 }
 ```
 
-### 2. Condition Key Validation
+**Full Wildcard (Critical):**
+```json
+// ✅ PASS: Specific actions and resources
+{
+  "Effect": "Allow",
+  "Action": ["s3:GetObject", "s3:PutObject"],
+  "Resource": "arn:aws:s3:::my-bucket/*"
+}
 
-Checks that condition keys are valid for the specified actions:
+// ❌ FAIL: Administrative access
+{
+  "Effect": "Allow",
+  "Action": "*",        // CRITICAL: All actions
+  "Resource": "*"       // CRITICAL: All resources
+}
+```
 
+**Action Condition Enforcement:**
 ```json
+// ✅ PASS: iam:PassRole with required condition
 {
   "Effect": "Allow",
-  "Action": "s3:GetObject",
+  "Action": "iam:PassRole",
   "Resource": "*",
   "Condition": {
     "StringEquals": {
-      "aws:RequestedRegion": "us-east-1"  // ✅ Valid global condition key
+      "iam:PassedToService": ["lambda.amazonaws.com"]
     }
   }
 }
-```
-
-### 3. Resource ARN Validation
-
-Ensures ARNs follow proper AWS format:
-
-```json
-{
-  "Effect": "Allow",
-  "Action": "s3:GetObject",
-  "Resource": "arn:aws:s3:::my-bucket/*"  // ✅ Valid ARN
-}
-```
 
-```json
+// ❌ FAIL: iam:PassRole without condition
 {
   "Effect": "Allow",
-  "Action": "s3:GetObject",
-  "Resource": "not-a-valid-arn"  // ❌ Invalid ARN format
+  "Action": "iam:PassRole",  // HIGH: Missing iam:PassedToService condition
+  "Resource": "*"
 }
 ```
 
-### 4. Security Best Practices
+**📚 For complete documentation of all 18 checks with detailed examples, see [Check Reference Guide](docs/check-reference.md)**
 
-Identifies potential security risks:
-
-- Overly permissive wildcard usage (`*` for both Action and Resource)
-- Sensitive actions without conditions
-- Administrative permissions without restrictions
+_Note: The old [CHECKS.md](docs/CHECKS.md) has been deprecated in favor of the new check-reference.md with better organization and examples._
 
 ## GitHub Integration Features
 
@@ -956,28 +982,27 @@ Result: PR always shows current state, no stale comments
 
 ## 📚 Documentation
 
-**[📖 Complete Documentation →](DOCS.md)**
-
-The comprehensive [DOCS.md](DOCS.md) file contains everything you need:
-- Installation & Quick Start
-- GitHub Actions Integration
-- CLI Reference & Examples
-- Custom Policy Checks (CheckAccessNotGranted, CheckNoNewAccess, CheckNoPublicAccess)
-- Configuration Guide
-- Creating Custom Validation Rules
-- Performance Optimization
-- Troubleshooting
-
-**Additional Resources:**
-- **[Examples Directory](examples/)** - Real-world examples:
-  - [GitHub Actions Workflows](examples/github-actions/)
-  - [Custom Checks](examples/custom_checks/)
-  - [Configuration Files](examples/configs/)
-  - [Test IAM Policies](examples/iam-test-policies/)
+### Core Documentation
+- **[📖 Complete Usage Guide (DOCS.md)](DOCS.md)** - Installation, CLI reference, GitHub Actions, configuration
+- **[✅ Validation Checks Reference](docs/check-reference.md)** - All 18 checks with pass/fail examples
+- **[🐍 Python SDK Guide (SDK.md)](docs/SDK.md)** - Use as a Python library in your applications
+- **[🤝 Contributing Guide (CONTRIBUTING.md)](CONTRIBUTING.md)** - How to contribute to the project
+
+### Examples & Resources
+- **[Configuration Examples](examples/configs/)** - 9 configuration files for different use cases
+- **[GitHub Actions Workflows](examples/github-actions/)** - Ready-to-use workflow examples
+- **[Custom Checks](examples/custom_checks/)** - Example custom validation rules
+- **[Library Usage Examples](examples/library-usage/)** - Python SDK examples
+- **[Test IAM Policies](examples/iam-test-policies/)** - Example policies for testing
+
+### Advanced Topics
 - **[Roadmap](docs/ROADMAP.md)** - Planned features and improvements
-- **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation
-- **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines
-- **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process
+- **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation setup
+- **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process for maintainers
+
+### Quick Links
+- **[GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)** - Report bugs or request features
+- **[GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)** - Ask questions and share ideas
 
 ## 🤝 Contributing
 
@@ -1014,6 +1039,10 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed instructions.
 
 This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
 
+### Third-Party Code
+
+Portions of the ARN pattern matching code in [`iam_validator/sdk/arn_matching.py`](iam_validator/sdk/arn_matching.py) are derived from [Parliament](https://github.com/duo-labs/parliament) (Copyright 2019 Duo Security, [BSD 3-Clause License](https://github.com/duo-labs/parliament/blob/master/LICENSE)). See file header for details.
+
 ## 🆘 Support
 
 - **Documentation**: Check the [docs/](docs/) directory

{iam_policy_validator-1.5.0.dist-info → iam_policy_validator-1.6.0.dist-info}/RECORD

@@ -1,51 +1,56 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=aNFKvgY68bb-MhUFw2OC-8_0VmwOTwY6_J5GPtri6os,206
-iam_validator/checks/__init__.py,sha256=OSgwk2WO_lLYOgSrTAycUNgRHw0NSU33Rse39thvVSk,1456
-iam_validator/checks/action_condition_enforcement.py,sha256=bKQEkD7PJYA0g9CwfrgfQSAKcVJkQgqfSnpXKE3Rz_0,29588
-iam_validator/checks/action_resource_constraint.py,sha256=p-gP7S9QYR6M7vffrnJY6LOlMUTn0kpEbrxQ8pTY5rs,6031
+iam_validator/__version__.py,sha256=U-2GASzFF5PD483Cth0LG6biXahUQLBsW4BrfQVnGhw,206
+iam_validator/checks/__init__.py,sha256=eDiDlVon0CwWGSBnZgM-arn1i5R5ZSG89pgR-ifETxE,1782
+iam_validator/checks/action_condition_enforcement.py,sha256=qE2ae6vzOG2LqYGrvxeDdKyXtfdtqgfCBBceTpIGqNY,36573
+iam_validator/checks/action_resource_matching.py,sha256=KyF9GgZrfSLy-DR_iaj9J9fOTOaj8G5BvBYqHEiSnkg,16577
 iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
-iam_validator/checks/condition_key_validation.py,sha256=XmlwSDHq7p48dEDxjUJiRtaqtfAiFgpBJnj2jY_25LU,3796
+iam_validator/checks/condition_key_validation.py,sha256=E-doe2QjvKSkyjXZO9TBp0QS7M0Fv2oYYQQ9738QNxg,3918
+iam_validator/checks/condition_type_mismatch.py,sha256=qAbP6pP_vM1aBvIBRHji56XLH_5cQI4cDhpMQe19CHM,10588
 iam_validator/checks/full_wildcard.py,sha256=8zkmkQo2TkflgNgbclThH73mIBRHbuiob0YO2HwQhuE,2371
+iam_validator/checks/mfa_condition_check.py,sha256=s7K2r9hxlJI1KWk8qXl-JOWE6jLIhpxooK26Pr7acKs,4915
 iam_validator/checks/policy_size.py,sha256=gJD8rFHa1CstKaZ2Dj9B5XEI3o0wsGv7ksqjqZXoSXI,5771
 iam_validator/checks/policy_type_validation.py,sha256=w85W4zdZ6ZrDy0DmHxxnAXbJGfN8peRDjLfJ4Bp1dWc,15009
 iam_validator/checks/principal_validation.py,sha256=DLmqX_QbfuV8O5XtcuocBeR_Vwa50_3RBx35XuLQob8,29837
 iam_validator/checks/resource_validation.py,sha256=AEIoiR6AKYLuVaA8ne3QE5qy6NCMDe98_2JAiwE9-JU,4261
-iam_validator/checks/sensitive_action.py,sha256=mGxUELAuzsY_zK382WgJeeRGJDl8lumIsWgGIm_tmPs,6852
+iam_validator/checks/sensitive_action.py,sha256=gxPhxMxQzsj7xrvRfMZlfh1o67B2s1ddSLF_KQ0FKOw,9716
 iam_validator/checks/service_wildcard.py,sha256=1O3NF8_T1LsCzpm8SFViv1KTh9NYQSqXN8-D3xx6Erw,4156
+iam_validator/checks/set_operator_validation.py,sha256=1XjOdf-xk-m6m1bODuHsELZccriGqOJTDI-HCcuId80,7464
 iam_validator/checks/sid_uniqueness.py,sha256=1Ux9W1hPPhzgdCzfxwxvD-nSBRo1SyrxFWlnTXDcOys,6887
 iam_validator/checks/wildcard_action.py,sha256=KsAej_GP6qL2XpmvGnS56SIJw3Z-5xyvZ7VDfsERFrU,2045
 iam_validator/checks/wildcard_resource.py,sha256=V5aBmb1pr8KhbVv2G4nzjBlZWz0kCOCgW6jKnb2_U60,5504
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
-iam_validator/checks/utils/sensitive_action_matcher.py,sha256=Wl_YHktQR1LthkePaLMVF5iCeBpax2QgNRN0_azgfD8,9295
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=e67RIi-zg7ssFwq6x4kt4wsTF-brNz91KaBxgV-23jg,10687
 iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
 iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=TWlDaZ8gVOdNv6__KQQfzeLVW36qLiL5IzlhGYfvq_g,16501
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
-iam_validator/commands/cache.py,sha256=NHfbIDWI8tj-3o-4fIZJQS-Vvd9bxIH3Lk6kBtNuiUU,14212
+iam_validator/commands/cache.py,sha256=p4ucRVuh42sbK3Lk0b610L3ofAR5TnUreF00fpO6VFg,14219
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=Nz6nC8UoRSLjnxTjv5n1qc5SOC88vK1ZwV04nH4oPDI,22333
+iam_validator/commands/validate.py,sha256=vyPsEenHoQPc_ftaVv0Ek5i52OvoqHaRCpVLLjCU5As,23508
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=poeT1i74jXpKr1B3UmvqiTvCTbq82zffWgZHwiFUwoo,24337
 iam_validator/core/access_analyzer_report.py,sha256=IrQVszlhFfQ6WykYLpig7TU3hf8dnQTegPDsOvHjR5Q,24873
-iam_validator/core/aws_fetcher.py,sha256=raEnvUi3rFaE1Bf9h6Am0bKeDSUN0WI6MPuVt4LSQzg,34169
-iam_validator/core/aws_global_conditions.py,sha256=ADVcMEWhgvDZWdBmRUQN3HB7a9OycbTLecXFAy3LPbo,5837
-iam_validator/core/check_registry.py,sha256=-3MDcJvzN07cyMbi9UTzw_JcPJCcB-tXGl5hKX-Y2ZY,16067
+iam_validator/core/aws_fetcher.py,sha256=NEXS7w6M5_EIXAm6OyyUEenpPU6p2Aj_a_p93aR9vAI,36147
+iam_validator/core/check_registry.py,sha256=cMjtJROkZOLzXxl-mTdLYHdxyajNnOsaHGs-EeaSZ7k,21741
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
-iam_validator/core/config_loader.py,sha256=qPdRokl8Hdc1t1vX--JQjOC_colgnnq1MrKsGtcW56s,17609
-iam_validator/core/models.py,sha256=8v-b8Z8PFqpbdEpkZZ33kuZ_5D81Z2lIHzlFLu3i5mE,11094
-iam_validator/core/policy_checks.py,sha256=zmA1GupD5jE1avCdaYLdZ7WA7CVG0CWjmgkd_2F-p7A,26429
+iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
+iam_validator/core/models.py,sha256=spL5USsDFNfzQ_7R6yaTo-fcoRANkKS-zCwn88XYjYQ,11544
+iam_validator/core/policy_checks.py,sha256=Uz2yCsqRaoIja31F4ZM-39a1pHv51yZqKyWWkGUZKNY,26489
 iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
-iam_validator/core/pr_commenter.py,sha256=7wt1q1rQE3bozNfrynWaE2RVkyRxu4CUNKX7u1_Ii1c,11593
+iam_validator/core/pr_commenter.py,sha256=EDE8lWsabkHYrOw2ApIUrPbjI5K3-Z_QxJkjakaVsTk,11600
 iam_validator/core/report.py,sha256=Yeh_u9jQvTyDV3ignyPcWEQVfFcxNZNrxf4T0fjeWb4,33283
-iam_validator/core/config/__init__.py,sha256=e9Dh-NtUtW6-Kk_RwLiOzLn8X09E4_VqgNp0Cuva7y0,2655
+iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
-iam_validator/core/config/condition_requirements.py,sha256=45HITvpClti453CgrMLlV1AwoZVUbSTVVhflaxapJTM,17021
-iam_validator/core/config/defaults.py,sha256=_GcVnGkMMqqG1OCxQy4lsS5pM7rDD3phXHTq1w3ECJU,19334
+iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
+iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
+iam_validator/core/config/condition_requirements.py,sha256=1PuADTB9pLqh-kNUGC7kSU6LMLtXMSc003tvI7qKeAY,5170
+iam_validator/core/config/config_loader.py,sha256=MjO9SJ3HSXl6gnv_Qy0d906pX9iW8cONM8alOotUaKI,17749
+iam_validator/core/config/defaults.py,sha256=w5ievxkqki3zYr7NaREoWtVx5rTfxBpZlgoNdovcILs,27112
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
-iam_validator/core/config/sensitive_actions.py,sha256=J03x_Y3z2gqU4QmeQF2iDWEZfeWKoNls1qL2VgtwtOU,4464
+iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
 iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
@@ -60,8 +65,18 @@ iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SK
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
 iam_validator/integrations/github_integration.py,sha256=bKs94vNT4PmcmUPUeuY2WJFhCYpUY2SWiBP1vj-andA,25673
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
-iam_policy_validator-1.5.0.dist-info/METADATA,sha256=D5TTVNQDeankIcLYRBT_UzysyZgWTZtaHzby0CHH_Vc,34222
-iam_policy_validator-1.5.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.5.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.5.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.5.0.dist-info/RECORD,,
+iam_validator/sdk/__init__.py,sha256=fRDSXAclGmCU3KDft4StL8JUcpAsdzwIRf8mVj461q0,5306
+iam_validator/sdk/arn_matching.py,sha256=we70RM2sriCcsd5GAUj7gL0iGKZt3oa0kle2VLF-X2E,8841
+iam_validator/sdk/context.py,sha256=SBFeedu8rhCzFA-zC2cH4wLZxEJT6XOW30hIZAyXPVU,6826
+iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
+iam_validator/sdk/helpers.py,sha256=OVBg4xrW95LT74wXCg1LQkba9kw5RfFqeCLuTqhgL-A,5697
+iam_validator/sdk/policy_utils.py,sha256=CZS1OGSdiWsd2lsCwg0BDcUNWa61tUwgvn-P5rKqeN8,12987
+iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
+iam_validator/utils/__init__.py,sha256=V8u-SSdnL4a7NwF-yg9x0JRl5epKAXEs2f5RiwK2qPo,856
+iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
+iam_validator/utils/regex.py,sha256=PMVCYxjlVa2zLNEnIU3upQCSIhPazlXWg_sJClIiqiM,6221
+iam_policy_validator-1.6.0.dist-info/METADATA,sha256=rghXQo_4hFarMkPFzCmWFgD_1yMW1dwtwGIId_MsBdc,36586
+iam_policy_validator-1.6.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.6.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.6.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.6.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,5 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.5.0"
+__version__ = "1.6.0"
 __version_info__ = tuple(int(part) for part in __version__.split("."))

iam_validator/checks/__init__.py

@@ -5,32 +5,38 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
-from iam_validator.checks.action_resource_constraint import (
-    ActionResourceConstraintCheck,
+from iam_validator.checks.action_resource_matching import (
+    ActionResourceMatchingCheck,
 )
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
+from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
+from iam_validator.checks.mfa_condition_check import MFAConditionCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
 from iam_validator.checks.resource_validation import ResourceValidationCheck
 from iam_validator.checks.sensitive_action import SensitiveActionCheck
 from iam_validator.checks.service_wildcard import ServiceWildcardCheck
+from iam_validator.checks.set_operator_validation import SetOperatorValidationCheck
 from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
 from iam_validator.checks.wildcard_action import WildcardActionCheck
 from iam_validator.checks.wildcard_resource import WildcardResourceCheck
 
 __all__ = [
     "ActionConditionEnforcementCheck",
-    "ActionResourceConstraintCheck",
+    "ActionResourceMatchingCheck",
     "ActionValidationCheck",
     "ConditionKeyValidationCheck",
+    "ConditionTypeMismatchCheck",
     "FullWildcardCheck",
+    "MFAConditionCheck",
     "PolicySizeCheck",
     "PrincipalValidationCheck",
     "ResourceValidationCheck",
     "SensitiveActionCheck",
     "ServiceWildcardCheck",
+    "SetOperatorValidationCheck",
     "SidUniquenessCheck",
     "WildcardActionCheck",
     "WildcardResourceCheck",

iam_validator/checks/action_condition_enforcement.py

@@ -5,6 +5,7 @@ This built-in check ensures that specific actions have required conditions.
 Supports ALL types of conditions: MFA, IP, VPC, time, tags, encryption, etc.
 
 Supports advanced "all_of" and "any_of" logic for both actions and conditions.
+Supports both STATEMENT-LEVEL and POLICY-LEVEL enforcement.
 
 Common use cases:
 - iam:PassRole must have iam:PassedToService condition
@@ -12,6 +13,7 @@ Common use cases:
 - Actions must have source IP restrictions
 - Resources must have required tags
 - Combine multiple conditions (MFA + IP + Tags)
+- Policy-level: Ensure ALL statements granting certain actions have MFA
 
 Configuration in iam-validator.yaml:
 
@@ -21,6 +23,7 @@ Configuration in iam-validator.yaml:
         severity: error
         description: "Enforce specific conditions for specific actions"
 
+        # STATEMENT-LEVEL: Check individual statements (default)
         action_condition_requirements:
           # BASIC: Simple action with required condition
           - actions:
@@ -90,15 +93,56 @@ Configuration in iam-validator.yaml:
                 - "iam:*"
                 - "s3:DeleteBucket"
             description: "These dangerous actions should never be used"
+
+        # POLICY-LEVEL: Scan entire policy and enforce conditions across all matching statements
+        policy_level_requirements:
+          # Example: If ANY statement grants privilege escalation actions,
+          # then ALL such statements must have MFA
+          - actions:
+              any_of:
+                - "iam:CreateUser"
+                - "iam:AttachUserPolicy"
+                - "iam:PutUserPolicy"
+            scope: "policy"
+            required_conditions:
+              - condition_key: "aws:MultiFactorAuthPresent"
+                expected_value: true
+            description: "Privilege escalation actions require MFA across entire policy"
+            severity: "critical"
+
+          # Example: All admin actions across the policy must have MFA
+          - actions:
+              any_of:
+                - "iam:*"
+                - "s3:*"
+            scope: "policy"
+            required_conditions:
+              all_of:
+                - condition_key: "aws:MultiFactorAuthPresent"
+                  expected_value: true
+                - condition_key: "aws:SourceIp"
+            apply_to: "all_matching_statements"
+
+          # Example: Ensure no statement in the policy allows dangerous combinations
+          - actions:
+              all_of:
+                - "iam:CreateAccessKey"
+                - "iam:UpdateAccessKey"
+            scope: "policy"
+            severity: "critical"
+            description: "Dangerous combination of actions detected in policy"
 """
 
 import re
-from typing import Any
+from typing import TYPE_CHECKING, Any
 
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
 
 class ActionConditionEnforcementCheck(PolicyCheck):
     """Enforces specific condition requirements for specific actions with all_of/any_of support."""
@@ -122,7 +166,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
     ) -> list[ValidationIssue]:
-        """Execute condition enforcement check."""
+        """Execute statement-level condition enforcement check."""
         issues = []
 
         # Only check Allow statements
@@ -186,6 +230,124 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
         return issues
 
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """
+        Execute policy-level condition enforcement check.
+
+        This method scans the entire policy and enforces that ALL statements granting
+        certain actions must have specific conditions. This is useful for ensuring
+        consistent security controls across the entire policy.
+
+        Example use case:
+        - "If ANY statement in the policy grants iam:CreateUser, iam:AttachUserPolicy,
+          or iam:PutUserPolicy, then ALL such statements must have MFA condition."
+
+        Args:
+            policy: The complete IAM policy to check
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher for validation against AWS APIs
+            config: Configuration for this check instance
+            **kwargs: Additional context (policy_type, etc.)
+
+        Returns:
+            List of ValidationIssue objects found by this check
+        """
+        del policy_file, kwargs  # Not used in current implementation
+        issues = []
+
+        # Get policy-level requirements from config
+        policy_level_requirements = config.config.get("policy_level_requirements", [])
+        if not policy_level_requirements:
+            return issues
+
+        # Process each policy-level requirement
+        for requirement in policy_level_requirements:
+            # Collect all statements that match the action criteria
+            matching_statements: list[tuple[int, Statement, list[str]]] = []
+
+            for idx, statement in enumerate(policy.statement):
+                # Only check Allow statements
+                if statement.effect != "Allow":
+                    continue
+
+                statement_actions = statement.get_actions()
+
+                # Check if this statement matches the action requirement
+                actions_match, matching_actions = await self._check_action_match(
+                    statement_actions, requirement, fetcher
+                )
+
+                if actions_match and matching_actions:
+                    matching_statements.append((idx, statement, matching_actions))
+
+            # If no statements match, skip this requirement
+            if not matching_statements:
+                continue
+
+            # Now validate that ALL matching statements have the required conditions
+            required_conditions_config = requirement.get("required_conditions", [])
+            if not required_conditions_config:
+                # No conditions specified, just report that actions were found
+                description = requirement.get("description", "")
+                severity = requirement.get("severity", self.get_severity(config))
+
+                # Create a summary issue for all matching statements
+                all_actions = set()
+                statement_refs = []
+                for idx, stmt, actions in matching_statements:
+                    all_actions.update(actions)
+                    sid_info = f" (SID: {stmt.sid})" if stmt.sid else ""
+                    statement_refs.append(f"Statement #{idx + 1}{sid_info}")
+
+                # Use the first matching statement's index for the issue
+                first_idx, first_stmt, _ = matching_statements[0]
+
+                issues.append(
+                    ValidationIssue(
+                        severity=severity,
+                        statement_sid=first_stmt.sid,
+                        statement_index=first_idx,
+                        issue_type="policy_level_action_detected",
+                        message=f"POLICY-LEVEL: Actions {sorted(all_actions)} found in {len(matching_statements)} statement(s). {description}",
+                        action=", ".join(sorted(all_actions)),
+                        suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
+                        line_number=first_stmt.line_number,
+                    )
+                )
+                continue
+
+            # Validate conditions for each matching statement
+            for idx, statement, matching_actions in matching_statements:
+                condition_issues = self._validate_conditions(
+                    statement,
+                    idx,
+                    required_conditions_config,
+                    matching_actions,
+                    config,
+                    requirement,
+                )
+
+                # Add policy-level context to each issue
+                for issue in condition_issues:
+                    # Modify the message to indicate this is part of policy-level enforcement
+                    issue.message = f"POLICY-LEVEL: {issue.message}"
+                    issue.suggestion = (
+                        f"{issue.suggestion}\n\n"
+                        f"Note: This is enforced at the policy level. "
+                        f"Found {len(matching_statements)} statement(s) with these actions in the policy."
+                    )
+
+                issues.extend(condition_issues)
+
+        return issues
+
     async def _check_action_match(
         self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
     ) -> tuple[bool, list[str]]: