iam-policy-validator 1.7.0__py3-none-any.whl → 1.7.2__py3-none-any.whl

iam_policy_validator-1.7.2.dist-info/METADATA

@@ -0,0 +1,428 @@
+Metadata-Version: 2.4
+Name: iam-policy-validator
+Version: 1.7.2
+Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
+Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
+Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
+Project-URL: Repository, https://github.com/boogy/iam-policy-validator
+Project-URL: Issues, https://github.com/boogy/iam-policy-validator/issues
+Project-URL: Changelog, https://github.com/boogy/iam-policy-validator/blob/main/docs/CHANGELOG.md
+Author-email: boogy <0xboogy@gmail.com>
+License: MIT
+License-File: LICENSE
+Keywords: aws,github-action,iam,policy,security,validation
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.10
+Requires-Dist: boto3>=1.28.0
+Requires-Dist: botocore>=1.40.55
+Requires-Dist: httpx[http2]>=0.27.0
+Requires-Dist: pydantic>=2.0.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: rich>=13.0.0
+Provides-Extra: dev
+Requires-Dist: mypy>=1.0.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.21.0; extra == 'dev'
+Requires-Dist: pytest-benchmark>=4.0.0; extra == 'dev'
+Requires-Dist: pytest-cov>=7.0.0; extra == 'dev'
+Requires-Dist: pytest>=7.0.0; extra == 'dev'
+Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Requires-Dist: types-boto3; extra == 'dev'
+Requires-Dist: types-pyyaml; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# IAM Policy Validator
+
+> **⚡ Catch IAM policy security issues and errors before they reach production** - A comprehensive validation tool for AWS IAM policies with built-in security checks and optional AWS Access Analyzer integration.
+
+[![GitHub Actions](https://img.shields.io/badge/GitHub%20Actions-Ready-blue)](https://github.com/marketplace/actions/iam-policy-validator)
+[![Python 3.12+](https://img.shields.io/badge/python-3.12+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/boogy/iam-policy-validator/badge)](https://scorecard.dev/viewer/?uri=github.com/boogy/iam-policy-validator)
+
+## 🚀 Why IAM Policy Validator?
+
+**IAM policy errors are costly and dangerous.** A single misconfigured policy can:
+- ❌ Grant unintended admin access (privilege escalation)
+- ❌ Expose sensitive data to the public
+- ❌ Break production deployments with invalid syntax
+- ❌ Create security vulnerabilities that persist for months
+
+**This tool prevents these issues** by:
+- ✅ **Dual validation** - built-in checks + optional AWS Access Analyzer
+- ✅ **Catches real threats** - Privilege escalation, wildcards, missing conditions
+- ✅ **PR integration** - Automated validation in GitHub Actions
+- ✅ **Saves security team time** - Catches common issues before manual review
+- ✅ **Developer-friendly** - Clear errors with fix suggestions
+- ✅ **Zero setup** - Works as a GitHub Action out of the box
+
+## ✨ What Makes It Special
+
+### 🔍 Two Validation Layers
+
+**1. Built-in Checks (No AWS Credentials Required)**
+- **Security & Compliance Checks** - Works offline, no AWS account needed
+- **Privilege Escalation Detection** - Detects dangerous IAM actions and configurable combination patterns
+- **Wildcard Analysis** - Catches overly permissive wildcards (`*`, `s3:*`)
+- **Sensitive Action Enforcement** - 490 actions requiring conditions (MFA, IP, tags)
+- **AWS Requirements Validation** - Actions, conditions, ARN formats, policy size
+
+**2. AWS Access Analyzer (Optional)**
+- **Official AWS Validation** - Syntax, semantics, and security checks
+- **Public Access Detection** - Checks 29+ resource types (S3, Lambda, SNS, etc.)
+- **Policy Comparison** - Detect new permissions vs baseline
+- **Cross-account Analysis** - Validates external access
+
+### 🎯 Developer Experience
+- **Auto-detects IAM policies** - Scans mixed JSON/YAML repos automatically
+- **PR comments & reviews** - Line-specific feedback in GitHub
+- **7 output formats** - Console, JSON, Markdown, SARIF, CSV, HTML, Enhanced
+- **Extensible** - Add custom checks via Python plugins
+
+**📖 See [full feature documentation](docs/README.md) for details**
+
+## 📈 What It Catches
+
+### Example 1: Privilege Escalation (Built-in Check)
+```json
+{
+  "Statement": [
+    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
+    {"Effect": "Allow", "Action": "iam:AttachUserPolicy", "Resource": "*"}
+  ]
+}
+```
+
+**Detected:**
+```
+🚨 CRITICAL: Privilege escalation risk detected!
+Actions ['iam:CreateUser', 'iam:AttachUserPolicy'] enable:
+  1. Create new IAM user
+  2. Attach AdministratorAccess to that user
+  3. Gain full AWS account access
+```
+
+### Example 2: Overly Permissive Wildcards (Built-in Check)
+```json
+{
+  "Effect": "Allow",
+  "Action": "s3:*",
+  "Resource": "*"
+}
+```
+
+**Detected:**
+```
+❌ HIGH: Service wildcard 's3:*' detected
+❌ MEDIUM: Wildcard resource '*' - applies to all S3 buckets
+❌ CRITICAL: Full wildcard (Action + Resource) grants excessive access
+```
+
+### Example 3: Missing Required Conditions (Built-in Check)
+```json
+{
+  "Effect": "Allow",
+  "Action": "iam:PassRole",
+  "Resource": "*"
+}
+```
+
+**Detected:**
+```
+❌ HIGH: iam:PassRole missing required condition
+💡 Add condition: iam:PassedToService to restrict role passing
+```
+
+### Example 4: Public Access (Access Analyzer - Optional)
+```json
+{
+  "Principal": "*",
+  "Action": "s3:GetObject",
+  "Resource": "arn:aws:s3:::private-bucket/*"
+}
+```
+
+**Detected:**
+```
+🛑 CRITICAL: Resource policy allows public internet access
+Principal "*" grants world-readable access to S3 bucket
+💡 Use specific AWS principals or add aws:SourceIp conditions
+```
+
+## Quick Start
+
+### GitHub Action (Recommended)
+
+Create `.github/workflows/iam-validator.yml`:
+
+```yaml
+name: IAM Policy Validation
+
+on:
+  pull_request:
+    paths: ['policies/**/*.json']
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v5
+      - uses: boogy/iam-policy-validator@v1
+        with:
+          path: policies/
+          fail-on-warnings: true
+```
+
+**With AWS Access Analyzer (optional):**
+```yaml
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
+          aws-region: us-east-1
+      - uses: boogy/iam-policy-validator@v1
+        with:
+          path: policies/
+          use-access-analyzer: true
+          run-all-checks: true  # Run both Access Analyzer + built-in checks
+```
+
+**📖 For all GitHub Action inputs and advanced workflows, see [GitHub Actions Guide](docs/github-actions-workflows.md)**
+
+### CLI Tool
+
+```bash
+# Install
+pip install iam-policy-validator
+
+# Validate (built-in checks only - no AWS credentials needed)
+iam-validator validate --path ./policies/
+
+# Validate with AWS Access Analyzer (requires AWS credentials)
+iam-validator analyze --path ./policies/
+
+# With both Access Analyzer + built-in checks
+iam-validator analyze --path ./policies/ --run-all-checks
+
+# Different policy types
+iam-validator validate --path ./policies/ --policy-type RESOURCE_POLICY
+
+# Output formats
+iam-validator validate --path ./policies/ --format json --output report.json
+```
+
+**📖 See [CLI documentation](docs/README.md) for all commands and options**
+
+### Python Library
+
+```python
+from iam_validator.core.policy_loader import PolicyLoader
+from iam_validator.core.policy_checks import validate_policies
+
+# Load and validate
+loader = PolicyLoader()
+policies = loader.load_from_path("./policies")
+results = await validate_policies(policies)
+```
+
+**📖 See [Python Library Guide](docs/python-library-usage.md) for complete examples**
+
+## Built-in Validation Checks
+
+**All checks are fully configurable** - Enable/disable checks, adjust severity levels, add custom requirements, and define ignore patterns through the configuration file.
+
+### AWS Correctness Checks (12)
+Validates policies against AWS IAM requirements:
+- **Action validation** - Verify actions exist in AWS services
+- **Condition key validation** - Check condition keys are valid for actions
+- **Condition type matching** - Ensure condition values match expected types
+- **Resource ARN validation** - Validate ARN formats and patterns
+- **Principal validation** - Check principal formats (resource policies)
+- **Policy size limits** - Enforce AWS size constraints
+- **SID uniqueness** - Ensure statement IDs are unique
+- **Set operator validation** - Validate ForAllValues/ForAnyValue usage
+- **MFA condition patterns** - Detect common MFA anti-patterns
+- **Policy type validation** - Enforce policy type requirements (RCP, SCP, etc.)
+- **Action-resource matching** - Detect impossible action-resource combinations
+- **Action-resource constraints** - Validate service-specific constraints
+
+### Security Best Practices (6)
+Identifies security risks and overly permissive permissions:
+- **Wildcard action** (`Action: "*"`)
+- **Wildcard resource** (`Resource: "*"`)
+- **Full wildcard** (CRITICAL: both `Action: "*"` and `Resource: "*"`)
+- **Service wildcards** (`s3:*`, `iam:*`, etc.)
+- **Sensitive actions** - ~490 actions across 4 risk categories requiring conditions
+- **Action condition enforcement** - Enforce required conditions (MFA, IP, SourceArn, etc.)
+
+### Configuration & Customization
+
+All checks can be customized via a yaml configuration file ex: `.iam-validator.yaml`:
+
+```yaml
+settings:
+  enable_builtin_checks: true
+  fail_on_severity: high
+
+# Customize individual checks
+wildcard_action:
+  enabled: true
+  severity: critical
+
+# Detect privilege escalation patterns
+sensitive_action:
+  enabled: true
+  severity: critical
+  sensitive_actions:
+    # all_of: Detects when ALL actions exist across the entire policy
+    # (checks multiple statements - finds scattered dangerous combinations)
+    - all_of:
+        - "iam:CreateUser"
+        - "iam:AttachUserPolicy"
+
+    # any_of: Detects when ANY action exists in a single statement
+    # (per-statement check - flags individual dangerous actions)
+    - any_of:
+        - "iam:PutUserPolicy"
+        - "iam:PutGroupPolicy"
+        - "iam:PutRolePolicy"
+
+    # Lambda backdoor: Needs both actions somewhere in policy
+    - all_of:
+        - "lambda:CreateFunction"
+        - "iam:PassRole"
+
+    # Regex patterns work with all_of (policy-wide check)
+    - all_of:
+        - "iam:Create.*"  # Any IAM Create action
+        - "iam:Attach.*"  # Any IAM Attach action
+
+# Enforce required conditions for sensitive actions
+action_condition_enforcement:
+  enabled: true
+  action_condition_requirements:
+    - actions: ["iam:PassRole"]
+      severity: critical
+      required_conditions:
+        - condition_key: "iam:PassedToService"
+
+# Ignore specific patterns
+ignore_patterns:
+  - filepath: "terraform/modules/admin/*.json"
+  - action: "s3:*"
+    filepath: "policies/s3-admin-policy.json"
+```
+
+**📖 Complete documentation:**
+- [Check Reference Guide](docs/check-reference.md) - All 18 checks with examples
+- [Configuration Guide](docs/configuration.md) - Full configuration options
+- [Condition Requirements](docs/condition-requirements.md) - Action-specific requirements
+- [Privilege Escalation Detection](docs/privilege-escalation.md) - How privilege escalation works
+
+## Output Formats & GitHub Integration
+
+### Output Formats
+- **Console** - Clean terminal output with colors
+- **Enhanced** - Visual output with progress bars
+- **JSON** - Structured data for automation
+- **Markdown** - GitHub PR comments
+- **SARIF** - GitHub Code Scanning integration
+- **CSV** - Spreadsheet analysis
+- **HTML** - Interactive reports
+
+### GitHub PR Integration
+
+**Three comment modes (use any combination):**
+- `--github-comment` - Summary in PR conversation
+- `--github-review` - Line-specific review comments on files
+- `--github-summary` - Overview in GitHub Actions summary tab
+
+**Smart comment management:**
+- Automatically cleans up old comments from previous runs
+- Updates summaries instead of duplicating
+- No stale comments left behind
+
+**📖 See [GitHub Integration Guide](docs/github-actions-workflows.md) for detailed examples**
+
+## AWS Access Analyzer (Optional)
+
+In addition to the 18 built-in checks, optionally enable AWS Access Analyzer for additional validation capabilities that require AWS credentials:
+
+### Access Analyzer Capabilities
+
+**Custom Policy Checks:**
+- `check-access-not-granted` - Verify policies DON'T grant specific actions (max 100 actions)
+- `check-no-new-access` - Compare against baseline to detect permission creep
+- `check-no-public-access` - Validate 29+ resource types for public exposure
+
+**Example:**
+```bash
+# Prevent dangerous actions
+iam-validator analyze --path policies/ \
+  --check-access-not-granted "s3:DeleteBucket iam:AttachUserPolicy"
+
+# Compare against baseline
+iam-validator analyze --path new-policy.json \
+  --check-no-new-access baseline-policy.json
+
+# Check for public access
+iam-validator analyze --path bucket-policy.json \
+  --policy-type RESOURCE_POLICY \
+  --check-no-public-access \
+  --public-access-resource-type "AWS::S3::Bucket"
+```
+
+**Supported Policy Types:**
+- `IDENTITY_POLICY` (default) - User/role policies
+- `RESOURCE_POLICY` - S3, SNS, KMS resource policies
+- `SERVICE_CONTROL_POLICY` - AWS Organizations SCPs
+- `RESOURCE_CONTROL_POLICY` - AWS Organizations RCPs (2024)
+
+**📖 See [Access Analyzer documentation](docs/custom-checks.md) for complete details**
+
+## 📚 Documentation
+
+**Guides:**
+- [Check Reference](docs/check-reference.md) - All 18 checks with examples
+- [Configuration Guide](docs/configuration.md) - Customize checks and behavior
+- [GitHub Actions Guide](docs/github-actions-workflows.md) - CI/CD integration
+- [Python Library Guide](docs/python-library-usage.md) - Use as Python package
+- [Contributing Guide](CONTRIBUTING.md) - How to contribute
+
+**Examples:**
+- [Configuration Examples](examples/configs/) - 9 config file templates
+- [Workflow Examples](examples/github-actions/) - GitHub Actions workflows
+- [Custom Checks](examples/custom_checks/) - Add your own validation rules
+
+## 🤝 Contributing
+
+Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
+
+**Quick start:**
+```bash
+git clone https://github.com/YOUR-USERNAME/iam-policy-validator.git
+cd iam-policy-validator
+uv sync --extra dev
+uv run pytest
+```
+
+## 📄 License
+
+MIT License - see [LICENSE](LICENSE) file for details.
+
+**Third-party code:** ARN pattern matching in [iam_validator/sdk/arn_matching.py](iam_validator/sdk/arn_matching.py) is derived from [Parliament](https://github.com/duo-labs/parliament) (BSD 3-Clause License).
+
+## 🆘 Support
+
+- **Issues**: [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)

{iam_policy_validator-1.7.0.dist-info → iam_policy_validator-1.7.2.dist-info}/RECORD

@@ -1,70 +1,70 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=FNrocEukG5quczKGW_qtlYvs4m4L6shLFDfOqT0Q7bE,206
+iam_validator/__version__.py,sha256=0niAY6KgsXeeyFV5nTmvfvem16X3OTrO_DItEqsW74A,361
 iam_validator/checks/__init__.py,sha256=eDiDlVon0CwWGSBnZgM-arn1i5R5ZSG89pgR-ifETxE,1782
-iam_validator/checks/action_condition_enforcement.py,sha256=_yyWFHTNwIYYf8neSMK4EmFfqBgJvBb3nuCerZPE2a4,36587
-iam_validator/checks/action_resource_matching.py,sha256=X9dqWy1s_-h1rA81wZRLOxAVLmUHlGVPjxMo0WKIlwM,17433
+iam_validator/checks/action_condition_enforcement.py,sha256=VhFEGbkcgkRwNRRuslvat5uib2tlH2Nr6sltbAQTs6I,36834
+iam_validator/checks/action_resource_matching.py,sha256=sk67jcDF1WzW4tPgcRSdTj4UBe2stALdwHx5ViVA9dU,19207
 iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
-iam_validator/checks/condition_key_validation.py,sha256=E-doe2QjvKSkyjXZO9TBp0QS7M0Fv2oYYQQ9738QNxg,3918
-iam_validator/checks/condition_type_mismatch.py,sha256=qAbP6pP_vM1aBvIBRHji56XLH_5cQI4cDhpMQe19CHM,10588
-iam_validator/checks/full_wildcard.py,sha256=0_F6h4goWlc3DuZwo1F9YGw5hvpnkfZxYSDxhXXK50I,2449
-iam_validator/checks/mfa_condition_check.py,sha256=s7K2r9hxlJI1KWk8qXl-JOWE6jLIhpxooK26Pr7acKs,4915
+iam_validator/checks/condition_key_validation.py,sha256=10XxTwIcr887CbgmN90jfRZabj5RHo08dGa8csM50Fo,3980
+iam_validator/checks/condition_type_mismatch.py,sha256=JyiAOyUZShzXZI8dgycL4oqwRkpJYUPwoGX4zigsi5I,10613
+iam_validator/checks/full_wildcard.py,sha256=ywD762BOV8WxFuTTARkaGMJn27f3ZZVuZUjKo8URnTc,2281
+iam_validator/checks/mfa_condition_check.py,sha256=YCBX3tFTQRmVTAed_W-Tu1b6WqD2LBYyom53P7lBjh4,4935
 iam_validator/checks/policy_size.py,sha256=ibgmrErpkz6OfUAN6bFuHe1KHzpzzra9gHwNtVAkPWc,5729
 iam_validator/checks/policy_type_validation.py,sha256=9qmrA8CXwsVpCU4rT0RrqDXgVOzNamMEpdg3cXWAtBI,15213
-iam_validator/checks/principal_validation.py,sha256=Bm4pH6eiJLDa9ID7UyM63phgffh-P5DpPpSBUbYyVn8,29851
+iam_validator/checks/principal_validation.py,sha256=gTv_TqJDspGEX3iJkHXrw3DyKMJeyE33uQakZ0PjNoo,29969
 iam_validator/checks/resource_validation.py,sha256=fGi9QuX-lIHDtLm8xB3VReFFhbZpQ2Yub-FKRafQCkw,5984
-iam_validator/checks/sensitive_action.py,sha256=mdl4g67HBioYTvAvar9CaTjxfaPvpYkNo9phL4E1c1w,9794
-iam_validator/checks/service_wildcard.py,sha256=CiQQoti06nqVgvH-HpBIjoW23tnTJqDU4S-ZnM1DwsA,4218
+iam_validator/checks/sensitive_action.py,sha256=0vuhF1UkAH_vxhfHsC8xk68aJXHvI7c9KTLcJFNlnHM,9652
+iam_validator/checks/service_wildcard.py,sha256=1ynXLG6_82SIH8aHP88qQojJf38ZH0agnSmHp0VkZ98,4010
 iam_validator/checks/set_operator_validation.py,sha256=1XjOdf-xk-m6m1bODuHsELZccriGqOJTDI-HCcuId80,7464
-iam_validator/checks/sid_uniqueness.py,sha256=1Ux9W1hPPhzgdCzfxwxvD-nSBRo1SyrxFWlnTXDcOys,6887
-iam_validator/checks/wildcard_action.py,sha256=XAVuk5L9dQqiWPgd3HJXGNmYr2bh2szJMVVcHSBXb_8,2140
-iam_validator/checks/wildcard_resource.py,sha256=IEpyoU4mA3t2kRxSwVavtROYIyF0Bq1xZJAL9P7XbVQ,5582
+iam_validator/checks/sid_uniqueness.py,sha256=yWNHyy002aIHxJKtHeYpYds7bKgreL0BvQmRkI2UwvQ,6891
+iam_validator/checks/wildcard_action.py,sha256=f1QZ68eHzQwCTeYY_9UiYaMxUaq7XYia6DaBjIspZ2A,1972
+iam_validator/checks/wildcard_resource.py,sha256=GNpbk7WDExHG6Yqu4_gxeRCK6NUEL8TFjgbvaHgg7V0,5414
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
-iam_validator/checks/utils/sensitive_action_matcher.py,sha256=e67RIi-zg7ssFwq6x4kt4wsTF-brNz91KaBxgV-23jg,10687
-iam_validator/checks/utils/wildcard_expansion.py,sha256=V3V_KRpapOzPBhpUObJjGHoMhvCH90QvDxppeEHIG_U,3152
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=tcWK4nImpSVNia0FUsN2uLK9LM5EnzjRFtaPQLHZaLw,10667
+iam_validator/checks/utils/wildcard_expansion.py,sha256=fSSoquVdVZaVWS_qBxAx7LMOzxgHed4ffQ6OAZnuqos,3132
 iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=rvLBJ5_A3HB530xtixhaIsC19QON68olEQnn8TievgI,20784
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=p4ucRVuh42sbK3Lk0b610L3ofAR5TnUreF00fpO6VFg,14219
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=Eik-w613zCnX7hUHziBq4k5la3e3qJ0CO1__7aw-gBk,23554
+iam_validator/commands/validate.py,sha256=2v91ogbEzKfjk2u6Y4NO0yvsCOwxi9jXoqD7acBbVTE,23624
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=8GgkR-vCkCtSxtXGywvQNBPYq-rvDLexUuLSyflq0V4,24520
 iam_validator/core/access_analyzer_report.py,sha256=O17gagknvkNMTTlq7BrLM68FjlCEm4LjIKD9oqxEbPg,24860
-iam_validator/core/aws_fetcher.py,sha256=cZFo5JMSoNLx1tpM6NzYr2cnq8Bvc2KQx2nJDmo69lc,36504
+iam_validator/core/aws_fetcher.py,sha256=obTzxHD9pMsWo-SojSOeWyw2s2_St-LNgbmh5BGEM9c,41215
 iam_validator/core/check_registry.py,sha256=cMjtJROkZOLzXxl-mTdLYHdxyajNnOsaHGs-EeaSZ7k,21741
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
-iam_validator/core/constants.py,sha256=oblMWsjoroIhwjYgZdcyLxaATsGeR99zQwRg6h59Nlo,3145
-iam_validator/core/models.py,sha256=59yqvHoX3nCSJyQDmWCuEsQzNz9PNiF7um7A1wti-2w,12176
-iam_validator/core/policy_checks.py,sha256=Uz2yCsqRaoIja31F4ZM-39a1pHv51yZqKyWWkGUZKNY,26489
-iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
+iam_validator/core/constants.py,sha256=H3eH0yddn5Dk-xZxJWtuvluRIpuXKYGiiteBSHPpJoI,5560
+iam_validator/core/models.py,sha256=55BCSqqJiAN96SFwK3tiTy6fhu6YBL6avKo8VpCpy2A,12766
+iam_validator/core/policy_checks.py,sha256=3UMLl8SQ4oJLTU1kwscvh7c7gpT5QtjITk_bJCJ_rzs,26616
+iam_validator/core/policy_loader.py,sha256=HVEnaXhQwrb9WbXpu0tn8SJBvHNW9UgDO6w4zLjLsu0,16776
 iam_validator/core/pr_commenter.py,sha256=MU-t7SfdHUpSc6BDbh8_dNAbxDiG-bZBCry-jUXivAc,15066
-iam_validator/core/report.py,sha256=j6uWlFL6Xavl4BnpaQtQoxFOEgKEiuY0IYBq8I9DH5Q,34134
+iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
 iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
 iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
 iam_validator/core/config/condition_requirements.py,sha256=1PuADTB9pLqh-kNUGC7kSU6LMLtXMSc003tvI7qKeAY,5170
-iam_validator/core/config/config_loader.py,sha256=7YkuPnroR-Up5CUTQOXIyS_b732WrzNn8o1EH9O6lyI,17730
-iam_validator/core/config/defaults.py,sha256=w5ievxkqki3zYr7NaREoWtVx5rTfxBpZlgoNdovcILs,27112
+iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
+iam_validator/core/config/defaults.py,sha256=mCOr_YgiRQp6fThtxrcjMtm-LPdZQbd6AS16gLzV17c,27589
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
 iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
-iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
-iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
-iam_validator/core/formatters/enhanced.py,sha256=S0UgYKFOgILfOqwnBC8-WFab3F1CiEko33g0nbaswtk,17085
+iam_validator/core/formatters/console.py,sha256=FdTp7AzeILCWrUynSvSew8QJKGOMJaAA9_YiQJd-uco,2196
+iam_validator/core/formatters/csv.py,sha256=pPqgvGh4KtD5Qm36xnMaDAavXYR6MlQhs4zbcrxT550,5941
+iam_validator/core/formatters/enhanced.py,sha256=TVtkcTIow8NGoLhG45-5ms-_PTxyxMcAHxf_uPMyKAc,18155
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
-iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
+iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=QoPkaxdRDQTzmHN4cKEXoGcn8BRv37JW4IvD2W5jEtc,26474
+iam_validator/integrations/github_integration.py,sha256=EnrolMq3uZbKWPxUMhYnqcKAfic6Fb8qJzieDruKqsc,26485
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
 iam_validator/sdk/__init__.py,sha256=fRDSXAclGmCU3KDft4StL8JUcpAsdzwIRf8mVj461q0,5306
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
@@ -73,11 +73,12 @@ iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP
 iam_validator/sdk/helpers.py,sha256=OVBg4xrW95LT74wXCg1LQkba9kw5RfFqeCLuTqhgL-A,5697
 iam_validator/sdk/policy_utils.py,sha256=CZS1OGSdiWsd2lsCwg0BDcUNWa61tUwgvn-P5rKqeN8,12987
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
-iam_validator/utils/__init__.py,sha256=V8u-SSdnL4a7NwF-yg9x0JRl5epKAXEs2f5RiwK2qPo,856
+iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
-iam_validator/utils/regex.py,sha256=PMVCYxjlVa2zLNEnIU3upQCSIhPazlXWg_sJClIiqiM,6221
-iam_policy_validator-1.7.0.dist-info/METADATA,sha256=gPtC5f-uipnujGSzMvZdgqR4LPpOTpS-KunMejzpsIo,36979
-iam_policy_validator-1.7.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.7.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.7.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.7.0.dist-info/RECORD,,
+iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
+iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
+iam_policy_validator-1.7.2.dist-info/METADATA,sha256=fwySi0xxZPeiRTXyYfmp8YZPNyphy8HylBzhSXkNNG0,15244
+iam_policy_validator-1.7.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.7.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.7.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.7.2.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.7.0"
-__version_info__ = tuple(int(part) for part in __version__.split("."))
+__version__ = "1.7.2"
+# Parse version, handling pre-release suffixes like -rc, -alpha, -beta
+_version_base = __version__.split("-")[0]  # Remove pre-release suffix if present
+__version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -349,7 +349,10 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         return issues
 
     async def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
+        self,
+        statement_actions: list[str],
+        requirement: dict[str, Any],
+        fetcher: AWSServiceFetcher,
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -491,6 +494,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 if re.match(f"^{wildcard_pattern}$", statement_action):
                     return True
             except re.error:
+                # Invalid regex pattern - skip this match attempt
                 pass
 
         # AWS wildcard match in statement_action (e.g., "iam:Creat*" in policy)
@@ -507,6 +511,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                     if re.match(f"^{stmt_wildcard_pattern}$", required_action):
                         return True
                 except re.error:
+                    # Invalid regex pattern - skip this match attempt
                     pass
 
             # Check if statement wildcard overlaps with any of our action patterns
@@ -764,6 +769,10 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             or self.get_severity(config)  # Global check severity
         )
 
+        suggestion_text, example_code = self._build_suggestion(
+            condition_key, description, example, expected_value, operator
+        )
+
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
@@ -772,9 +781,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
             action=", ".join(matching_actions),
             condition_key=condition_key,
-            suggestion=self._build_suggestion(
-                condition_key, description, example, expected_value, operator
-            ),
+            suggestion=suggestion_text,
+            example=example_code,
             line_number=statement.line_number,
         )
 
@@ -785,19 +793,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         example: str,
         expected_value: Any = None,
         operator: str = "StringEquals",
-    ) -> str:
-        """Build a helpful suggestion for adding the missing condition."""
-        parts = []
+    ) -> tuple[str, str]:
+        """Build suggestion and example for adding the missing condition.
 
-        if description:
-            parts.append(description)
+        Returns:
+            Tuple of (suggestion_text, example_code)
+        """
+        suggestion = description if description else f"Add condition: {condition_key}"
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n```json\n{example}\n```")
+            example_code = example
         else:
             # Auto-generate example
-            example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']
+            example_lines = [f'  "{operator}": {{']
 
             if isinstance(expected_value, list):
                 value_str = (
@@ -824,9 +833,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             example_lines.append(f'    "{condition_key}": {value_str}')
             example_lines.append("  }")
 
-            parts.append("\n".join(example_lines))
+            example_code = "\n".join(example_lines)
 
-        return ". ".join(parts) if parts else f"Add condition: {condition_key}"
+        return suggestion, example_code
 
     def _build_any_of_suggestion(self, any_of_conditions: list[dict[str, Any]]) -> str:
         """Build suggestion for any_of conditions."""