iam-policy-validator 1.7.0__py3-none-any.whl

iam_validator/checks/resource_validation.py

@@ -0,0 +1,138 @@
+"""Resource validation check - validates ARN formats."""
+
+import re
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.constants import DEFAULT_ARN_VALIDATION_PATTERN, MAX_ARN_LENGTH
+from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.sdk.arn_matching import (
+    has_template_variables,
+    normalize_template_variables,
+)
+
+
+class ResourceValidationCheck(PolicyCheck):
+    """Validates ARN format for resources."""
+
+    @property
+    def check_id(self) -> str:
+        return "resource_validation"
+
+    @property
+    def description(self) -> str:
+        return "Validates ARN format for resources"
+
+    @property
+    def default_severity(self) -> str:
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute resource ARN validation on a statement."""
+        issues = []
+
+        # Get resources from statement
+        resources = statement.get_resources()
+        statement_sid = statement.sid
+        line_number = statement.line_number
+
+        # Get ARN pattern from config, or use default
+        # Pattern allows wildcards (*) in region and account fields
+        arn_pattern_str = config.config.get("arn_pattern", DEFAULT_ARN_VALIDATION_PATTERN)
+
+        # Compile pattern
+        try:
+            arn_pattern = re.compile(arn_pattern_str)
+        except re.error:
+            # Fallback to default pattern if custom pattern is invalid
+            arn_pattern = re.compile(DEFAULT_ARN_VALIDATION_PATTERN)
+
+        # Check if template variable support is enabled (default: true)
+        # Try global settings first, then check-specific config
+        allow_template_variables = config.root_config.get("settings", {}).get(
+            "allow_template_variables",
+            config.config.get("allow_template_variables", True),
+        )
+
+        for resource in resources:
+            # Skip wildcard resources (handled by security checks)
+            if resource == "*":
+                continue
+
+            # Validate ARN length to prevent ReDoS attacks
+            if len(resource) > MAX_ARN_LENGTH:
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Resource ARN exceeds maximum length ({len(resource)} > {MAX_ARN_LENGTH}): {resource[:100]}...",
+                        resource=resource[:100] + "...",
+                        suggestion="ARN is too long and may be invalid",
+                        line_number=line_number,
+                    )
+                )
+                continue
+
+            # Check if resource contains template variables
+            has_templates = has_template_variables(resource)
+
+            # If template variables are found and allowed, normalize them for validation
+            validation_resource = resource
+            if has_templates and allow_template_variables:
+                validation_resource = normalize_template_variables(resource)
+
+            # Validate ARN format
+            try:
+                if not arn_pattern.match(validation_resource):
+                    # If original resource had templates and normalization didn't help,
+                    # provide a more informative message
+                    if has_templates and allow_template_variables:
+                        issues.append(
+                            ValidationIssue(
+                                severity=self.get_severity(config),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="invalid_resource",
+                                message=f"Invalid ARN format even after normalizing template variables: {resource}",
+                                resource=resource,
+                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource (template variables like ${aws_account_id} are supported)",
+                                line_number=line_number,
+                            )
+                        )
+                    else:
+                        issues.append(
+                            ValidationIssue(
+                                severity=self.get_severity(config),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="invalid_resource",
+                                message=f"Invalid ARN format: {resource}",
+                                resource=resource,
+                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource",
+                                line_number=line_number,
+                            )
+                        )
+            except Exception:
+                # If regex matching fails (shouldn't happen with length check), treat as invalid
+                issues.append(
+                    ValidationIssue(
+                        severity=self.get_severity(config),
+                        statement_sid=statement_sid,
+                        statement_index=statement_idx,
+                        issue_type="invalid_resource",
+                        message=f"Could not validate ARN format: {resource}",
+                        resource=resource,
+                        suggestion="ARN validation failed - may contain unexpected characters",
+                        line_number=line_number,
+                    )
+                )
+
+        return issues

iam_validator/checks/sensitive_action.py

@@ -0,0 +1,254 @@
+"""Sensitive action check - detects sensitive actions without IAM conditions."""
+
+from typing import TYPE_CHECKING
+
+from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
+from iam_validator.checks.utils.sensitive_action_matcher import (
+    DEFAULT_SENSITIVE_ACTIONS,
+    check_sensitive_actions,
+)
+from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.config.sensitive_actions import get_category_for_action
+from iam_validator.core.models import Statement, ValidationIssue
+
+if TYPE_CHECKING:
+    from iam_validator.core.models import IAMPolicy
+
+
+class SensitiveActionCheck(PolicyCheck):
+    """Checks for sensitive actions without IAM conditions to limit their use."""
+
+    @property
+    def check_id(self) -> str:
+        return "sensitive_action"
+
+    @property
+    def description(self) -> str:
+        return "Checks for sensitive actions without conditions"
+
+    @property
+    def default_severity(self) -> str:
+        return "medium"
+
+    def _get_severity_for_action(self, action: str, config: CheckConfig) -> str:
+        """
+        Get severity for a specific action, considering category-based overrides.
+
+        Args:
+            action: The AWS action to check
+            config: Check configuration
+
+        Returns:
+            Severity level for the action (considers category overrides)
+        """
+        # Check if category severities are configured
+        category_severities = config.config.get("category_severities", {})
+        if not category_severities:
+            return self.get_severity(config)
+
+        # Get the category for this action
+        category = get_category_for_action(action)
+        if category and category in category_severities:
+            return category_severities[category]
+
+        # Fall back to default severity
+        return self.get_severity(config)
+
+    def _get_category_specific_suggestion(
+        self, action: str, config: CheckConfig
+    ) -> tuple[str, str]:
+        """
+        Get category-specific suggestion and example for an action.
+
+        Args:
+            action: The AWS action to check
+            config: Check configuration
+
+        Returns:
+            Tuple of (suggestion_text, example_text) tailored to the action's category
+        """
+        category = get_category_for_action(action)
+
+        # Get category suggestions from config (ABAC-focused by default)
+        # See: iam_validator/core/config/category_suggestions.py
+        category_suggestions = config.config.get("category_suggestions", {})
+
+        # Get category-specific content or fall back to generic ABAC guidance
+        if category and category in category_suggestions:
+            return (
+                category_suggestions[category]["suggestion"],
+                category_suggestions[category]["example"],
+            )
+
+        # Generic ABAC fallback for uncategorized actions
+        return (
+            "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
+            "• Match principal tags to resource tags (aws:PrincipalTag/X = aws:ResourceTag/X)\n"
+            "• Require MFA (aws:MultiFactorAuthPresent = true)\n"
+            "• Restrict by IP (aws:SourceIp) or VPC (aws:SourceVpc)",
+            '"Condition": {\n'
+            '  "StringEquals": {\n'
+            '    "aws:PrincipalTag/owner": "${aws:ResourceTag/owner}"\n'
+            "  }\n"
+            "}",
+        )
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute sensitive action check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        has_conditions = statement.condition is not None and len(statement.condition) > 0
+
+        # Expand wildcards to actual actions using AWS API
+        expanded_actions = await expand_wildcard_actions(actions, fetcher)
+
+        # Check if sensitive actions match using any_of/all_of logic
+        is_sensitive, matched_actions = check_sensitive_actions(
+            expanded_actions, config, DEFAULT_SENSITIVE_ACTIONS
+        )
+
+        if is_sensitive and not has_conditions:
+            # Create appropriate message based on matched actions using configurable templates
+            if len(matched_actions) == 1:
+                message_template = config.config.get(
+                    "message_single",
+                    "Sensitive action '{action}' should have conditions to limit when it can be used",
+                )
+                message = message_template.format(action=matched_actions[0])
+            else:
+                action_list = "', '".join(matched_actions)
+                message_template = config.config.get(
+                    "message_multiple",
+                    "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                )
+                message = message_template.format(actions=action_list)
+
+            # Get category-specific suggestion and example (or use config defaults)
+            # Use the first matched action to determine the category
+            suggestion_text, example = self._get_category_specific_suggestion(
+                matched_actions[0], config
+            )
+
+            # Combine suggestion + example
+            suggestion = (
+                f"{suggestion_text}\n\nExample:\n```json\n{example}\n```"
+                if example
+                else suggestion_text
+            )
+
+            # Determine severity based on the highest severity action in the list
+            # If single action, use its category severity
+            # If multiple actions, use the highest severity among them
+            severity = self.get_severity(config)  # Default
+            if matched_actions:
+                # Get severity for first action (or highest if we want to be more sophisticated)
+                severity = self._get_severity_for_action(matched_actions[0], config)
+
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=statement.sid,
+                    statement_index=statement_idx,
+                    issue_type="missing_condition",
+                    message=message,
+                    action=(matched_actions[0] if len(matched_actions) == 1 else None),
+                    suggestion=suggestion,
+                    line_number=statement.line_number,
+                )
+            )
+
+        return issues
+
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """
+        Execute policy-level sensitive action checks.
+
+        This method examines the entire policy to detect privilege escalation patterns
+        and other security issues that span multiple statements.
+
+        Args:
+            policy: The complete IAM policy to check
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher for validation against AWS APIs
+            config: Configuration for this check instance
+
+        Returns:
+            List of ValidationIssue objects found by this check
+        """
+        del policy_file, fetcher  # Not used in current implementation
+        issues = []
+
+        # Collect all actions from all Allow statements across the entire policy
+        all_actions: set[str] = set()
+        statement_map: dict[
+            str, list[tuple[int, str | None]]
+        ] = {}  # action -> [(stmt_idx, sid), ...]
+
+        for idx, statement in enumerate(policy.statement):
+            if statement.effect == "Allow":
+                actions = statement.get_actions()
+                # Filter out wildcards for privilege escalation detection
+                filtered_actions = [a for a in actions if a != "*"]
+
+                for action in filtered_actions:
+                    all_actions.add(action)
+                    if action not in statement_map:
+                        statement_map[action] = []
+                    statement_map[action].append((idx, statement.sid))
+
+        # Get configuration for sensitive actions
+        sensitive_actions_config = config.config.get("sensitive_actions")
+        sensitive_patterns_config = config.config.get("sensitive_action_patterns")
+
+        # Check for privilege escalation patterns using all_of logic
+        # We need to check both exact actions and patterns
+        policy_issues = []
+
+        # Check sensitive_actions configuration
+        if sensitive_actions_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_actions_config,
+                    config,
+                    "actions",
+                    self.get_severity,
+                )
+            )
+
+        # Check sensitive_action_patterns configuration
+        if sensitive_patterns_config:
+            policy_issues.extend(
+                check_policy_level_actions(
+                    list(all_actions),
+                    statement_map,
+                    sensitive_patterns_config,
+                    config,
+                    "patterns",
+                    self.get_severity,
+                )
+            )
+
+        issues.extend(policy_issues)
+        return issues

iam_validator/checks/service_wildcard.py

@@ -0,0 +1,107 @@
+"""Service wildcard check - detects service-level wildcards like 'iam:*', 's3:*'."""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class ServiceWildcardCheck(PolicyCheck):
+    """Checks for service-level wildcards (e.g., 'iam:*', 's3:*') which grant all permissions for a service."""
+
+    @property
+    def check_id(self) -> str:
+        return "service_wildcard"
+
+    @property
+    def description(self) -> str:
+        return "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
+
+    @property
+    def default_severity(self) -> str:
+        return "high"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Execute service wildcard check on a statement."""
+        issues = []
+
+        # Only check Allow statements
+        if statement.effect != "Allow":
+            return issues
+
+        actions = statement.get_actions()
+        allowed_services = self._get_allowed_service_wildcards(config)
+
+        for action in actions:
+            # Skip full wildcard (covered by wildcard_action check)
+            if action == "*":
+                continue
+
+            # Check if it's a service-level wildcard (e.g., "iam:*", "s3:*")
+            if ":" in action and action.endswith(":*"):
+                service = action.split(":")[0]
+
+                # Check if this service is in the allowed list
+                if service not in allowed_services:
+                    # Get message template and replace placeholders
+                    message_template = config.config.get(
+                        "message",
+                        "Service-level wildcard '{action}' grants all permissions for {service} service",
+                    )
+                    suggestion_template = config.config.get(
+                        "suggestion",
+                        "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                    )
+                    example_template = config.config.get("example", "")
+
+                    message = message_template.format(action=action, service=service)
+                    suggestion_text = suggestion_template.format(action=action, service=service)
+                    example = (
+                        example_template.format(action=action, service=service)
+                        if example_template
+                        else ""
+                    )
+
+                    # Combine suggestion + example
+                    suggestion = (
+                        f"{suggestion_text}\nExample:\n```json\n{example}\n```"
+                        if example
+                        else suggestion_text
+                    )
+
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            statement_sid=statement.sid,
+                            statement_index=statement_idx,
+                            issue_type="overly_permissive",
+                            message=message,
+                            action=action,
+                            suggestion=suggestion,
+                            line_number=statement.line_number,
+                        )
+                    )
+
+        return issues
+
+    def _get_allowed_service_wildcards(self, config: CheckConfig) -> set[str]:
+        """
+        Get list of services that are allowed to use service-level wildcards.
+
+        This allows configuration like:
+          service_wildcard:
+            allowed_services:
+              - "logs"        # Allow "logs:*"
+              - "cloudwatch"  # Allow "cloudwatch:*"
+
+        Returns empty set if no exceptions are configured.
+        """
+        allowed = config.config.get("allowed_services", [])
+        if allowed and isinstance(allowed, list):
+            return set(allowed)
+        return set()

iam_validator/checks/set_operator_validation.py

@@ -0,0 +1,157 @@
+"""Set Operator Validation Check.
+
+Validates proper usage of ForAllValues and ForAnyValue set operators in IAM policies.
+
+Based on AWS IAM best practices:
+https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html
+"""
+
+from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.check_registry import CheckConfig, PolicyCheck
+from iam_validator.core.condition_validators import (
+    is_multivalued_context_key,
+    normalize_operator,
+)
+from iam_validator.core.models import Statement, ValidationIssue
+
+
+class SetOperatorValidationCheck(PolicyCheck):
+    """Check for proper usage of ForAllValues and ForAnyValue set operators."""
+
+    @property
+    def check_id(self) -> str:
+        """Unique identifier for this check."""
+        return "set_operator_validation"
+
+    @property
+    def description(self) -> str:
+        """Description of what this check does."""
+        return "Validates proper usage of ForAllValues and ForAnyValue set operators"
+
+    @property
+    def default_severity(self) -> str:
+        """Default severity level for issues found by this check."""
+        return "error"
+
+    async def execute(
+        self,
+        statement: Statement,
+        statement_idx: int,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """
+        Execute the set operator validation check.
+
+        Validates:
+        1. ForAllValues/ForAnyValue not used with single-valued context keys (anti-pattern)
+        2. ForAllValues with Allow effect includes Null condition check (security)
+        3. ForAnyValue with Deny effect includes Null condition check (predictability)
+
+        Args:
+            statement: The IAM statement to check
+            statement_idx: Index of this statement in the policy
+            fetcher: AWS service fetcher (unused but required by interface)
+            config: Check configuration
+
+        Returns:
+            List of validation issues found
+        """
+        issues = []
+
+        # Only check statements with conditions
+        if not statement.condition:
+            return issues
+
+        statement_sid = statement.sid
+        line_number = statement.line_number
+        effect = statement.effect
+
+        # Track which condition keys have set operators and Null checks
+        set_operator_keys: dict[str, str] = {}  # key -> operator prefix
+        null_checked_keys: set[str] = set()
+
+        # First pass: Identify set operators and Null checks
+        for operator, conditions in statement.condition.items():
+            base_operator, operator_type, set_prefix = normalize_operator(operator)
+
+            # Track Null checks
+            if base_operator == "Null":
+                for condition_key in conditions.keys():
+                    null_checked_keys.add(condition_key)
+
+            # Track set operators
+            if set_prefix in ["ForAllValues", "ForAnyValue"]:
+                for condition_key in conditions.keys():
+                    set_operator_keys[condition_key] = set_prefix
+
+        # Second pass: Validate set operator usage
+        for operator, conditions in statement.condition.items():
+            base_operator, operator_type, set_prefix = normalize_operator(operator)
+
+            if not set_prefix:
+                continue
+
+            # Check each condition key used with a set operator
+            for condition_key, condition_values in conditions.items():
+                # Issue 1: Set operator used with single-valued context key (anti-pattern)
+                if not is_multivalued_context_key(condition_key):
+                    issues.append(
+                        ValidationIssue(
+                            severity=self.get_severity(config),
+                            message=(
+                                f"Set operator '{set_prefix}' should not be used with single-valued "
+                                f"condition key '{condition_key}'. This can lead to overly permissive policies. "
+                                f"Set operators are designed for multivalued context keys like 'aws:TagKeys'. "
+                                f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                            ),
+                            statement_sid=statement_sid,
+                            statement_index=statement_idx,
+                            issue_type="set_operator_on_single_valued_key",
+                            condition_key=condition_key,
+                            line_number=line_number,
+                        )
+                    )
+
+                # Issue 2: ForAllValues with Allow effect without Null check (security risk)
+                if set_prefix == "ForAllValues" and effect == "Allow":
+                    if condition_key not in null_checked_keys:
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                message=(
+                                    f"Security risk: ForAllValues with Allow effect on '{condition_key}' "
+                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f'\'{condition_key}\' will be granted access. Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                                ),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="forallvalues_allow_without_null_check",
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+
+                # Issue 3: ForAnyValue with Deny effect without Null check (unpredictable)
+                if set_prefix == "ForAnyValue" and effect == "Deny":
+                    if condition_key not in null_checked_keys:
+                        issues.append(
+                            ValidationIssue(
+                                severity="warning",
+                                message=(
+                                    f"Unpredictable behavior: ForAnyValue with Deny effect on '{condition_key}' "
+                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f"'{condition_key}' will evaluate to 'No match' instead of denying access. "
+                                    f'Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
+                                ),
+                                statement_sid=statement_sid,
+                                statement_index=statement_idx,
+                                issue_type="foranyvalue_deny_without_null_check",
+                                condition_key=condition_key,
+                                line_number=line_number,
+                            )
+                        )
+
+        return issues