iam-policy-validator 1.7.1__py3-none-any.whl → 1.8.0__py3-none-any.whl

iam_validator/checks/sensitive_action.py

@@ -85,9 +85,9 @@ class SensitiveActionCheck(PolicyCheck):
         # Generic ABAC fallback for uncategorized actions
         return (
             "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
-            "• Match principal tags to resource tags (aws:PrincipalTag/X = aws:ResourceTag/X)\n"
-            "• Require MFA (aws:MultiFactorAuthPresent = true)\n"
-            "• Restrict by IP (aws:SourceIp) or VPC (aws:SourceVpc)",
+            "• Match principal tags to resource tags (`aws:PrincipalTag/<tag-name>` = `aws:ResourceTag/<tag-name>`)\n"
+            "• Require MFA (`aws:MultiFactorAuthPresent` = `true`)\n"
+            "• Restrict by IP (`aws:SourceIp`) or VPC (`aws:SourceVpc`)",
             '"Condition": {\n'
             '  "StringEquals": {\n'
             '    "aws:PrincipalTag/owner": "${aws:ResourceTag/owner}"\n'
@@ -142,13 +142,6 @@ class SensitiveActionCheck(PolicyCheck):
                 matched_actions[0], config
             )
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\n\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             # Determine severity based on the highest severity action in the list
             # If single action, use its category severity
             # If multiple actions, use the highest severity among them
@@ -165,7 +158,8 @@ class SensitiveActionCheck(PolicyCheck):
                     issue_type="missing_condition",
                     message=message,
                     action=(matched_actions[0] if len(matched_actions) == 1 else None),
-                    suggestion=suggestion,
+                    suggestion=suggestion_text,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )
@@ -198,6 +192,10 @@ class SensitiveActionCheck(PolicyCheck):
         del policy_file, fetcher  # Not used in current implementation
         issues = []
 
+        # Handle policies with no statements
+        if not policy.statement:
+            return []
+
         # Collect all actions from all Allow statements across the entire policy
         all_actions: set[str] = set()
         statement_map: dict[

iam_validator/checks/service_wildcard.py

@@ -51,29 +51,22 @@ class ServiceWildcardCheck(PolicyCheck):
                     # Get message template and replace placeholders
                     message_template = config.config.get(
                         "message",
-                        "Service-level wildcard '{action}' grants all permissions for {service} service",
+                        "Service-level wildcard `{action}` grants all permissions for `{service}` service",
                     )
                     suggestion_template = config.config.get(
                         "suggestion",
-                        "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                        "Consider specifying explicit actions instead of `{action}`. If you need multiple actions, list them individually or use more specific wildcards like `{service}:Get*` or `{service}:List*`.",
                     )
                     example_template = config.config.get("example", "")
 
                     message = message_template.format(action=action, service=service)
-                    suggestion_text = suggestion_template.format(action=action, service=service)
+                    suggestion = suggestion_template.format(action=action, service=service)
                     example = (
                         example_template.format(action=action, service=service)
                         if example_template
                         else ""
                     )
 
-                    # Combine suggestion + example
-                    suggestion = (
-                        f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                        if example
-                        else suggestion_text
-                    )
-
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
@@ -83,6 +76,7 @@ class ServiceWildcardCheck(PolicyCheck):
                             message=message,
                             action=action,
                             suggestion=suggestion,
+                            example=example if example else None,
                             line_number=statement.line_number,
                         )
                     )

iam_validator/checks/set_operator_validation.py

@@ -73,7 +73,7 @@ class SetOperatorValidationCheck(PolicyCheck):
 
         # First pass: Identify set operators and Null checks
         for operator, conditions in statement.condition.items():
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, _operator_type, set_prefix = normalize_operator(operator)
 
             # Track Null checks
             if base_operator == "Null":
@@ -87,22 +87,22 @@ class SetOperatorValidationCheck(PolicyCheck):
 
         # Second pass: Validate set operator usage
         for operator, conditions in statement.condition.items():
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, _operator_type, set_prefix = normalize_operator(operator)
 
             if not set_prefix:
                 continue
 
             # Check each condition key used with a set operator
-            for condition_key, condition_values in conditions.items():
+            for condition_key, _condition_values in conditions.items():
                 # Issue 1: Set operator used with single-valued context key (anti-pattern)
                 if not is_multivalued_context_key(condition_key):
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Set operator '{set_prefix}' should not be used with single-valued "
-                                f"condition key '{condition_key}'. This can lead to overly permissive policies. "
-                                f"Set operators are designed for multivalued context keys like 'aws:TagKeys'. "
+                                f"Set operator `{set_prefix}` should not be used with single-valued "
+                                f"condition key `{condition_key}`. This can lead to overly permissive policies. "
+                                f"Set operators are designed for multivalued context keys like `aws:TagKeys`. "
                                 f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                             ),
                             statement_sid=statement_sid,
@@ -120,9 +120,9 @@ class SetOperatorValidationCheck(PolicyCheck):
                             ValidationIssue(
                                 severity="warning",
                                 message=(
-                                    f"Security risk: ForAllValues with Allow effect on '{condition_key}' "
+                                    f"Security risk: ForAllValues with Allow effect on `{condition_key}` "
                                     f"should include a Null condition check. Without it, requests with missing "
-                                    f'\'{condition_key}\' will be granted access. Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f'`{condition_key}` will be granted access. Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                                 ),
                                 statement_sid=statement_sid,
@@ -140,10 +140,10 @@ class SetOperatorValidationCheck(PolicyCheck):
                             ValidationIssue(
                                 severity="warning",
                                 message=(
-                                    f"Unpredictable behavior: ForAnyValue with Deny effect on '{condition_key}' "
+                                    f"Unpredictable behavior: `ForAnyValue` with `Deny` effect on `{condition_key}` "
                                     f"should include a Null condition check. Without it, requests with missing "
-                                    f"'{condition_key}' will evaluate to 'No match' instead of denying access. "
-                                    f'Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"`{condition_key}` will evaluate to `No match` instead of denying access. "
+                                    f'Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                                 ),
                                 statement_sid=statement_sid,

iam_validator/checks/sid_uniqueness.py

@@ -35,6 +35,10 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
     # No spaces allowed
     sid_pattern = re.compile(r"^[a-zA-Z0-9_-]+$")
 
+    # Handle policies with no statements
+    if not policy.statement:
+        return []
+
     # Collect all SIDs (ignoring None/empty values) and check format
     sids_with_indices: list[tuple[str, int]] = []
     for idx, statement in enumerate(policy.statement):
@@ -43,15 +47,15 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
             if not sid_pattern.match(statement.sid):
                 # Identify the issue
                 if " " in statement.sid:
-                    issue_msg = f"Statement ID '{statement.sid}' contains spaces, which are not allowed by AWS"
+                    issue_msg = f"Statement ID `{statement.sid}` contains spaces, which are not allowed by AWS"
                     suggestion = (
-                        f"Remove spaces from the SID. Example: '{statement.sid.replace(' ', '')}'"
+                        f"Remove spaces from the SID. Example: `{statement.sid.replace(' ', '')}`"
                     )
                 else:
                     invalid_chars = "".join(
                         set(c for c in statement.sid if not c.isalnum() and c not in "_-")
                     )
-                    issue_msg = f"Statement ID '{statement.sid}' contains invalid characters: {invalid_chars}"
+                    issue_msg = f"Statement ID `{statement.sid}` contains invalid characters: `{invalid_chars}`"
                     suggestion = (
                         "SIDs must contain only alphanumeric characters, hyphens, and underscores"
                     )
@@ -91,7 +95,7 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
                     statement_sid=duplicate_sid,
                     statement_index=idx,
                     issue_type="duplicate_sid",
-                    message=f"Statement ID '{duplicate_sid}' is used {count} times in this policy (found in statements {statement_numbers})",
+                    message=f"Statement ID `{duplicate_sid}` is used **{count} times** in this policy (found in statements `{statement_numbers}`)",
                     suggestion="Change this SID to a unique value. Statement IDs help identify and reference specific statements, so duplicates can cause confusion.",
                     line_number=statement.line_number,
                 )