PyPI - iam-policy-validator - Versions diffs - 1.7.2__py3-none-any.whl → 1.9.0__py3-none-any.whl - Mend

iam-policy-validator 1.7.2py3-none-any.whl → 1.9.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (56) hide show

{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.9.0.dist-info}/METADATA +127 -6
iam_policy_validator-1.9.0.dist-info/RECORD +95 -0
iam_validator/__init__.py +1 -1
iam_validator/__version__.py +1 -1
iam_validator/checks/__init__.py +5 -3
iam_validator/checks/action_condition_enforcement.py +559 -207
iam_validator/checks/action_resource_matching.py +12 -15
iam_validator/checks/action_validation.py +7 -13
iam_validator/checks/condition_key_validation.py +7 -13
iam_validator/checks/condition_type_mismatch.py +15 -22
iam_validator/checks/full_wildcard.py +9 -13
iam_validator/checks/mfa_condition_check.py +8 -17
iam_validator/checks/policy_size.py +6 -39
iam_validator/checks/policy_structure.py +547 -0
iam_validator/checks/policy_type_validation.py +61 -46
iam_validator/checks/principal_validation.py +71 -148
iam_validator/checks/resource_validation.py +13 -20
iam_validator/checks/sensitive_action.py +15 -18
iam_validator/checks/service_wildcard.py +8 -14
iam_validator/checks/set_operator_validation.py +21 -28
iam_validator/checks/sid_uniqueness.py +16 -42
iam_validator/checks/trust_policy_validation.py +506 -0
iam_validator/checks/utils/sensitive_action_matcher.py +26 -26
iam_validator/checks/utils/wildcard_expansion.py +2 -2
iam_validator/checks/wildcard_action.py +9 -13
iam_validator/checks/wildcard_resource.py +9 -13
iam_validator/commands/cache.py +4 -3
iam_validator/commands/validate.py +15 -9
iam_validator/core/__init__.py +2 -3
iam_validator/core/access_analyzer.py +1 -1
iam_validator/core/access_analyzer_report.py +2 -2
iam_validator/core/aws_fetcher.py +24 -1028
iam_validator/core/aws_service/__init__.py +21 -0
iam_validator/core/aws_service/cache.py +108 -0
iam_validator/core/aws_service/client.py +205 -0
iam_validator/core/aws_service/fetcher.py +612 -0
iam_validator/core/aws_service/parsers.py +149 -0
iam_validator/core/aws_service/patterns.py +51 -0
iam_validator/core/aws_service/storage.py +291 -0
iam_validator/core/aws_service/validators.py +379 -0
iam_validator/core/check_registry.py +165 -93
iam_validator/core/config/condition_requirements.py +69 -17
iam_validator/core/config/defaults.py +58 -52
iam_validator/core/config/service_principals.py +40 -3
iam_validator/core/constants.py +17 -0
iam_validator/core/ignore_patterns.py +297 -0
iam_validator/core/models.py +15 -5
iam_validator/core/policy_checks.py +38 -475
iam_validator/core/policy_loader.py +27 -4
iam_validator/sdk/__init__.py +1 -1
iam_validator/sdk/context.py +1 -1
iam_validator/sdk/helpers.py +1 -1
iam_policy_validator-1.7.2.dist-info/RECORD +0 -84
{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.9.0.dist-info}/WHEEL +0 -0
{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.9.0.dist-info}/entry_points.txt +0 -0
{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.9.0.dist-info}/licenses/LICENSE +0 -0

iam_validator/checks/action_condition_enforcement.py CHANGED Viewed

@@ -1,11 +1,23 @@
 """
-Action-Specific Condition Enforcement Check (Unified)
+Action-Specific Condition Enforcement Check
-This built-in check ensures that specific actions have required conditions.
+This check ensures that specific actions have required conditions.
 Supports ALL types of conditions: MFA, IP, VPC, time, tags, encryption, etc.
-Supports advanced "all_of" and "any_of" logic for both actions and conditions.
-Supports both STATEMENT-LEVEL and POLICY-LEVEL enforcement.
+The entire policy is scanned once, checking all statements for matching actions.
+ACTION MATCHING MODES:
+- Simple list: Checks each statement for any of the specified actions
+  Example: actions: ["iam:PassRole", "iam:CreateUser"]
+- any_of: Finds statements that contain ANY of the specified actions
+  Example: actions: {any_of: ["iam:CreateUser", "iam:AttachUserPolicy"]}
+- all_of: Finds statements that contain ALL specified actions (overly permissive detection)
+  Example: actions: {all_of: ["iam:CreateAccessKey", "iam:UpdateAccessKey"]}
+- none_of: Flags statements that contain forbidden actions
+  Example: actions: {none_of: ["iam:DeleteUser", "s3:DeleteBucket"]}
 Common use cases:
 - iam:PassRole must have iam:PassedToService condition
@@ -13,17 +25,17 @@ Common use cases:
 - Actions must have source IP restrictions
 - Resources must have required tags
 - Combine multiple conditions (MFA + IP + Tags)
-- Policy-level: Ensure ALL statements granting certain actions have MFA
+- Detect overly permissive statements (all_of)
+- Ensure privilege escalation combinations are protected
 Configuration in iam-validator.yaml:
     checks:
       action_condition_enforcement:
         enabled: true
-        severity: error
+        severity: high
         description: "Enforce specific conditions for specific actions"
-        # STATEMENT-LEVEL: Check individual statements (default)
         action_condition_requirements:
           # BASIC: Simple action with required condition
           - actions:
@@ -87,56 +99,38 @@ Configuration in iam-validator.yaml:
                   expected_value: false
                   description: "Ensure insecure transport is never allowed"
-          # none_of for actions: Flag if forbidden actions are present
-          - actions:
-              none_of:
-                - "iam:*"
-                - "s3:DeleteBucket"
-            description: "These dangerous actions should never be used"
-        # POLICY-LEVEL: Scan entire policy and enforce conditions across all matching statements
-        policy_level_requirements:
-          # Example: If ANY statement grants privilege escalation actions,
-          # then ALL such statements must have MFA
+          # any_of for actions: If ANY statement grants privilege escalation actions, require MFA
           - actions:
               any_of:
                 - "iam:CreateUser"
                 - "iam:AttachUserPolicy"
                 - "iam:PutUserPolicy"
-            scope: "policy"
             required_conditions:
               - condition_key: "aws:MultiFactorAuthPresent"
                 expected_value: true
-            description: "Privilege escalation actions require MFA across entire policy"
+            description: "Privilege escalation actions require MFA"
             severity: "critical"
-          # Example: All admin actions across the policy must have MFA
-          - actions:
-              any_of:
-                - "iam:*"
-                - "s3:*"
-            scope: "policy"
-            required_conditions:
-              all_of:
-                - condition_key: "aws:MultiFactorAuthPresent"
-                  expected_value: true
-                - condition_key: "aws:SourceIp"
-            apply_to: "all_matching_statements"
-          # Example: Ensure no statement in the policy allows dangerous combinations
+          # all_of for actions: Flag statements that contain BOTH dangerous actions (overly permissive)
           - actions:
               all_of:
                 - "iam:CreateAccessKey"
                 - "iam:UpdateAccessKey"
-            scope: "policy"
             severity: "critical"
-            description: "Dangerous combination of actions detected in policy"
+            description: "Statement grants both CreateAccessKey and UpdateAccessKey - too permissive"
+          # none_of for actions: Flag if forbidden actions are present
+          - actions:
+              none_of:
+                - "iam:DeleteUser"
+                - "s3:DeleteBucket"
+            description: "These dangerous actions should never be used"
 """
 import re
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, ClassVar
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
@@ -147,204 +141,526 @@ if TYPE_CHECKING:
 class ActionConditionEnforcementCheck(PolicyCheck):
     """Enforces specific condition requirements for specific actions with all_of/any_of support."""
-    @property
-    def check_id(self) -> str:
-        return "action_condition_enforcement"
+    check_id: ClassVar[str] = "action_condition_enforcement"
+    description: ClassVar[str] = (
+        "Enforces conditions (MFA, IP, tags, etc.) for specific actions (supports all_of/any_of)"
+    )
+    default_severity: ClassVar[str] = "error"
-    @property
-    def description(self) -> str:
-        return "Enforces conditions (MFA, IP, tags, etc.) for specific actions (supports all_of/any_of)"
+    async def execute_policy(
+        self,
+        policy: "IAMPolicy",
+        policy_file: str,
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+        **kwargs,
+    ) -> list[ValidationIssue]:
+        """
+        Execute policy-wide condition enforcement check.
+        This method scans the entire policy once and enforces conditions based on action matching:
+        - Simple list: Checks each statement for matching actions
+        - all_of: Finds statements that contain ALL specified actions (overly permissive detection)
+        - any_of: Finds statements that contain ANY of the specified actions
+        - none_of: Flags statements that contain forbidden actions
+        Example use cases:
+        - any_of: "If ANY statement grants iam:CreateUser, iam:AttachUserPolicy,
+          or iam:PutUserPolicy, then ALL such statements must have MFA condition."
+        - all_of: "Flag statements that grant BOTH iam:CreateAccessKey AND
+          iam:UpdateAccessKey (overly permissive)"
+        Args:
+            policy: The complete IAM policy to check
+            policy_file: Path to the policy file (for context/reporting)
+            fetcher: AWS service fetcher for validation against AWS APIs
+            config: CheckConfig: Configuration for this check instance
+            **kwargs: Additional context (policy_type, etc.)
-    @property
-    def default_severity(self) -> str:
-        return "error"
+        Returns:
+            List of ValidationIssue objects found by this check
+        """
+        del policy_file, kwargs  # Not used in current implementation
+        issues = []
-    async def execute(
+        # Get action condition requirements from config
+        # Support both old (policy_level_requirements) and new (action_condition_requirements) keys
+        requirements = config.config.get(
+            "action_condition_requirements",
+            config.config.get("policy_level_requirements", []),
+        )
+        if not requirements:
+            return issues
+        # Process each requirement
+        for requirement in requirements:
+            # Check if actions use all_of/any_of/none_of (policy-wide) or simple list (per-statement)
+            actions_config = requirement.get("actions", [])
+            uses_logical_operators = isinstance(actions_config, dict) and any(
+                key in actions_config for key in ("all_of", "any_of", "none_of")
+            )
+            if uses_logical_operators:
+                # Policy-wide detection (all_of/any_of/none_of)
+                policy_issues = await self._check_policy_wide(policy, requirement, fetcher, config)
+                issues.extend(policy_issues)
+            else:
+                # Per-statement check (simple list)
+                statement_issues = await self._check_per_statement(
+                    policy, requirement, fetcher, config
+                )
+                issues.extend(statement_issues)
+        return issues
+    async def _check_policy_wide(
         self,
-        statement: Statement,
-        statement_idx: int,
+        policy: "IAMPolicy",
+        requirement: dict[str, Any],
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """
+        Check actions across the entire policy using all_of/any_of/none_of logic.
+        This enables policy-wide detection patterns:
+        - all_of: ALL required actions must exist somewhere in the policy
+        - any_of: At least ONE required action must exist somewhere in the policy
+        - none_of: NONE of the forbidden actions should exist in the policy
+        """
+        issues = []
+        actions_config = requirement.get("actions", {})
+        all_of = actions_config.get("all_of", [])
+        any_of = actions_config.get("any_of", [])
+        none_of = actions_config.get("none_of", [])
+        # Collect all actions across the entire policy
+        policy_wide_actions: set[str] = set()
+        statements_by_action: dict[str, list[tuple[int, Statement]]] = {}
+        for idx, statement in enumerate(policy.statement or []):
+            if statement.effect != "Allow":
+                continue
+            statement_actions = statement.get_actions()
+            policy_wide_actions.update(statement_actions)
+            # Track which statements grant which actions
+            for action in statement_actions:
+                if action not in statements_by_action:
+                    statements_by_action[action] = []
+                statements_by_action[action].append((idx, statement))
+        # Check all_of: ALL required actions must exist in policy
+        if all_of:
+            all_of_result = await self._check_all_of_policy_wide(
+                all_of,
+                policy_wide_actions,
+                statements_by_action,
+                requirement,
+                fetcher,
+                config,
+            )
+            issues.extend(all_of_result)
+        # Check any_of: At least ONE required action must exist in policy
+        if any_of:
+            any_of_result = await self._check_any_of_policy_wide(
+                any_of,
+                policy_wide_actions,
+                statements_by_action,
+                requirement,
+                fetcher,
+                config,
+            )
+            issues.extend(any_of_result)
+        # Check none_of: NONE of the forbidden actions should exist in policy
+        if none_of:
+            none_of_result = await self._check_none_of_policy_wide(
+                none_of,
+                policy_wide_actions,
+                statements_by_action,
+                requirement,
+                config,
+                fetcher,
+            )
+            issues.extend(none_of_result)
+        return issues
+    async def _check_all_of_policy_wide(
+        self,
+        all_of_actions: list[str],
+        policy_wide_actions: set[str],
+        statements_by_action: dict[str, list[tuple[int, Statement]]],
+        requirement: dict[str, Any],
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
     ) -> list[ValidationIssue]:
-        """Execute statement-level condition enforcement check."""
+        """
+        Check if ALL required actions exist anywhere in the policy.
+        For all_of, we report ONLY statements that contain ALL the required actions,
+        not statements that contain just some of them. This is useful for detecting
+        overly permissive individual statements.
+        """
         issues = []
-        # Only check Allow statements
-        if statement.effect != "Allow":
+        # First, check if ALL required actions exist somewhere in the policy
+        found_actions_mapping: dict[str, str] = {}  # req_action -> matched_policy_action
+        missing_actions: list[str] = []
+        for req_action in all_of_actions:
+            action_found = False
+            for policy_action in policy_wide_actions:
+                if await self._action_matches(
+                    policy_action, req_action, requirement.get("action_patterns", []), fetcher
+                ):
+                    action_found = True
+                    found_actions_mapping[req_action] = policy_action
+                    break
+            if not action_found:
+                missing_actions.append(req_action)
+        # If not all actions exist in the policy, no issue
+        if missing_actions:
             return issues
-        # Get action condition requirements from config
-        action_condition_requirements = config.config.get("action_condition_requirements", [])
-        if not action_condition_requirements:
+        # ALL required actions exist in the policy
+        # Now find statements that have ALL of them (not just some)
+        statements_with_all_actions: list[tuple[int, Statement, list[str]]] = []
+        # Check each statement to see if it contains ALL required actions
+        for statement in statements_by_action.get(list(found_actions_mapping.values())[0], []):
+            stmt_idx, stmt = statement
+            stmt_actions = stmt.get_actions()
+            # Check if this statement has ALL required actions
+            has_all_actions = True
+            matched_actions = []
+            for req_action in all_of_actions:
+                req_action_found = False
+                for stmt_action in stmt_actions:
+                    if await self._action_matches(
+                        stmt_action, req_action, requirement.get("action_patterns", []), fetcher
+                    ):
+                        req_action_found = True
+                        if stmt_action not in matched_actions:
+                            matched_actions.append(stmt_action)
+                        break
+                if not req_action_found:
+                    has_all_actions = False
+                    break
+            if has_all_actions:
+                statements_with_all_actions.append((stmt_idx, stmt, matched_actions))
+        # Also check other statements not in the first action's list
+        checked_indices = {s[0] for s in statements_with_all_actions}
+        for policy_action, stmt_list in statements_by_action.items():
+            for stmt_idx, stmt in stmt_list:
+                if stmt_idx in checked_indices:
+                    continue
+                stmt_actions = stmt.get_actions()
+                # Check if this statement has ALL required actions
+                has_all_actions = True
+                matched_actions = []
+                for req_action in all_of_actions:
+                    req_action_found = False
+                    for stmt_action in stmt_actions:
+                        if await self._action_matches(
+                            stmt_action, req_action, requirement.get("action_patterns", []), fetcher
+                        ):
+                            req_action_found = True
+                            if stmt_action not in matched_actions:
+                                matched_actions.append(stmt_action)
+                            break
+                    if not req_action_found:
+                        has_all_actions = False
+                        break
+                if has_all_actions:
+                    statements_with_all_actions.append((stmt_idx, stmt, matched_actions))
+                    checked_indices.add(stmt_idx)
+        # If no statements have ALL actions, no issue to report
+        if not statements_with_all_actions:
             return issues
-        statement_actions = statement.get_actions()
+        # Report statements that have ALL the dangerous actions
+        return self._generate_policy_wide_issues(
+            statements_with_all_actions,
+            list(found_actions_mapping.values()),
+            requirement,
+            config,
+            "all_of",
+        )
-        # Check each requirement rule
-        for requirement in action_condition_requirements:
-            # Check if this requirement applies to the statement's actions
-            actions_match, matching_actions = await self._check_action_match(
-                statement_actions, requirement, fetcher
-            )
+    async def _check_any_of_policy_wide(
+        self,
+        any_of_actions: list[str],
+        policy_wide_actions: set[str],
+        statements_by_action: dict[str, list[tuple[int, Statement]]],
+        requirement: dict[str, Any],
+        fetcher: AWSServiceFetcher,
+        config: CheckConfig,
+    ) -> list[ValidationIssue]:
+        """Check if at least ONE required action exists anywhere in the policy."""
+        issues = []
+        found_actions: list[str] = []
+        statements_with_required_actions: list[tuple[int, Statement, list[str]]] = []
+        for req_action in any_of_actions:
+            for policy_action in policy_wide_actions:
+                if await self._action_matches(
+                    policy_action, req_action, requirement.get("action_patterns", []), fetcher
+                ):
+                    found_actions.append(policy_action)
+                    # Track statements that have this action
+                    if policy_action in statements_by_action:
+                        for stmt_idx, stmt in statements_by_action[policy_action]:
+                            existing = next(
+                                (s for s in statements_with_required_actions if s[0] == stmt_idx),
+                                None,
+                            )
+                            if existing:
+                                if policy_action not in existing[2]:
+                                    existing[2].append(policy_action)
+                            else:
+                                statements_with_required_actions.append(
+                                    (stmt_idx, stmt, [policy_action])
+                                )
+        # If no actions found, no issue
+        if not found_actions:
+            return issues
-            if not actions_match:
-                continue
+        # At least one action found - validate conditions
+        return self._generate_policy_wide_issues(
+            statements_with_required_actions,
+            found_actions,
+            requirement,
+            config,
+            "any_of",
+        )
-            # Check if this is a none_of action rule (forbidden actions)
-            actions_config = requirement.get("actions", [])
-            if isinstance(actions_config, dict) and "none_of" in actions_config:
-                # This is a forbidden action rule - flag it
-                description = requirement.get("description", "These actions should not be used")
-                # Use per-requirement severity if specified, else use global
-                severity = requirement.get("severity", self.get_severity(config))
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=statement.sid,
-                        statement_index=statement_idx,
-                        issue_type="forbidden_action_present",
-                        message=f"FORBIDDEN: Actions {matching_actions} should not be used. {description}",
-                        action=", ".join(matching_actions),
-                        suggestion=f"Remove these forbidden actions from the statement: {', '.join(matching_actions)}. {description}",
-                        line_number=statement.line_number,
-                    )
+    async def _check_none_of_policy_wide(
+        self,
+        none_of_actions: list[str],
+        policy_wide_actions: set[str],
+        statements_by_action: dict[str, list[tuple[int, Statement]]],
+        requirement: dict[str, Any],
+        config: CheckConfig,
+        fetcher: AWSServiceFetcher,
+    ) -> list[ValidationIssue]:
+        """Check if any forbidden actions exist in the policy."""
+        issues = []
+        forbidden_found: list[str] = []
+        statements_with_forbidden: list[tuple[int, Statement, list[str]]] = []
+        for forbidden_action in none_of_actions:
+            for policy_action in policy_wide_actions:
+                if await self._action_matches(
+                    policy_action, forbidden_action, requirement.get("action_patterns", []), fetcher
+                ):
+                    forbidden_found.append(policy_action)
+                    # Track statements with forbidden actions
+                    if policy_action in statements_by_action:
+                        for stmt_idx, stmt in statements_by_action[policy_action]:
+                            existing = next(
+                                (s for s in statements_with_forbidden if s[0] == stmt_idx), None
+                            )
+                            if existing:
+                                if policy_action not in existing[2]:
+                                    existing[2].append(policy_action)
+                            else:
+                                statements_with_forbidden.append((stmt_idx, stmt, [policy_action]))
+        # If forbidden actions found, create issues
+        if not forbidden_found:
+            return issues
+        description = requirement.get("description", "These actions should not be used")
+        severity = requirement.get("severity", self.get_severity(config))
+        for stmt_idx, stmt, actions in statements_with_forbidden:
+            actions_formatted = ", ".join(f"`{a}`" for a in actions)
+            statement_refs = [
+                f"Statement #{idx + 1}{' (SID: ' + s.sid + ')' if s.sid else ''}"
+                for idx, s, _ in statements_with_forbidden
+            ]
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=stmt.sid,
+                    statement_index=stmt_idx,
+                    issue_type="forbidden_action",
+                    message=f"Forbidden actions {actions_formatted} found. {description}",
+                    action=", ".join(actions),
+                    suggestion=f"Remove these forbidden actions. Found in: {', '.join(statement_refs)}. {description}",
+                    line_number=stmt.line_number,
                 )
-                continue
+            )
-            # Actions match - now validate required conditions
-            required_conditions_config = requirement.get("required_conditions", [])
-            if not required_conditions_config:
-                continue
+        return issues
-            # Check if conditions are in all_of/any_of/none_of format or simple list
+    def _generate_policy_wide_issues(
+        self,
+        statements_with_actions: list[tuple[int, Statement, list[str]]],
+        found_actions: list[str],
+        requirement: dict[str, Any],
+        config: CheckConfig,
+        operator_type: str,
+    ) -> list[ValidationIssue]:
+        """Generate validation issues for policy-wide checks."""
+        issues = []
+        required_conditions_config = requirement.get("required_conditions", [])
+        description = requirement.get("description", "")
+        severity = requirement.get("severity", self.get_severity(config))
+        if not required_conditions_config:
+            # No conditions specified, just report that actions were found
+            all_actions_formatted = ", ".join(f"`{a}`" for a in sorted(set(found_actions)))
+            statement_refs = [
+                f"Statement #{idx + 1}{' (SID: ' + stmt.sid + ')' if stmt.sid else ''}"
+                for idx, stmt, _ in statements_with_actions
+            ]
+            first_idx, first_stmt, _ = statements_with_actions[0]
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=first_stmt.sid,
+                    statement_index=first_idx,
+                    issue_type="action_detected",
+                    message=f"Actions {all_actions_formatted} found across {len(statements_with_actions)} statement(s) ({operator_type}). {description}",
+                    action=", ".join(sorted(set(found_actions))),
+                    suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
+                    line_number=first_stmt.line_number,
+                )
+            )
+            return issues
+        # Validate conditions for each statement
+        for idx, statement, matching_actions in statements_with_actions:
             condition_issues = self._validate_conditions(
                 statement,
-                statement_idx,
+                idx,
                 required_conditions_config,
                 matching_actions,
                 config,
-                requirement,  # Pass the full requirement for severity override
+                requirement,
             )
+            # Add context
+            for issue in condition_issues:
+                issue.suggestion = (
+                    f"{issue.suggestion}\n\n"
+                    f"Note: Found {len(statements_with_actions)} statement(s) with these actions in the policy ({operator_type})."
+                )
             issues.extend(condition_issues)
         return issues
-    async def execute_policy(
+    async def _check_per_statement(
         self,
         policy: "IAMPolicy",
-        policy_file: str,
+        requirement: dict[str, Any],
         fetcher: AWSServiceFetcher,
         config: CheckConfig,
-        **kwargs,
     ) -> list[ValidationIssue]:
         """
-        Execute policy-level condition enforcement check.
-        This method scans the entire policy and enforces that ALL statements granting
-        certain actions must have specific conditions. This is useful for ensuring
-        consistent security controls across the entire policy.
-        Example use case:
-        - "If ANY statement in the policy grants iam:CreateUser, iam:AttachUserPolicy,
-          or iam:PutUserPolicy, then ALL such statements must have MFA condition."
-        Args:
-            policy: The complete IAM policy to check
-            policy_file: Path to the policy file (for context/reporting)
-            fetcher: AWS service fetcher for validation against AWS APIs
-            config: Configuration for this check instance
-            **kwargs: Additional context (policy_type, etc.)
+        Check each statement individually for matching actions (simple list format).
-        Returns:
-            List of ValidationIssue objects found by this check
+        Used when actions are specified as a simple list (not using all_of/any_of/none_of).
         """
-        del policy_file, kwargs  # Not used in current implementation
         issues = []
+        matching_statements: list[tuple[int, Statement, list[str]]] = []
-        # Get policy-level requirements from config
-        policy_level_requirements = config.config.get("policy_level_requirements", [])
-        if not policy_level_requirements:
-            return issues
-        # Process each policy-level requirement
-        for requirement in policy_level_requirements:
-            # Collect all statements that match the action criteria
-            matching_statements: list[tuple[int, Statement, list[str]]] = []
-            for idx, statement in enumerate(policy.statement):
-                # Only check Allow statements
-                if statement.effect != "Allow":
-                    continue
+        for idx, statement in enumerate(policy.statement or []):
+            # Only check Allow statements
+            if statement.effect != "Allow":
+                continue
-                statement_actions = statement.get_actions()
+            statement_actions = statement.get_actions()
-                # Check if this statement matches the action requirement
-                actions_match, matching_actions = await self._check_action_match(
-                    statement_actions, requirement, fetcher
-                )
+            # Check if this statement matches the action requirement
+            actions_match, matching_actions = await self._check_action_match(
+                statement_actions, requirement, fetcher
+            )
-                if actions_match and matching_actions:
-                    matching_statements.append((idx, statement, matching_actions))
+            if actions_match and matching_actions:
+                matching_statements.append((idx, statement, matching_actions))
-            # If no statements match, skip this requirement
-            if not matching_statements:
-                continue
+        # If no statements match, skip this requirement
+        if not matching_statements:
+            return issues
-            # Now validate that ALL matching statements have the required conditions
-            required_conditions_config = requirement.get("required_conditions", [])
-            if not required_conditions_config:
-                # No conditions specified, just report that actions were found
-                description = requirement.get("description", "")
-                severity = requirement.get("severity", self.get_severity(config))
-                # Create a summary issue for all matching statements
-                all_actions = set()
-                statement_refs = []
-                for idx, stmt, actions in matching_statements:
-                    all_actions.update(actions)
-                    sid_info = f" (SID: {stmt.sid})" if stmt.sid else ""
-                    statement_refs.append(f"Statement #{idx + 1}{sid_info}")
-                # Use the first matching statement's index for the issue
-                first_idx, first_stmt, _ = matching_statements[0]
-                issues.append(
-                    ValidationIssue(
-                        severity=severity,
-                        statement_sid=first_stmt.sid,
-                        statement_index=first_idx,
-                        issue_type="policy_level_action_detected",
-                        message=f"POLICY-LEVEL: Actions {sorted(all_actions)} found in {len(matching_statements)} statement(s). {description}",
-                        action=", ".join(sorted(all_actions)),
-                        suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
-                        line_number=first_stmt.line_number,
-                    )
+        # Now validate that ALL matching statements have the required conditions
+        required_conditions_config = requirement.get("required_conditions", [])
+        if not required_conditions_config:
+            # No conditions specified, just report that actions were found
+            description = requirement.get("description", "")
+            severity = requirement.get("severity", self.get_severity(config))
+            # Create a summary issue for all matching statements
+            all_actions = set()
+            statement_refs = []
+            for idx, stmt, actions in matching_statements:
+                all_actions.update(actions)
+                sid_info = f" (SID: {stmt.sid})" if stmt.sid else ""
+                statement_refs.append(f"Statement #{idx + 1}{sid_info}")
+            # Use the first matching statement's index for the issue
+            first_idx, first_stmt, _ = matching_statements[0]
+            all_actions_formatted = ", ".join(f"`{a}`" for a in sorted(all_actions))
+            issues.append(
+                ValidationIssue(
+                    severity=severity,
+                    statement_sid=first_stmt.sid,
+                    statement_index=first_idx,
+                    issue_type="action_detected",
+                    message=f"Actions {all_actions_formatted} found in {len(matching_statements)} statement(s). {description}",
+                    action=", ".join(sorted(all_actions)),
+                    suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
+                    line_number=first_stmt.line_number,
                 )
-                continue
+            )
+            return issues
-            # Validate conditions for each matching statement
-            for idx, statement, matching_actions in matching_statements:
-                condition_issues = self._validate_conditions(
-                    statement,
-                    idx,
-                    required_conditions_config,
-                    matching_actions,
-                    config,
-                    requirement,
-                )
+        # Validate conditions for each matching statement
+        for idx, statement, matching_actions in matching_statements:
+            condition_issues = self._validate_conditions(
+                statement,
+                idx,
+                required_conditions_config,
+                matching_actions,
+                config,
+                requirement,
+            )
-                # Add policy-level context to each issue
-                for issue in condition_issues:
-                    # Modify the message to indicate this is part of policy-level enforcement
-                    issue.message = f"POLICY-LEVEL: {issue.message}"
-                    issue.suggestion = (
-                        f"{issue.suggestion}\n\n"
-                        f"Note: This is enforced at the policy level. "
-                        f"Found {len(matching_statements)} statement(s) with these actions in the policy."
-                    )
+            # Add context to each issue
+            for issue in condition_issues:
+                issue.suggestion = (
+                    f"{issue.suggestion}\n\n"
+                    f"Note: Found {len(matching_statements)} statement(s) with these actions in the policy."
+                )
-                issues.extend(condition_issues)
+            issues.extend(condition_issues)
         return issues
@@ -530,7 +846,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                     available_actions = list(service_detail.actions.keys())
                     # Find which actual AWS actions the wildcard would grant
-                    _, granted_actions = fetcher._match_wildcard_action(
+                    _, granted_actions = fetcher.match_wildcard_action(
                         statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
                         available_actions,
                     )
@@ -545,7 +861,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             except re.error:
                                 continue
-                except (ValueError, Exception):
+                except (ValueError, Exception):  # pylint: disable=broad-exception-caught
                     # If we can't fetch the service or parse the action, fall back to prefix matching
                     stmt_prefix = statement_action.rstrip("*")
                     for pattern in patterns:
@@ -627,7 +943,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 if not any_present:
                     # Create a combined error for any_of
-                    condition_keys = [cond.get("condition_key", "unknown") for cond in any_of]
+                    # Handle both simple conditions and nested all_of
+                    condition_keys = []
+                    for cond in any_of:
+                        if "all_of" in cond:
+                            # Nested all_of - collect all condition keys
+                            nested_keys = [
+                                c.get("condition_key", "unknown") for c in cond["all_of"]
+                            ]
+                            condition_keys.append(f"({' + '.join(f'`{k}`' for k in nested_keys)})")
+                        else:
+                            # Simple condition
+                            condition_keys.append(f"`{cond.get('condition_key', 'unknown')}`")
+                    condition_keys_formatted = " OR ".join(condition_keys)
+                    matching_actions_formatted = ", ".join(f"`{a}`" for a in matching_actions)
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
@@ -635,8 +964,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             statement_index=statement_idx,
                             issue_type="missing_required_condition_any_of",
                             message=(
-                                f"Actions {matching_actions} require at least ONE of these conditions: "
-                                f"{', '.join(condition_keys)}"
+                                f"Actions `{matching_actions_formatted}` require at least ONE of these conditions: "
+                                f"{condition_keys_formatted}"
                             ),
                             action=", ".join(matching_actions),
                             suggestion=self._build_any_of_suggestion(any_of),
@@ -773,12 +1102,13 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             condition_key, description, example, expected_value, operator
         )
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_required_condition",
-            message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
+            message=f"{message_prefix} Action(s) `{matching_actions_str}` require condition `{condition_key}`",
             action=", ".join(matching_actions),
             condition_key=condition_key,
             suggestion=suggestion_text,
@@ -799,7 +1129,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         Returns:
             Tuple of (suggestion_text, example_code)
         """
-        suggestion = description if description else f"Add condition: {condition_key}"
+        suggestion = description if description else f"Add condition: `{condition_key}`"
         # Build example based on condition key type
         if example:
@@ -843,15 +1173,38 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         suggestions.append("Add at least ONE of these conditions:")
         for i, cond in enumerate(any_of_conditions, 1):
-            condition_key = cond.get("condition_key", "unknown")
-            description = cond.get("description", "")
-            expected_value = cond.get("expected_value")
+            # Handle nested all_of blocks
+            if "all_of" in cond:
+                # Nested all_of - show all required conditions together
+                all_of_list = cond["all_of"]
+                condition_keys = [c.get("condition_key", "unknown") for c in all_of_list]
+                condition_keys_formatted = " + ".join(f"`{k}`" for k in condition_keys)
+                option = f"\n- **Option {i}**: {condition_keys_formatted} (both required)"
+                # Use description from first condition or combine them
+                descriptions = [
+                    c.get("description", "") for c in all_of_list if c.get("description")
+                ]
+                if descriptions:
+                    option += f" - {descriptions[0]}"
+                # Show example from first condition that has one
+                for c in all_of_list:
+                    if c.get("example"):
+                        # Example will be shown separately, just note it's available
+                        break
+            else:
+                # Simple condition (original behavior)
+                condition_key = cond.get("condition_key", "unknown")
+                description = cond.get("description", "")
+                expected_value = cond.get("expected_value")
-            option = f"\nOption {i}: {condition_key}"
-            if description:
-                option += f" - {description}"
-            if expected_value is not None:
-                option += f" (value: {expected_value})"
+                option = f"\n- **Option {i}**: `{condition_key}`"
+                if description:
+                    option += f" - {description}"
+                if expected_value is not None:
+                    option += f" (value: `{expected_value}`)"
             suggestions.append(option)
@@ -870,13 +1223,12 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         description = condition_requirement.get("description", "")
         expected_value = condition_requirement.get("expected_value")
-        message = (
-            f"FORBIDDEN: Action(s) {matching_actions} must NOT have condition '{condition_key}'"
-        )
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
+        message = f"FORBIDDEN: Action(s) `{matching_actions_str}` must NOT have condition `{condition_key}`"
         if expected_value is not None:
-            message += f" with value '{expected_value}'"
+            message += f" with value `{expected_value}`"
-        suggestion = f"Remove the '{condition_key}' condition from the statement"
+        suggestion = f"Remove the `{condition_key}` condition from the statement"
         if description:
             suggestion += f". {description}"

iam-policy-validator 1.7.2__py3-none-any.whl → 1.9.0__py3-none-any.whl

iam-policy-validator 1.7.2py3-none-any.whl → 1.9.0py3-none-any.whl