iam-policy-validator 1.7.2__py3-none-any.whl → 1.9.0__py3-none-any.whl

iam_validator/checks/resource_validation.py

@@ -1,8 +1,9 @@
 """Resource validation check - validates ARN formats."""
 
 import re
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.constants import DEFAULT_ARN_VALIDATION_PATTERN, MAX_ARN_LENGTH
 from iam_validator.core.models import Statement, ValidationIssue
@@ -15,17 +16,9 @@ from iam_validator.sdk.arn_matching import (
 class ResourceValidationCheck(PolicyCheck):
     """Validates ARN format for resources."""
 
-    @property
-    def check_id(self) -> str:
-        return "resource_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates ARN format for resources"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
+    check_id: ClassVar[str] = "resource_validation"
+    description: ClassVar[str] = "Validates ARN format for resources"
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -75,7 +68,7 @@ class ResourceValidationCheck(PolicyCheck):
                         issue_type="invalid_resource",
                         message=f"Resource ARN exceeds maximum length ({len(resource)} > {MAX_ARN_LENGTH}): {resource[:100]}...",
                         resource=resource[:100] + "...",
-                        suggestion="ARN is too long and may be invalid",
+                        suggestion="`ARN` is too long and may be invalid",
                         line_number=line_number,
                     )
                 )
@@ -101,9 +94,9 @@ class ResourceValidationCheck(PolicyCheck):
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="invalid_resource",
-                                message=f"Invalid ARN format even after normalizing template variables: {resource}",
+                                message=f"Invalid `ARN` format even after normalizing template variables: `{resource}`",
                                 resource=resource,
-                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource (template variables like ${aws_account_id} are supported)",
+                                suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource` (template variables like `${aws_account_id}` are supported)",
                                 line_number=line_number,
                             )
                         )
@@ -114,13 +107,13 @@ class ResourceValidationCheck(PolicyCheck):
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="invalid_resource",
-                                message=f"Invalid ARN format: {resource}",
+                                message=f"Invalid `ARN` format: `{resource}`",
                                 resource=resource,
-                                suggestion="ARN should follow format: arn:partition:service:region:account-id:resource",
+                                suggestion="`ARN` should follow format: `arn:partition:service:region:account-id:resource`",
                                 line_number=line_number,
                             )
                         )
-            except Exception:
+            except Exception:  # pylint: disable=broad-exception-caught
                 # If regex matching fails (shouldn't happen with length check), treat as invalid
                 issues.append(
                     ValidationIssue(
@@ -128,9 +121,9 @@ class ResourceValidationCheck(PolicyCheck):
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="invalid_resource",
-                        message=f"Could not validate ARN format: {resource}",
+                        message=f"Could not validate `ARN` format: `{resource}`",
                         resource=resource,
-                        suggestion="ARN validation failed - may contain unexpected characters",
+                        suggestion="`ARN` validation failed - may contain unexpected characters",
                         line_number=line_number,
                     )
                 )

iam_validator/checks/sensitive_action.py

@@ -1,6 +1,6 @@
 """Sensitive action check - detects sensitive actions without IAM conditions."""
 
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, ClassVar
 
 from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
 from iam_validator.checks.utils.sensitive_action_matcher import (
@@ -8,7 +8,7 @@ from iam_validator.checks.utils.sensitive_action_matcher import (
     check_sensitive_actions,
 )
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.config.sensitive_actions import get_category_for_action
 from iam_validator.core.models import Statement, ValidationIssue
@@ -20,17 +20,9 @@ if TYPE_CHECKING:
 class SensitiveActionCheck(PolicyCheck):
     """Checks for sensitive actions without IAM conditions to limit their use."""
 
-    @property
-    def check_id(self) -> str:
-        return "sensitive_action"
-
-    @property
-    def description(self) -> str:
-        return "Checks for sensitive actions without conditions"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"
+    check_id: ClassVar[str] = "sensitive_action"
+    description: ClassVar[str] = "Checks for sensitive actions without conditions"
+    default_severity: ClassVar[str] = "medium"
 
     def _get_severity_for_action(self, action: str, config: CheckConfig) -> str:
         """
@@ -85,9 +77,10 @@ class SensitiveActionCheck(PolicyCheck):
         # Generic ABAC fallback for uncategorized actions
         return (
             "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
-            "• Match principal tags to resource tags (aws:PrincipalTag/<tag-name> = aws:ResourceTag/<tag-name>)\n"
-            "• Require MFA (aws:MultiFactorAuthPresent = true)\n"
-            "• Restrict by IP (aws:SourceIp) or VPC (aws:SourceVpc)",
+            "• Match principal tags to resource tags (`aws:PrincipalTag/<tag-name>` = `aws:ResourceTag/<tag-name>`)\n"
+            "• Match organization principal tags to resource tags (`aws:PrincipalOrgID` = `aws:ResourceOrgID`)\n"
+            "• Require MFA (`aws:MultiFactorAuthPresent` = `true`)\n"
+            "• Restrict by IP (`aws:SourceIp`) or VPC (`aws:SourceVpc`)",
             '"Condition": {\n'
             '  "StringEquals": {\n'
             '    "aws:PrincipalTag/owner": "${aws:ResourceTag/owner}"\n'
@@ -125,14 +118,14 @@ class SensitiveActionCheck(PolicyCheck):
             if len(matched_actions) == 1:
                 message_template = config.config.get(
                     "message_single",
-                    "Sensitive action '{action}' should have conditions to limit when it can be used",
+                    "Sensitive action `{action}` should have conditions to limit when it can be used",
                 )
                 message = message_template.format(action=matched_actions[0])
             else:
                 action_list = "', '".join(matched_actions)
                 message_template = config.config.get(
                     "message_multiple",
-                    "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                    "Sensitive actions `{actions}` should have conditions to limit when they can be used",
                 )
                 message = message_template.format(actions=action_list)
 
@@ -192,6 +185,10 @@ class SensitiveActionCheck(PolicyCheck):
         del policy_file, fetcher  # Not used in current implementation
         issues = []
 
+        # Handle policies with no statements
+        if not policy.statement:
+            return []
+
         # Collect all actions from all Allow statements across the entire policy
         all_actions: set[str] = set()
         statement_map: dict[

iam_validator/checks/service_wildcard.py

@@ -1,6 +1,8 @@
 """Service wildcard check - detects service-level wildcards like 'iam:*', 's3:*'."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ServiceWildcardCheck(PolicyCheck):
     """Checks for service-level wildcards (e.g., 'iam:*', 's3:*') which grant all permissions for a service."""
 
-    @property
-    def check_id(self) -> str:
-        return "service_wildcard"
-
-    @property
-    def description(self) -> str:
-        return "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
-
-    @property
-    def default_severity(self) -> str:
-        return "high"
+    check_id: ClassVar[str] = "service_wildcard"
+    description: ClassVar[str] = "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
+    default_severity: ClassVar[str] = "high"
 
     async def execute(
         self,
@@ -51,11 +45,11 @@ class ServiceWildcardCheck(PolicyCheck):
                     # Get message template and replace placeholders
                     message_template = config.config.get(
                         "message",
-                        "Service-level wildcard '{action}' grants all permissions for {service} service",
+                        "Service-level wildcard `{action}` grants all permissions for `{service}` service",
                     )
                     suggestion_template = config.config.get(
                         "suggestion",
-                        "Consider specifying explicit actions instead of '{action}'. If you need multiple actions, list them individually or use more specific wildcards like '{service}:Get*' or '{service}:List*'.",
+                        "Consider specifying explicit actions instead of `{action}`. If you need multiple actions, list them individually or use more specific wildcards like `{service}:Get*` or `{service}:List*`.",
                     )
                     example_template = config.config.get("example", "")
 

iam_validator/checks/set_operator_validation.py

@@ -6,7 +6,9 @@ Based on AWS IAM best practices:
 https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
     is_multivalued_context_key,
@@ -18,20 +20,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class SetOperatorValidationCheck(PolicyCheck):
     """Check for proper usage of ForAllValues and ForAnyValue set operators."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "set_operator_validation"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Validates proper usage of ForAllValues and ForAnyValue set operators"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "error"
+    check_id: ClassVar[str] = "set_operator_validation"
+    description: ClassVar[str] = (
+        "Validates proper usage of ForAllValues and ForAnyValue set operators"
+    )
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -73,7 +66,7 @@ class SetOperatorValidationCheck(PolicyCheck):
 
         # First pass: Identify set operators and Null checks
         for operator, conditions in statement.condition.items():
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, _operator_type, set_prefix = normalize_operator(operator)
 
             # Track Null checks
             if base_operator == "Null":
@@ -87,22 +80,22 @@ class SetOperatorValidationCheck(PolicyCheck):
 
         # Second pass: Validate set operator usage
         for operator, conditions in statement.condition.items():
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, _operator_type, set_prefix = normalize_operator(operator)
 
             if not set_prefix:
                 continue
 
             # Check each condition key used with a set operator
-            for condition_key, condition_values in conditions.items():
+            for condition_key, _condition_values in conditions.items():
                 # Issue 1: Set operator used with single-valued context key (anti-pattern)
                 if not is_multivalued_context_key(condition_key):
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Set operator '{set_prefix}' should not be used with single-valued "
-                                f"condition key '{condition_key}'. This can lead to overly permissive policies. "
-                                f"Set operators are designed for multivalued context keys like 'aws:TagKeys'. "
+                                f"Set operator `{set_prefix}` should not be used with single-valued "
+                                f"condition key `{condition_key}`. This can lead to overly permissive policies. "
+                                f"Set operators are designed for multivalued context keys like `aws:TagKeys`. "
                                 f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                             ),
                             statement_sid=statement_sid,
@@ -120,9 +113,9 @@ class SetOperatorValidationCheck(PolicyCheck):
                             ValidationIssue(
                                 severity="warning",
                                 message=(
-                                    f"Security risk: ForAllValues with Allow effect on '{condition_key}' "
-                                    f"should include a Null condition check. Without it, requests with missing "
-                                    f'\'{condition_key}\' will be granted access. Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"Security risk: `ForAllValues` with `Allow` effect on `{condition_key}` "
+                                    f"should include a `Null` condition check. Without it, requests with missing "
+                                    f'`{condition_key}` will be granted access. Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                                 ),
                                 statement_sid=statement_sid,
@@ -140,10 +133,10 @@ class SetOperatorValidationCheck(PolicyCheck):
                             ValidationIssue(
                                 severity="warning",
                                 message=(
-                                    f"Unpredictable behavior: ForAnyValue with Deny effect on '{condition_key}' "
-                                    f"should include a Null condition check. Without it, requests with missing "
-                                    f"'{condition_key}' will evaluate to 'No match' instead of denying access. "
-                                    f'Add: \'"Null": {{"{condition_key}": "false"}}\'. '
+                                    f"Unpredictable behavior: `ForAnyValue` with `Deny` effect on `{condition_key}` "
+                                    f"should include a `Null` condition check. Without it, requests with missing "
+                                    f"`{condition_key}` will evaluate to `No match` instead of denying access. "
+                                    f'Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                                 ),
                                 statement_sid=statement_sid,

iam_validator/checks/sid_uniqueness.py

@@ -13,10 +13,11 @@ statement, examining all statements in the policy to find duplicates and format
 
 import re
 from collections import Counter
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
-from iam_validator.core.models import IAMPolicy, Statement, ValidationIssue
+from iam_validator.core.models import IAMPolicy, ValidationIssue
 
 
 def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[ValidationIssue]:
@@ -35,6 +36,10 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
     # No spaces allowed
     sid_pattern = re.compile(r"^[a-zA-Z0-9_-]+$")
 
+    # Handle policies with no statements
+    if not policy.statement:
+        return []
+
     # Collect all SIDs (ignoring None/empty values) and check format
     sids_with_indices: list[tuple[str, int]] = []
     for idx, statement in enumerate(policy.statement):
@@ -43,15 +48,15 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
             if not sid_pattern.match(statement.sid):
                 # Identify the issue
                 if " " in statement.sid:
-                    issue_msg = f"Statement ID '{statement.sid}' contains spaces, which are not allowed by AWS"
+                    issue_msg = f"Statement ID `{statement.sid}` contains spaces, which are not allowed by AWS"
                     suggestion = (
-                        f"Remove spaces from the SID. Example: '{statement.sid.replace(' ', '')}'"
+                        f"Remove spaces from the SID. Example: `{statement.sid.replace(' ', '')}`"
                     )
                 else:
                     invalid_chars = "".join(
                         set(c for c in statement.sid if not c.isalnum() and c not in "_-")
                     )
-                    issue_msg = f"Statement ID '{statement.sid}' contains invalid characters: {invalid_chars}"
+                    issue_msg = f"Statement ID `{statement.sid}` contains invalid characters: `{invalid_chars}`"
                     suggestion = (
                         "SIDs must contain only alphanumeric characters, hyphens, and underscores"
                     )
@@ -91,7 +96,7 @@ def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[Validat
                     statement_sid=duplicate_sid,
                     statement_index=idx,
                     issue_type="duplicate_sid",
-                    message=f"Statement ID `{duplicate_sid}` is used **{count} times** in this policy (found in statements {statement_numbers})",
+                    message=f"Statement ID `{duplicate_sid}` is used **{count} times** in this policy (found in statements `{statement_numbers}`)",
                     suggestion="Change this SID to a unique value. Statement IDs help identify and reference specific statements, so duplicates can cause confusion.",
                     line_number=statement.line_number,
                 )
@@ -107,42 +112,11 @@ class SidUniquenessCheck(PolicyCheck):
     It only runs once when processing the first statement to avoid duplicate work.
     """
 
-    @property
-    def check_id(self) -> str:
-        return "sid_uniqueness"
-
-    @property
-    def description(self) -> str:
-        return "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements (no spaces)"
-
-    @property
-    def default_severity(self) -> str:
-        return "warning"
-
-    async def execute(
-        self,
-        statement: Statement,
-        statement_idx: int,
-        fetcher: AWSServiceFetcher,
-        config: CheckConfig,
-    ) -> list[ValidationIssue]:
-        """Execute the SID uniqueness check at statement level.
-
-        This is a policy-level check, so statement-level execution returns empty.
-        The actual check runs in execute_policy() which has access to all statements.
-
-        Args:
-            statement: The IAM policy statement (unused)
-            statement_idx: Index of the statement in the policy (unused)
-            fetcher: AWS service fetcher (unused for this check)
-            config: Configuration for this check instance (unused)
-
-        Returns:
-            Empty list (actual check runs in execute_policy())
-        """
-        del statement, statement_idx, fetcher, config  # Unused
-        # This is a policy-level check - execution happens in execute_policy()
-        return []
+    check_id: ClassVar[str] = "sid_uniqueness"
+    description: ClassVar[str] = (
+        "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements (no spaces)"
+    )
+    default_severity: ClassVar[str] = "warning"
 
     async def execute_policy(
         self,