iam-policy-validator 1.8.0__py3-none-any.whl → 1.9.0__py3-none-any.whl

iam_validator/checks/sensitive_action.py

@@ -1,6 +1,6 @@
 """Sensitive action check - detects sensitive actions without IAM conditions."""
 
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, ClassVar
 
 from iam_validator.checks.utils.policy_level_checks import check_policy_level_actions
 from iam_validator.checks.utils.sensitive_action_matcher import (
@@ -8,7 +8,7 @@ from iam_validator.checks.utils.sensitive_action_matcher import (
     check_sensitive_actions,
 )
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.config.sensitive_actions import get_category_for_action
 from iam_validator.core.models import Statement, ValidationIssue
@@ -20,17 +20,9 @@ if TYPE_CHECKING:
 class SensitiveActionCheck(PolicyCheck):
     """Checks for sensitive actions without IAM conditions to limit their use."""
 
-    @property
-    def check_id(self) -> str:
-        return "sensitive_action"
-
-    @property
-    def description(self) -> str:
-        return "Checks for sensitive actions without conditions"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"
+    check_id: ClassVar[str] = "sensitive_action"
+    description: ClassVar[str] = "Checks for sensitive actions without conditions"
+    default_severity: ClassVar[str] = "medium"
 
     def _get_severity_for_action(self, action: str, config: CheckConfig) -> str:
         """
@@ -86,6 +78,7 @@ class SensitiveActionCheck(PolicyCheck):
         return (
             "Add IAM conditions to limit when this action can be used. Use ABAC for scalability:\n"
             "• Match principal tags to resource tags (`aws:PrincipalTag/<tag-name>` = `aws:ResourceTag/<tag-name>`)\n"
+            "• Match organization principal tags to resource tags (`aws:PrincipalOrgID` = `aws:ResourceOrgID`)\n"
             "• Require MFA (`aws:MultiFactorAuthPresent` = `true`)\n"
             "• Restrict by IP (`aws:SourceIp`) or VPC (`aws:SourceVpc`)",
             '"Condition": {\n'
@@ -125,14 +118,14 @@ class SensitiveActionCheck(PolicyCheck):
             if len(matched_actions) == 1:
                 message_template = config.config.get(
                     "message_single",
-                    "Sensitive action '{action}' should have conditions to limit when it can be used",
+                    "Sensitive action `{action}` should have conditions to limit when it can be used",
                 )
                 message = message_template.format(action=matched_actions[0])
             else:
                 action_list = "', '".join(matched_actions)
                 message_template = config.config.get(
                     "message_multiple",
-                    "Sensitive actions '{actions}' should have conditions to limit when they can be used",
+                    "Sensitive actions `{actions}` should have conditions to limit when they can be used",
                 )
                 message = message_template.format(actions=action_list)
 

iam_validator/checks/service_wildcard.py

@@ -1,6 +1,8 @@
 """Service wildcard check - detects service-level wildcards like 'iam:*', 's3:*'."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ServiceWildcardCheck(PolicyCheck):
     """Checks for service-level wildcards (e.g., 'iam:*', 's3:*') which grant all permissions for a service."""
 
-    @property
-    def check_id(self) -> str:
-        return "service_wildcard"
-
-    @property
-    def description(self) -> str:
-        return "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
-
-    @property
-    def default_severity(self) -> str:
-        return "high"
+    check_id: ClassVar[str] = "service_wildcard"
+    description: ClassVar[str] = "Checks for service-level wildcards (e.g., 'iam:*', 's3:*')"
+    default_severity: ClassVar[str] = "high"
 
     async def execute(
         self,

iam_validator/checks/set_operator_validation.py

@@ -6,7 +6,9 @@ Based on AWS IAM best practices:
 https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
     is_multivalued_context_key,
@@ -18,20 +20,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class SetOperatorValidationCheck(PolicyCheck):
     """Check for proper usage of ForAllValues and ForAnyValue set operators."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "set_operator_validation"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Validates proper usage of ForAllValues and ForAnyValue set operators"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "error"
+    check_id: ClassVar[str] = "set_operator_validation"
+    description: ClassVar[str] = (
+        "Validates proper usage of ForAllValues and ForAnyValue set operators"
+    )
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -120,8 +113,8 @@ class SetOperatorValidationCheck(PolicyCheck):
                             ValidationIssue(
                                 severity="warning",
                                 message=(
-                                    f"Security risk: ForAllValues with Allow effect on `{condition_key}` "
-                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f"Security risk: `ForAllValues` with `Allow` effect on `{condition_key}` "
+                                    f"should include a `Null` condition check. Without it, requests with missing "
                                     f'`{condition_key}` will be granted access. Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"
                                 ),
@@ -141,7 +134,7 @@ class SetOperatorValidationCheck(PolicyCheck):
                                 severity="warning",
                                 message=(
                                     f"Unpredictable behavior: `ForAnyValue` with `Deny` effect on `{condition_key}` "
-                                    f"should include a Null condition check. Without it, requests with missing "
+                                    f"should include a `Null` condition check. Without it, requests with missing "
                                     f"`{condition_key}` will evaluate to `No match` instead of denying access. "
                                     f'Add: `"Null": {{"{condition_key}": "false"}}`. '
                                     f"See: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-single-vs-multi-valued-context-keys.html"

iam_validator/checks/sid_uniqueness.py

@@ -13,10 +13,11 @@ statement, examining all statements in the policy to find duplicates and format
 
 import re
 from collections import Counter
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
-from iam_validator.core.models import IAMPolicy, Statement, ValidationIssue
+from iam_validator.core.models import IAMPolicy, ValidationIssue
 
 
 def _check_sid_uniqueness_impl(policy: IAMPolicy, severity: str) -> list[ValidationIssue]:
@@ -111,42 +112,11 @@ class SidUniquenessCheck(PolicyCheck):
     It only runs once when processing the first statement to avoid duplicate work.
     """
 
-    @property
-    def check_id(self) -> str:
-        return "sid_uniqueness"
-
-    @property
-    def description(self) -> str:
-        return "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements (no spaces)"
-
-    @property
-    def default_severity(self) -> str:
-        return "warning"
-
-    async def execute(
-        self,
-        statement: Statement,
-        statement_idx: int,
-        fetcher: AWSServiceFetcher,
-        config: CheckConfig,
-    ) -> list[ValidationIssue]:
-        """Execute the SID uniqueness check at statement level.
-
-        This is a policy-level check, so statement-level execution returns empty.
-        The actual check runs in execute_policy() which has access to all statements.
-
-        Args:
-            statement: The IAM policy statement (unused)
-            statement_idx: Index of the statement in the policy (unused)
-            fetcher: AWS service fetcher (unused for this check)
-            config: Configuration for this check instance (unused)
-
-        Returns:
-            Empty list (actual check runs in execute_policy())
-        """
-        del statement, statement_idx, fetcher, config  # Unused
-        # This is a policy-level check - execution happens in execute_policy()
-        return []
+    check_id: ClassVar[str] = "sid_uniqueness"
+    description: ClassVar[str] = (
+        "Validates that Statement IDs (Sids) are unique and follow AWS naming requirements (no spaces)"
+    )
+    default_severity: ClassVar[str] = "warning"
 
     async def execute_policy(
         self,

iam_validator/checks/trust_policy_validation.py

@@ -34,9 +34,9 @@ This check is DISABLED by default. Enable it for trust policy validation:
 """
 
 import re
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -79,17 +79,11 @@ class TrustPolicyValidationCheck(PolicyCheck):
         },
     }
 
-    @property
-    def check_id(self) -> str:
-        return "trust_policy_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates trust policies for role assumption security and action-principal coupling"
-
-    @property
-    def default_severity(self) -> str:
-        return "high"
+    check_id: ClassVar[str] = "trust_policy_validation"
+    description: ClassVar[str] = (
+        "Validates trust policies for role assumption security and action-principal coupling"
+    )
+    default_severity: ClassVar[str] = "high"
 
     async def execute(
         self,
@@ -256,7 +250,7 @@ class TrustPolicyValidationCheck(PolicyCheck):
                     ValidationIssue(
                         severity=self.get_severity(config),
                         issue_type="invalid_principal_type_for_assume_action",
-                        message=f"Action `{action}` should not use Principal type `{principal_type}`. "
+                        message=f"Action `{action}` should not use `Principal` type `{principal_type}`. "
                         f"Expected principal types: {allowed_list}",
                         statement_index=statement_idx,
                         statement_sid=statement.sid,

iam_validator/checks/utils/wildcard_expansion.py

@@ -7,7 +7,7 @@ to their actual action names using the AWS Service Reference API.
 import re
 from functools import lru_cache
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 
 
 # Global cache for compiled wildcard patterns (shared across checks)

iam_validator/checks/wildcard_action.py

@@ -1,6 +1,8 @@
 """Wildcard action check - detects Action: '*' in IAM policies."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class WildcardActionCheck(PolicyCheck):
     """Checks for wildcard actions (Action: '*') which grant all permissions."""
 
-    @property
-    def check_id(self) -> str:
-        return "wildcard_action"
-
-    @property
-    def description(self) -> str:
-        return "Checks for wildcard actions (*)"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"
+    check_id: ClassVar[str] = "wildcard_action"
+    description: ClassVar[str] = "Checks for wildcard actions (*)"
+    default_severity: ClassVar[str] = "medium"
 
     async def execute(
         self,

iam_validator/checks/wildcard_resource.py

@@ -1,7 +1,9 @@
 """Wildcard resource check - detects Resource: '*' in IAM policies."""
 
+from typing import ClassVar
+
 from iam_validator.checks.utils.wildcard_expansion import expand_wildcard_actions
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -9,17 +11,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class WildcardResourceCheck(PolicyCheck):
     """Checks for wildcard resources (Resource: '*') which grant access to all resources."""
 
-    @property
-    def check_id(self) -> str:
-        return "wildcard_resource"
-
-    @property
-    def description(self) -> str:
-        return "Checks for wildcard resources (*)"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"
+    check_id: ClassVar[str] = "wildcard_resource"
+    description: ClassVar[str] = "Checks for wildcard resources (*)"
+    default_severity: ClassVar[str] = "medium"
 
     async def execute(
         self,

iam_validator/commands/cache.py

@@ -8,7 +8,8 @@ from rich.console import Console
 from rich.table import Table
 
 from iam_validator.commands.base import Command
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
+from iam_validator.core.aws_service.storage import ServiceFileStorage
 from iam_validator.core.config.config_loader import ConfigLoader
 
 logger = logging.getLogger(__name__)
@@ -130,7 +131,7 @@ Examples:
         cache_ttl_seconds = cache_ttl_hours * 3600
 
         # Get cache directory (even if caching is disabled, for info purposes)
-        cache_dir = AWSServiceFetcher._get_cache_directory(cache_directory)
+        cache_dir = ServiceFileStorage.get_cache_directory(cache_directory)
 
         action = args.cache_action
 
@@ -226,7 +227,7 @@ Examples:
             services.append({"name": name, "size": size, "file": f.name, "mtime": mtime})
 
         # Sort by service name
-        services.sort(key=lambda x: x["name"])
+        services.sort(key=lambda x: str(x["name"]))
 
         if output_format == "table":
             self._print_services_table(services)

iam_validator/commands/validate.py

@@ -44,6 +44,9 @@ Examples:
   # Use custom checks from a directory
   iam-validator validate --path ./policies/ --custom-checks-dir ./my-checks
 
+  # Use offline mode with pre-downloaded AWS service definitions
+  iam-validator validate --path ./policies/ --aws-services-dir ./aws_services
+
   # Generate JSON output
   iam-validator validate --path ./policies/ --format json --output report.json
 
@@ -163,6 +166,13 @@ Examples:
             help="Path to directory containing custom checks for auto-discovery",
         )
 
+        parser.add_argument(
+            "--aws-services-dir",
+            help="Path to directory containing pre-downloaded AWS service definitions "
+            "(enables offline mode, avoids API rate limiting). "
+            "Use 'iam-validator download-services' to create this directory.",
+        )
+
         parser.add_argument(
             "--stream",
             action="store_true",
@@ -242,12 +252,14 @@ Examples:
         # Validate policies
         config_path = getattr(args, "config", None)
         custom_checks_dir = getattr(args, "custom_checks_dir", None)
+        aws_services_dir = getattr(args, "aws_services_dir", None)
         policy_type = cast(PolicyType, getattr(args, "policy_type", "IDENTITY_POLICY"))
         results = await validate_policies(
             policies,
             config_path=config_path,
             custom_checks_dir=custom_checks_dir,
             policy_type=policy_type,
+            aws_services_dir=aws_services_dir,
         )
 
         # Generate report (include parsing errors if any)

iam_validator/core/__init__.py

@@ -1,6 +1,6 @@
 """Core validation modules."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.policy_checks import validate_policies
 from iam_validator.core.policy_loader import PolicyLoader
 from iam_validator.core.report import ReportGenerator