# IAM Policy Validator
> **Catch IAM policy errors before they reach production** - A comprehensive security and validation tool for AWS IAM policies that combines AWS's official Access Analyzer with powerful custom security checks.
[GitHub Marketplace](https://github.com/marketplace/actions/iam-policy-validator) · [Python](https://www.python.org/downloads/) · [License](LICENSE)
## 🚀 Why IAM Policy Validator?
**IAM policy errors are costly and dangerous.** A single misconfigured policy can:
- ❌ Grant unintended admin access (privilege escalation)
- ❌ Expose sensitive data to the public
- ❌ Break production deployments with invalid syntax
- ❌ Create security vulnerabilities that persist for months
**This tool prevents these issues** by:
- ✅ **Validating early** - Catch errors in PRs before merge
- ✅ **Comprehensive checks** - AWS Access Analyzer + 15+ security checks
- ✅ **Smart filtering** - Auto-detects IAM policies from mixed JSON/YAML files
- ✅ **Developer-friendly** - Clear error messages with fix suggestions
- ✅ **Zero setup** - Works as a GitHub Action out of the box
## ✨ Key Features
### 🔍 Multi-Layer Validation
- **AWS IAM Access Analyzer** - Official AWS validation (syntax, permissions, security)
- **Custom Security Checks** - 15+ specialized checks for best practices
- **Policy Comparison** - Detect new permissions vs baseline (prevent scope creep)
- **Public Access Detection** - Check 29+ AWS resource types for public exposure
- **Privilege Escalation Detection** - Identify dangerous action combinations
### 🎯 Smart & Efficient
- **Automatic IAM Policy Detection** - Scans mixed repos, filters non-IAM files automatically
- **Wildcard Expansion** - Expands `s3:Get*` patterns to validate specific actions
- **Offline Validation** - Download AWS service definitions for air-gapped environments
- **JSON + YAML Support** - Native support for both formats
- **Streaming Mode** - Memory-efficient processing for large policy sets
### ⚡ Performance Optimized
- **Service Pre-fetching** - Common AWS services cached at startup (faster validation)
- **LRU Memory Cache** - Recently accessed services cached with TTL
- **Request Coalescing** - Duplicate API requests automatically deduplicated
- **Parallel Execution** - Multiple checks run concurrently
- **HTTP/2 Support** - Multiplexed connections for better API performance
### 📊 Output Formats
- **Console** (default) - Clean terminal output with colors and tables
- **Enhanced** - Modern visual output with progress bars and tree structure
- **JSON** - Structured format for programmatic processing
- **Markdown** - GitHub-flavored markdown for PR comments
- **SARIF** - GitHub code scanning integration format
- **CSV** - Spreadsheet-compatible for analysis
- **HTML** - Interactive reports with filtering and search
### 🔌 Extensibility
- **Plugin System** - Easy-to-add custom validation checks
- **Configuration-Driven** - YAML-based configuration for all aspects
- **CI/CD Ready** - GitHub Actions, GitLab CI, Jenkins, CircleCI
## 📈 Real-World Impact
### Common IAM Policy Issues This Tool Catches
**Before IAM Policy Validator:**
```json
{
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:*",   // ❌ Too permissive
    "Resource": "*"     // ❌ All buckets!
  }]
}
```
**Issue:** Grants full S3 access to ALL buckets (data breach risk)
**After IAM Policy Validator:**
```
❌ MEDIUM: Statement applies to all resources (*)
❌ HIGH: Wildcard action 's3:*' with resource '*' is overly permissive
💡 Suggestion: Specify exact actions and bucket ARNs
```
### Privilege Escalation Detection
**Dangerous combination across multiple statements:**
```json
{
  "Statement": [
    {"Action": "iam:CreateUser"},        // Seems innocent
    {"Action": "iam:AttachUserPolicy"}   // Also seems innocent
  ]
}
```
**What the validator catches:**
```
🚨 CRITICAL: Privilege escalation risk detected!
Actions ['iam:CreateUser', 'iam:AttachUserPolicy'] allow:
  1. Create new IAM user
  2. Attach AdministratorAccess policy to that user
  3. Gain full AWS account access

💡 Add conditions or separate these permissions
```
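The cross-statement detection shown above, as an added example (not the project's code): it expands wildcard actions against a small catalogue, collects every action the policy allows, and reports any escalation pattern whose actions are all present. `ACTION_CATALOGUE` and `ESCALATION_PATTERNS` are constructed stand-ins for the real AWS service definitions, and the second pattern is an assumed addition.

```python
"""Detect privilege-escalation action combinations across statements.

Added example, not the project's code. The action catalogue and the
escalation patterns are constructed for illustration; the real tool
expands wildcards against the full AWS service definitions.
"""
import fnmatch
import json

# Constructed subset of the AWS action catalogue, keyed by service prefix.
ACTION_CATALOGUE = {
    "iam": ["CreateUser", "AttachUserPolicy", "PutUserPolicy",
            "CreateAccessKey", "PassRole", "ListUsers"],
    "s3": ["GetObject", "PutObject", "ListBucket", "DeleteBucket"],
}

# A pattern fires when every action in the set is allowed somewhere in the
# policy. The first is the README's example; the second is an assumed
# addition to show that this table is the extension point.
ESCALATION_PATTERNS = {
    "iam-create-user-attach-policy": frozenset({"iam:CreateUser", "iam:AttachUserPolicy"}),
    "iam-create-user-inline-policy": frozenset({"iam:CreateUser", "iam:PutUserPolicy"}),
}


def _as_list(value):
    """IAM allows scalars or lists for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expand_action(pattern: str) -> set[str]:
    """Expand an Action entry to the concrete catalogue actions it covers.

    Handles '*', 'iam:*', 's3:Get*' and exact names. IAM matches action
    names case-insensitively, so both sides are lower-cased. An entry that
    expands to nothing names an action that does not exist (the README's
    action validation check).
    """
    if pattern == "*":
        return {f"{svc}:{act}" for svc, acts in ACTION_CATALOGUE.items() for act in acts}
    service_glob, _, action_glob = pattern.partition(":")
    matched = set()
    for svc, acts in ACTION_CATALOGUE.items():
        if not fnmatch.fnmatchcase(svc, service_glob.lower()):
            continue
        matched.update(f"{svc}:{act}" for act in acts
                       if fnmatch.fnmatchcase(act.lower(), action_glob.lower()))
    return matched


def allowed_actions(policy: dict) -> dict[str, bool]:
    """Map each allowed concrete action to True only if every statement
    granting it carries a Condition block. Deny and NotAction statements
    are not modelled here."""
    granted: dict[str, bool] = {}
    for stmt in _as_list(policy.get("Statement")):
        # IAM requires Effect; a missing one is treated as Allow so the
        # detector errs toward reporting (the README sample omits it).
        if stmt.get("Effect", "Allow") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for pattern in _as_list(stmt.get("Action")):
            for action in expand_action(pattern):
                granted[action] = granted.get(action, True) and conditioned
    return granted


def find_escalations(policy: dict) -> list[dict]:
    """Report every escalation pattern fully covered by the policy. A pattern
    whose actions are all condition-gated is downgraded to HIGH."""
    granted = allowed_actions(policy)
    findings = []
    for name, required in ESCALATION_PATTERNS.items():
        if required.issubset(granted):
            unconditional = [a for a in sorted(required) if not granted[a]]
            findings.append({
                "pattern": name,
                "actions": sorted(required),
                "severity": "CRITICAL" if unconditional else "HIGH",
            })
    return findings


# Constructed policy: no single statement looks dangerous, but the wildcard
# in the second one grants iam:AttachUserPolicy alongside iam:CreateUser.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:Attach*", "s3:Get*"], "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(find_escalations(SAMPLE_POLICY), indent=2))
```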
### Public Access Prevention
**Before merge:**
```json
{
  "Principal": "*",   // ❌ Anyone on the internet!
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-private-data/*"
}
```
**Blocked by validator:**
```
🛑 CRITICAL: Resource policy allows public access
29 resource types checked: AWS::S3::Bucket
Principal "*" grants internet-wide access to private data
💡 Use specific AWS principals or add IP restrictions
```
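A local approximation of the public-access check described above, as an added example that is neither the project's nor Access Analyzer's code. A statement is reported when it allows a wildcard principal (or uses `NotPrincipal` with `Allow`); a condition on a narrowing key only lowers the severity, because the grant is still anonymous. `NARROWING_KEYS` is a constructed, non-exhaustive list and the bucket policy is constructed.

```python
"""Flag resource-policy statements that grant access to any principal.

Added example, not the project's code. It approximates the public-access
check locally: a statement is public when Effect is Allow and the principal
is "*" (or {"AWS": "*"}), or when NotPrincipal is used with Allow. A
condition on a narrowing key lowers the severity rather than clearing the
finding, because the grant is still anonymous.
"""
import json

# Constructed, non-exhaustive list of condition keys that narrow who can
# use an otherwise-public grant (compared case-insensitively).
NARROWING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
}


def _as_list(value):
    """IAM allows scalars or lists for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    """True for both spellings of 'any principal'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_keys(stmt: dict) -> set[str]:
    """Collect every condition key used in the statement, lower-cased."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def find_public_statements(policy: dict) -> list[dict]:
    """Return one finding per statement that is open to any principal."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(stmt.get("Principal")):
            reason = "Principal is *"
        elif "NotPrincipal" in stmt:
            # Allow + NotPrincipal grants to everyone except the listed principals.
            reason = "NotPrincipal with Allow"
        else:
            continue
        narrowed = bool(_condition_keys(stmt) & NARROWING_KEYS)
        findings.append({
            "statement": index,
            "actions": sorted(_as_list(stmt.get("Action"))),
            "severity": "MEDIUM" if narrowed else "CRITICAL",
            "reason": reason + (" (narrowed by condition)" if narrowed else ""),
        })
    return findings


# Constructed bucket policy: statement 0 is the README's open grant,
# statement 1 is the same grant restricted to a CIDR, statement 2 is a Deny.
SAMPLE_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-private-data/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-private-data/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-private-data/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(find_public_statements(SAMPLE_BUCKET_POLICY), indent=2))
```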
## Quick Start
### As a GitHub Action (Recommended) ⭐
The IAM Policy Validator is available as **both** a standalone GitHub Action and a Python module. Choose the approach that best fits your needs:
#### **Option A: Standalone GitHub Action** (Recommended - Zero Setup)
Use the published action directly - it handles all setup automatically:
Create `.github/workflows/iam-policy-validator.yml`:
```yaml
name: IAM Policy Validation

on:
  pull_request:
    paths:
      - 'policies/**/*.json'

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Validate IAM Policies
        uses: boogy/iam-policy-validator@v1
        with:
          path: policies/
          post-comment: true
          create-review: true
          fail-on-warnings: true
```
**Benefits:**
- ✅ Zero setup - action handles Python, uv, and dependencies
- ✅ Automatic dependency caching
- ✅ Simple, declarative configuration
- ✅ Perfect for CI/CD workflows
#### With AWS Access Analyzer (Standalone Action)
Use AWS's official policy validation service:
```yaml
name: IAM Policy Validation with Access Analyzer

on:
  pull_request:
    paths:
      - 'policies/**/*.json'

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # Required for AWS OIDC

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsRole
          aws-region: us-east-1

      - name: Validate with Access Analyzer
        uses: boogy/iam-policy-validator@v1
        with:
          path: policies/
          use-access-analyzer: true
          run-all-checks: true
          post-comment: true
          create-review: true
          fail-on-warnings: true
```
#### **Option B: As Python Module/CLI Tool**
For advanced use cases or when you need more control:
```yaml
name: IAM Policy Validation (CLI)

on:
  pull_request:
    paths:
      - 'policies/**/*.json'

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install uv
        uses: astral-sh/setup-uv@v3

      - name: Install dependencies
        run: uv sync

      - name: Validate IAM Policies
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          uv run iam-validator validate \
            --path ./policies/ \
            --github-comment \
            --github-review \
            --fail-on-warnings \
            --log-level info
```
**Use this when you need:**
- Advanced CLI options (e.g., `--log-level`, `--custom-checks-dir`, `--stream`)
- Full control over the Python environment
- Integration with existing Python workflows
- Multiple validation commands in sequence
#### Custom Policy Checks (Standalone Action)
Enforce specific security requirements:
```yaml
name: IAM Policy Security Validation

on:
  pull_request:
    paths:
      - 'policies/**/*.json'

jobs:
  validate-security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: us-east-1

      # Prevent dangerous actions
      - name: Check for Dangerous Actions
        uses: boogy/iam-policy-validator@v1
        with:
          path: policies/
          use-access-analyzer: true
          check-access-not-granted: "s3:DeleteBucket iam:CreateAccessKey iam:AttachUserPolicy"
          post-comment: true
          fail-on-warnings: true

      # Check S3 bucket policies for public access
      - name: Check S3 Public Access
        uses: boogy/iam-policy-validator@v1
        with:
          path: s3-policies/
          use-access-analyzer: true
          policy-type: RESOURCE_POLICY
          check-no-public-access: true
          public-access-resource-type: "AWS::S3::Bucket"
          post-comment: true
          fail-on-warnings: true

      # Compare against baseline to prevent new permissions
      - name: Checkout baseline from main
        uses: actions/checkout@v5
        with:
          ref: main
          path: baseline

      - name: Check for New Access
        uses: boogy/iam-policy-validator@v1
        with:
          path: policies/role-policy.json
          use-access-analyzer: true
          check-no-new-access: baseline/policies/role-policy.json
          post-comment: true
          fail-on-warnings: true
```
---
### Choosing the Right Approach
| Feature | Standalone Action | Python Module/CLI |
| --------------------- | ------------------------ | ------------------------------------------------------------------------ |
| Setup Required | None - fully automated | Manual (Python, uv, dependencies) |
| Configuration | YAML inputs | CLI arguments |
| Advanced Options | Limited to action inputs | Full CLI access (`--log-level`, `--custom-checks-dir`, `--stream`, etc.) |
| Custom Checks | Via config file only | Via config file or `--custom-checks-dir` |
| Best For | CI/CD, simple workflows | Development, advanced workflows, testing |
| Dependency Management | Automatic | Manual |
**Recommendation:** Use the **Standalone Action** for production CI/CD workflows, and the **Python Module/CLI** for development, testing, or when you need advanced features.
#### Multiple Paths (Standalone Action)
Validate policies across multiple directories:
```yaml
- name: Validate Multiple Paths
  uses: boogy/iam-policy-validator@v1
  with:
    path: |
      iam/
      s3-policies/
      lambda-policies/special-policy.json
    post-comment: true
    fail-on-warnings: true
```
#### Custom Configuration
Use a custom configuration file to customize validation rules:
```yaml
name: IAM Policy Validation with Custom Config

on:
  pull_request:
    paths:
      - 'policies/**/*.json'
      - '.iam-validator.yaml'

jobs:
  validate:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Validate with Custom Config
        uses: boogy/iam-policy-validator@v1
        with:
          path: policies/
          config-file: .iam-validator.yaml
          post-comment: true
          create-review: true
          fail-on-warnings: true
```
**Example `.iam-validator.yaml`:**
```yaml
settings:
  fail_fast: false
  enable_builtin_checks: true

# Custom check configurations
security_best_practices_check:
  enabled: true

wildcard_action_check:
  enabled: true
  severity: high

action_condition_enforcement_check:
  enabled: true
  severity: critical
  action_condition_requirements:
    - actions:
        - "iam:PassRole"
      severity: critical
      required_conditions:
        - condition_key: "iam:PassedToService"
```
See [default-config.yaml](default-config.yaml) for a complete configuration example.
### GitHub Action Inputs
#### Core Options
| Input | Description | Required | Default |
| ------------------ | ----------------------------------------------------------- | -------- | ------- |
| `path` | Path(s) to IAM policy file or directory (newline-separated) | Yes | - |
| `config-file` | Path to custom configuration file (.yaml) | No | `""` |
| `fail-on-warnings` | Fail validation if warnings are found | No | `false` |
| `recursive` | Recursively search directories for policy files | No | `true` |
#### GitHub Integration
| Input | Description | Required | Default |
| --------------- | ------------------------------------------ | -------- | ------- |
| `post-comment` | Post validation results as PR comment | No | `true` |
| `create-review` | Create line-specific review comments on PR | No | `true` |
#### Output Options
| Input | Description | Required | Default |
| ------------- | -------------------------------------------------------------------------------- | -------- | --------- |
| `format` | Output format: `console`, `enhanced`, `json`, `markdown`, `sarif`, `csv`, `html` | No | `console` |
| `output-file` | Path to save output file (for non-console formats) | No | `""` |
#### AWS Access Analyzer
| Input | Description | Required | Default |
| ------------------------ | --------------------------------------------------------------------------- | -------- | ----------------- |
| `use-access-analyzer` | Use AWS IAM Access Analyzer for validation | No | `false` |
| `access-analyzer-region` | AWS region for Access Analyzer | No | `us-east-1` |
| `policy-type` | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY` | No | `IDENTITY_POLICY` |
| `run-all-checks` | Run custom checks after Access Analyzer (sequential mode) | No | `false` |
#### Custom Policy Checks (Access Analyzer)
| Input | Description | Required | Default |
| ----------------------------- | --------------------------------------------------------------------------- | -------- | ----------------- |
| `check-access-not-granted` | Actions that should NOT be granted (space-separated, max 100) | No | `""` |
| `check-access-resources` | Resources to check with check-access-not-granted (space-separated, max 100) | No | `""` |
| `check-no-new-access` | Path to baseline policy to compare against (detect new permissions) | No | `""` |
| `check-no-public-access` | Check that resource policies do not allow public access | No | `false` |
| `public-access-resource-type` | Resource type(s) for public access check (29+ types supported, or `all`) | No | `AWS::S3::Bucket` |
#### Advanced Options
| Input | Description | Required | Default |
| ------------------- | -------------------------------------------------------------- | -------- | --------- |
| `custom-checks-dir` | Path to directory containing custom validation checks | No | `""` |
| `log-level` | Logging level: `debug`, `info`, `warning`, `error`, `critical` | No | `warning` |
**💡 Pro Tips:**
- Use `custom-checks-dir` to add organization-specific validation rules
- Set `log-level: debug` when troubleshooting workflow issues
- Configure `aws-services-dir` in your config file for offline validation
- The action automatically filters IAM policies from mixed JSON/YAML files
See [examples/github-actions/](examples/github-actions/) for 8 ready-to-use workflow examples.
### As a CLI Tool
Install and use locally for development:
```bash
# Install from PyPI
pip install iam-policy-validator

# Or install with pipx (recommended for CLI tools)
pipx install iam-policy-validator

# Validate a single policy
iam-validator validate --path policy.json

# Validate all policies in a directory
iam-validator validate --path ./policies/

# Validate multiple paths
iam-validator validate --path policy1.json --path ./policies/ --path ./more-policies/

# Generate JSON output
iam-validator validate --path ./policies/ --format json --output report.json

# Validate with AWS IAM Access Analyzer
iam-validator analyze --path policy.json

# Analyze with specific region and profile
iam-validator analyze --path policy.json --region us-west-2 --profile my-profile

# Sequential validation: Access Analyzer → Custom Checks
iam-validator analyze \
  --path policy.json \
  --github-comment \
  --run-all-checks \
  --github-review
```
### Custom Policy Checks
AWS IAM Access Analyzer provides specialized checks to validate policies against specific security requirements:
#### 1. CheckAccessNotGranted - Prevent Dangerous Actions
Verify that policies do NOT grant specific actions (max 100 actions, 100 resources per check):
```bash
# Check that policies don't grant dangerous S3 actions
iam-validator analyze \
  --path ./policies/ \
  --check-access-not-granted s3:DeleteBucket s3:DeleteObject

# Scope to specific resources
iam-validator analyze \
  --path ./policies/ \
  --check-access-not-granted s3:PutObject \
  --check-access-resources "arn:aws:s3:::production-bucket/*"

# Prevent privilege escalation
iam-validator analyze \
  --path ./policies/ \
  --check-access-not-granted \
    iam:CreateAccessKey \
    iam:AttachUserPolicy \
    iam:PutUserPolicy
```
**Supported:** IDENTITY_POLICY, RESOURCE_POLICY
#### 2. CheckNoNewAccess - Validate Policy Updates
Ensure policy changes don't grant new permissions:
```bash
# Compare updated policy against baseline
iam-validator analyze \
  --path ./new-policy.json \
  --check-no-new-access ./old-policy.json

# In CI/CD - compare against main branch
git show main:policies/policy.json > baseline-policy.json
iam-validator analyze \
  --path policies/policy.json \
  --check-no-new-access baseline-policy.json
```
**Supported:** IDENTITY_POLICY, RESOURCE_POLICY
#### 3. CheckNoPublicAccess - Prevent Public Exposure
Validate that resource policies don't allow public access (29+ resource types):
```bash
# Check S3 bucket policies
iam-validator analyze \
  --path ./bucket-policy.json \
  --policy-type RESOURCE_POLICY \
  --check-no-public-access \
  --public-access-resource-type "AWS::S3::Bucket"

# Check multiple resource types
iam-validator analyze \
  --path ./resource-policies/ \
  --policy-type RESOURCE_POLICY \
  --check-no-public-access \
  --public-access-resource-type "AWS::S3::Bucket" "AWS::Lambda::Function" "AWS::SNS::Topic"

# Check ALL 29 resource types
iam-validator analyze \
  --path ./resource-policies/ \
  --policy-type RESOURCE_POLICY \
  --check-no-public-access \
  --public-access-resource-type all
```
**Supported Resource Types** (29 total, or use `all`):
- **Storage**: S3 Bucket, S3 Access Point, S3 Express, S3 Glacier, S3 Outposts, S3 Tables, EFS
- **Database**: DynamoDB Table/Stream, OpenSearch Domain
- **Messaging**: Kinesis Stream, SNS Topic, SQS Queue
- **Security**: KMS Key, Secrets Manager Secret, IAM Assume Role Policy
- **Compute**: Lambda Function
- **API**: API Gateway REST API
- **DevOps**: CodeArtifact Domain, Backup Vault, CloudTrail
See [docs/custom-policy-checks.md](docs/custom-policy-checks.md) for complete documentation.
### As a Python Package
Use as a library in your Python applications:
```python
import asyncio
from iam_validator.core import PolicyLoader, validate_policies, ReportGenerator


async def main():
    # Load every policy file under ./policies (JSON and YAML)
    loader = PolicyLoader()
    policies = loader.load_from_path("./policies")

    # Run the validation checks
    results = await validate_policies(policies)

    # Build the report and print it to the console
    generator = ReportGenerator()
    report = generator.generate_report(results)
    generator.print_console_report(report)


asyncio.run(main())
```
## Validation Checks
### 1. Action Validation
Verifies that IAM actions exist in AWS services:
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",   // ✅ Valid
  "Resource": "*"
}
```
```json
{
  "Effect": "Allow",
  "Action": "s3:InvalidAction",   // ❌ Invalid - action doesn't exist
  "Resource": "*"
}
```
### 2. Condition Key Validation
Checks that condition keys are valid for the specified actions:
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "us-east-1"   // ✅ Valid global condition key
    }
  }
}
```
### 3. Resource ARN Validation
Ensures ARNs follow proper AWS format:
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*"   // ✅ Valid ARN
}
```
```json
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "not-a-valid-arn"   // ❌ Invalid ARN format
}
```
### 4. Security Best Practices
Identifies potential security risks:
- Overly permissive wildcard usage (`*` for both Action and Resource)
- Sensitive actions without conditions
- Administrative permissions without restrictions
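The ARN-format and security best-practice checks from this section, together with the `iam:PassRole` condition requirement shown in the configuration example earlier, as an added example (not the project's own checks). The regexes, `REQUIRED_CONDITIONS` and the sample policy are constructed for illustration.

```python
"""Statement-level checks: ARN format, wildcard scope and required conditions.

Added example, not the project's code. It covers the ARN validation and
security best-practice checks described above, plus the iam:PassRole
condition requirement shown in the README's configuration example.
"""
import re

PARTITIONS = {"aws", "aws-cn", "aws-us-gov"}
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d|\*")
ACCOUNT_RE = re.compile(r"\d{12}|aws|\*")
# Constructed requirement table (lower-cased): action -> condition key it must carry.
REQUIRED_CONDITIONS = {"iam:passrole": "iam:passedtoservice"}


def _as_list(value):
    """IAM allows scalars or lists for most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_arn(arn: str) -> list[str]:
    """Return the problems found in an ARN (empty when it is well-formed).

    Format: arn:partition:service:region:account-id:resource. Region and
    account may be empty (S3 bucket ARNs), and the resource part may itself
    contain colons, so the string is split at most five times.
    """
    if arn == "*":
        return []
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return [f"'{arn}' is not of the form arn:partition:service:region:account:resource"]
    _, partition, service, region, account, resource = parts
    issues = []
    if partition not in PARTITIONS:
        issues.append(f"unknown partition '{partition}'")
    if not re.fullmatch(r"[a-z0-9-]+", service):
        issues.append(f"invalid service '{service}'")
    if region and not REGION_RE.fullmatch(region):
        issues.append(f"invalid region '{region}'")
    if account and not ACCOUNT_RE.fullmatch(account):
        issues.append(f"invalid account id '{account}'")
    if not resource:
        issues.append("empty resource part")
    return issues


def _condition_keys(stmt: dict) -> set[str]:
    """Collect every condition key used in the statement, lower-cased."""
    keys = set()
    for operator_block in stmt.get("Condition", {}).values():
        keys.update(k.lower() for k in operator_block)
    return keys


def check_statement(index: int, stmt: dict) -> list[dict]:
    """Run the three checks on one statement and return its findings."""
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    findings = []

    def add(check, severity, message):
        findings.append({"statement": index, "check": check,
                         "severity": severity, "message": message})

    for resource in resources:
        for issue in validate_arn(resource):
            add("invalid_arn", "ERROR", issue)
    if stmt.get("Effect") != "Allow":
        return findings  # scope and condition checks only matter for grants
    if "*" in actions and "*" in resources:
        add("overly_permissive", "CRITICAL", "allows all actions on all resources")
    elif "*" in resources:
        add("overly_permissive", "MEDIUM", "applies to all resources (*)")
    keys = _condition_keys(stmt)
    for action in actions:
        needed = REQUIRED_CONDITIONS.get(action.lower())
        if needed and needed not in keys:
            add("missing_condition", "CRITICAL",
                f"{action} is allowed without the '{needed}' condition key")
    return findings


def check_policy(policy: dict) -> list[dict]:
    """Run check_statement over every statement of a policy document."""
    return [f for i, s in enumerate(_as_list(policy.get("Statement")))
            for f in check_statement(i, s)]


# Constructed policy exercising each check; statement 3 is clean.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/AppRole"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "not-a-valid-arn"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/AppRole",
         "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    ],
}
```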
## GitHub Integration Features
### Smart PR Comment Management
The validator intelligently manages PR comments to keep your PRs clean:
**Comment Lifecycle:**
1. **Old Comments Cleanup**: Automatically removes outdated bot comments from previous runs
2. **Summary Comment**: Updates existing summary (no duplicates)
3. **Review Comments**: Posts line-specific issues
4. **Streaming Mode**: Progressive comments appear as files are validated
**Behavior:**
- ✅ **No Duplicates**: Summary comments are updated, not duplicated
- ✅ **Clean PR**: Old review comments automatically deleted before new validation
- ✅ **Identifiable**: All bot comments tagged with `🤖 IAM Policy Validator`
- ✅ **Progressive**: In streaming mode, comments appear file-by-file
**Example:**
```
Run 1: Finds 5 issues → Posts 5 review comments + 1 summary
Run 2: Finds 3 issues → Deletes old 5 comments → Posts 3 new comments + updates summary
Result: PR always shows current state, no stale comments
```
## Example Output
### Console Output
```
╭─────────────────── Validation Summary ───────────────────╮
│ Total Policies: 3 │
│ Valid: 2 Invalid: 1 │
│ Total Issues: 5 │
╰──────────────────────────────────────────────────────────╯
❌ policies/invalid_policy.json
ERROR invalid_action Statement 0: Action 's3:InvalidAction' not found
WARNING overly_permissive Statement 1: Statement allows all actions (*)
ERROR security_risk Statement 1: Statement allows all actions on all resources
```
### GitHub PR Comment
```markdown
## ❌ IAM Policy Validation Failed
### Summary
| Metric | Count |
| ---------------- | ----- |
| Total Policies | 3 |
| Valid Policies | 2 ✅ |
| Invalid Policies | 1 ❌ |
| Total Issues | 5 |
### Detailed Findings
#### `policies/invalid_policy.json`
**Errors:**
- **Statement 0**: Action 's3:InvalidAction' not found in service 's3'
- Action: `s3:InvalidAction`
**Warnings:**
- **Statement 1**: Statement allows all actions on all resources - CRITICAL SECURITY RISK
- 💡 Suggestion: This grants full administrative access. Restrict to specific actions and resources.
```
## 📚 Documentation
**[📖 Complete Documentation →](DOCS.md)**
The comprehensive [DOCS.md](DOCS.md) file contains everything you need:
- Installation & Quick Start
- GitHub Actions Integration
- CLI Reference & Examples
- Custom Policy Checks (CheckAccessNotGranted, CheckNoNewAccess, CheckNoPublicAccess)
- Configuration Guide
- Creating Custom Validation Rules
- Performance Optimization
- Troubleshooting
**Additional Resources:**
- **[Examples Directory](examples/)** - Real-world examples:
  - [GitHub Actions Workflows](examples/github-actions/)
  - [Custom Checks](examples/custom_checks/)
  - [Configuration Files](examples/configs/)
  - [Test IAM Policies](examples/iam-test-policies/)
- **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation
- **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines
- **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process
## 🤝 Contributing
Contributions are welcome! We appreciate your help in making this project better.
### How to Contribute
1. **Read the [Contributing Guide](CONTRIBUTING.md)** - Comprehensive guide for contributors
2. **Check [existing issues](https://github.com/boogy/iam-policy-validator/issues)** - Find something to work on
3. **Fork the repository** - Create your own copy
4. **Make your changes** - Follow our code quality standards
5. **Submit a Pull Request** - We'll review and merge
### Development Setup
```bash
# Clone your fork
git clone https://github.com/YOUR-USERNAME/iam-policy-validator.git
cd iam-policy-validator

# Install dependencies
uv sync --extra dev

# Run tests
uv run pytest

# Run linting
uv run ruff check .
```
See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed instructions.
## 📄 License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
## 🆘 Support
- **Documentation**: Check the [docs/](docs/) directory
- **Issues**: Report bugs or request features via [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)
- **Questions**: Ask questions in [GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)
pull-requests: write\n\n steps:\n - name: Checkout code\n uses: actions/checkout@v5\n\n - name: Validate with Custom Config\n uses: boogy/iam-policy-validator@v1\n with:\n path: policies/\n config-file: .iam-validator.yaml\n post-comment: true\n create-review: true\n fail-on-warnings: true\n```\n\n**Example `.iam-validator.yaml`:**\n```yaml\nsettings:\n fail_fast: false\n enable_builtin_checks: true\n\n# Custom check configurations\nsecurity_best_practices_check:\n enabled: true\n wildcard_action_check:\n enabled: true\n severity: high\n\naction_condition_enforcement_check:\n enabled: true\n severity: critical\n action_condition_requirements:\n - actions:\n - \"iam:PassRole\"\n severity: critical\n required_conditions:\n - condition_key: \"iam:PassedToService\"\n```\n\nSee [default-config.yaml](default-config.yaml) for a complete configuration example.\n\n### GitHub Action Inputs\n\n#### Core Options\n| Input | Description | Required | Default |\n| ------------------ | ----------------------------------------------------------- | -------- | ------- |\n| `path` | Path(s) to IAM policy file or directory (newline-separated) | Yes | - |\n| `config-file` | Path to custom configuration file (.yaml) | No | `\"\"` |\n| `fail-on-warnings` | Fail validation if warnings are found | No | `false` |\n| `recursive` | Recursively search directories for policy files | No | `true` |\n\n#### GitHub Integration\n| Input | Description | Required | Default |\n| --------------- | ------------------------------------------ | -------- | ------- |\n| `post-comment` | Post validation results as PR comment | No | `true` |\n| `create-review` | Create line-specific review comments on PR | No | `true` |\n\n#### Output Options\n| Input | Description | Required | Default |\n| ------------- | -------------------------------------------------------------------------------- | -------- | --------- |\n| `format` | Output format: `console`, `enhanced`, `json`, `markdown`, `sarif`, `csv`, `html` | No | 
`console` |\n| `output-file` | Path to save output file (for non-console formats) | No | `\"\"` |\n\n#### AWS Access Analyzer\n| Input | Description | Required | Default |\n| ------------------------ | --------------------------------------------------------------------------- | -------- | ----------------- |\n| `use-access-analyzer` | Use AWS IAM Access Analyzer for validation | No | `false` |\n| `access-analyzer-region` | AWS region for Access Analyzer | No | `us-east-1` |\n| `policy-type` | Policy type: `IDENTITY_POLICY`, `RESOURCE_POLICY`, `SERVICE_CONTROL_POLICY` | No | `IDENTITY_POLICY` |\n| `run-all-checks` | Run custom checks after Access Analyzer (sequential mode) | No | `false` |\n\n#### Custom Policy Checks (Access Analyzer)\n| Input | Description | Required | Default |\n| ----------------------------- | --------------------------------------------------------------------------- | -------- | ----------------- |\n| `check-access-not-granted` | Actions that should NOT be granted (space-separated, max 100) | No | `\"\"` |\n| `check-access-resources` | Resources to check with check-access-not-granted (space-separated, max 100) | No | `\"\"` |\n| `check-no-new-access` | Path to baseline policy to compare against (detect new permissions) | No | `\"\"` |\n| `check-no-public-access` | Check that resource policies do not allow public access | No | `false` |\n| `public-access-resource-type` | Resource type(s) for public access check (29+ types supported, or `all`) | No | `AWS::S3::Bucket` |\n\n#### Advanced Options\n| Input | Description | Required | Default |\n| ------------------- | -------------------------------------------------------------- | -------- | --------- |\n| `custom-checks-dir` | Path to directory containing custom validation checks | No | `\"\"` |\n| `log-level` | Logging level: `debug`, `info`, `warning`, `error`, `critical` | No | `warning` |\n\n**\ud83d\udca1 Pro Tips:**\n- Use `custom-checks-dir` to add organization-specific validation 
rules\n- Set `log-level: debug` when troubleshooting workflow issues\n- Configure `aws-services-dir` in your config file for offline validation\n- The action automatically filters IAM policies from mixed JSON/YAML files\n\nSee [examples/github-actions/](examples/github-actions/) for 8 ready-to-use workflow examples.\n\n### As a CLI Tool\n\nInstall and use locally for development:\n\n```bash\n# Install from PyPI\npip install iam-policy-validator\n\n# Or install with pipx (recommended for CLI tools)\npipx install iam-policy-validator\n\n# Validate a single policy\niam-validator validate --path policy.json\n\n# Validate all policies in a directory\niam-validator validate --path ./policies/\n\n# Validate multiple paths\niam-validator validate --path policy1.json --path ./policies/ --path ./more-policies/\n\n# Generate JSON output\niam-validator validate --path ./policies/ --format json --output report.json\n\n# Validate with AWS IAM Access Analyzer\niam-validator analyze --path policy.json\n\n# Analyze with specific region and profile\niam-validator analyze --path policy.json --region us-west-2 --profile my-profile\n\n# Sequential validation: Access Analyzer \u2192 Custom Checks\niam-validator analyze \\\n --path policy.json \\\n --github-comment \\\n --run-all-checks \\\n --github-review\n```\n\n### Custom Policy Checks\n\nAWS IAM Access Analyzer provides specialized checks to validate policies against specific security requirements:\n\n#### 1. 
CheckAccessNotGranted - Prevent Dangerous Actions\n\nVerify that policies do NOT grant specific actions (max 100 actions, 100 resources per check):\n\n```bash\n# Check that policies don't grant dangerous S3 actions\niam-validator analyze \\\n --path ./policies/ \\\n --check-access-not-granted s3:DeleteBucket s3:DeleteObject\n\n# Scope to specific resources\niam-validator analyze \\\n --path ./policies/ \\\n --check-access-not-granted s3:PutObject \\\n --check-access-resources \"arn:aws:s3:::production-bucket/*\"\n\n# Prevent privilege escalation\niam-validator analyze \\\n --path ./policies/ \\\n --check-access-not-granted \\\n iam:CreateAccessKey \\\n iam:AttachUserPolicy \\\n iam:PutUserPolicy\n```\n\n**Supported:** IDENTITY_POLICY, RESOURCE_POLICY\n\n#### 2. CheckNoNewAccess - Validate Policy Updates\n\nEnsure policy changes don't grant new permissions:\n\n```bash\n# Compare updated policy against baseline\niam-validator analyze \\\n --path ./new-policy.json \\\n --check-no-new-access ./old-policy.json\n\n# In CI/CD - compare against main branch\ngit show main:policies/policy.json > baseline-policy.json\niam-validator analyze \\\n --path policies/policy.json \\\n --check-no-new-access baseline-policy.json\n```\n\n**Supported:** IDENTITY_POLICY, RESOURCE_POLICY\n\n#### 3. 
CheckNoPublicAccess - Prevent Public Exposure\n\nValidate that resource policies don't allow public access (29+ resource types):\n\n```bash\n# Check S3 bucket policies\niam-validator analyze \\\n  --path ./bucket-policy.json \\\n  --policy-type RESOURCE_POLICY \\\n  --check-no-public-access \\\n  --public-access-resource-type \"AWS::S3::Bucket\"\n\n# Check multiple resource types\niam-validator analyze \\\n  --path ./resource-policies/ \\\n  --policy-type RESOURCE_POLICY \\\n  --check-no-public-access \\\n  --public-access-resource-type \"AWS::S3::Bucket\" \"AWS::Lambda::Function\" \"AWS::SNS::Topic\"\n\n# Check ALL 29 resource types\niam-validator analyze \\\n  --path ./resource-policies/ \\\n  --policy-type RESOURCE_POLICY \\\n  --check-no-public-access \\\n  --public-access-resource-type all\n```\n\n**Supported Resource Types** (29 total, or use `all`):\n- **Storage**: S3 Bucket, S3 Access Point, S3 Express, S3 Glacier, S3 Outposts, S3 Tables, EFS\n- **Database**: DynamoDB Table/Stream, OpenSearch Domain\n- **Messaging**: Kinesis Stream, SNS Topic, SQS Queue\n- **Security**: KMS Key, Secrets Manager Secret, IAM Assume Role Policy\n- **Compute**: Lambda Function\n- **API**: API Gateway REST API\n- **DevOps**: CodeArtifact Domain, Backup Vault, CloudTrail\n\nSee [docs/custom-policy-checks.md](docs/custom-policy-checks.md) for complete documentation.\n\n### As a Python Package\n\nUse as a library in your Python applications:\n\n```python\nimport asyncio\nfrom iam_validator.core import PolicyLoader, validate_policies, ReportGenerator\n\n\nasync def main():\n    # Load policies\n    loader = PolicyLoader()\n    policies = loader.load_from_path(\"./policies\")\n\n    # Validate\n    results = await validate_policies(policies)\n\n    # Generate report\n    generator = ReportGenerator()\n    report = generator.generate_report(results)\n    generator.print_console_report(report)\n\n\nasyncio.run(main())\n```\n\n## Validation Checks\n\n### 1. 
Action Validation\n\nVerifies that IAM actions exist in AWS services:\n\n```json\n{\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\", // \u2705 Valid\n \"Resource\": \"*\"\n}\n```\n\n```json\n{\n \"Effect\": \"Allow\",\n \"Action\": \"s3:InvalidAction\", // \u274c Invalid - action doesn't exist\n \"Resource\": \"*\"\n}\n```\n\n### 2. Condition Key Validation\n\nChecks that condition keys are valid for the specified actions:\n\n```json\n{\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"*\",\n \"Condition\": {\n \"StringEquals\": {\n \"aws:RequestedRegion\": \"us-east-1\" // \u2705 Valid global condition key\n }\n }\n}\n```\n\n### 3. Resource ARN Validation\n\nEnsures ARNs follow proper AWS format:\n\n```json\n{\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::my-bucket/*\" // \u2705 Valid ARN\n}\n```\n\n```json\n{\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"not-a-valid-arn\" // \u274c Invalid ARN format\n}\n```\n\n### 4. Security Best Practices\n\nIdentifies potential security risks:\n\n- Overly permissive wildcard usage (`*` for both Action and Resource)\n- Sensitive actions without conditions\n- Administrative permissions without restrictions\n\n## GitHub Integration Features\n\n### Smart PR Comment Management\n\nThe validator intelligently manages PR comments to keep your PRs clean:\n\n**Comment Lifecycle:**\n1. **Old Comments Cleanup**: Automatically removes outdated bot comments from previous runs\n2. **Summary Comment**: Updates existing summary (no duplicates)\n3. **Review Comments**: Posts line-specific issues\n4. 
**Streaming Mode**: Progressive comments appear as files are validated\n\n**Behavior:**\n- \u2705 **No Duplicates**: Summary comments are updated, not duplicated\n- \u2705 **Clean PR**: Old review comments automatically deleted before new validation\n- \u2705 **Identifiable**: All bot comments tagged with `\ud83e\udd16 IAM Policy Validator`\n- \u2705 **Progressive**: In streaming mode, comments appear file-by-file\n\n**Example:**\n```\nRun 1: Finds 5 issues \u2192 Posts 5 review comments + 1 summary\nRun 2: Finds 3 issues \u2192 Deletes old 5 comments \u2192 Posts 3 new comments + updates summary\nResult: PR always shows current state, no stale comments\n```\n\n## Example Output\n\n### Console Output\n\n```\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Validation Summary \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Total Policies: 3 \u2502\n\u2502 Valid: 2 Invalid: 1 \u2502\n\u2502 Total Issues: 5 \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n\n\u274c policies/invalid_policy.json\n ERROR invalid_action Statement 0: Action 's3:InvalidAction' not found\n WARNING overly_permissive Statement 1: Statement allows all actions (*)\n ERROR security_risk Statement 1: Statement allows all actions on all resources\n```\n\n### GitHub PR Comment\n\n```markdown\n## \u274c IAM Policy Validation Failed\n\n### Summary\n| Metric | Count |\n| ---------------- | ----- |\n| Total Policies | 3 |\n| Valid Policies | 2 \u2705 |\n| Invalid Policies | 1 \u274c |\n| Total Issues | 5 |\n\n### Detailed Findings\n\n#### 
`policies/invalid_policy.json`\n\n**Errors:**\n- **Statement 0**: Action 's3:InvalidAction' not found in service 's3'\n - Action: `s3:InvalidAction`\n\n**Warnings:**\n- **Statement 1**: Statement allows all actions on all resources - CRITICAL SECURITY RISK\n - \ud83d\udca1 Suggestion: This grants full administrative access. Restrict to specific actions and resources.\n```\n\n## \ud83d\udcda Documentation\n\n**[\ud83d\udcd6 Complete Documentation \u2192](DOCS.md)**\n\nThe comprehensive [DOCS.md](DOCS.md) file contains everything you need:\n- Installation & Quick Start\n- GitHub Actions Integration\n- CLI Reference & Examples\n- Custom Policy Checks (CheckAccessNotGranted, CheckNoNewAccess, CheckNoPublicAccess)\n- Configuration Guide\n- Creating Custom Validation Rules\n- Performance Optimization\n- Troubleshooting\n\n**Additional Resources:**\n- **[Examples Directory](examples/)** - Real-world examples:\n - [GitHub Actions Workflows](examples/github-actions/)\n - [Custom Checks](examples/custom_checks/)\n - [Configuration Files](examples/configs/)\n - [Test IAM Policies](examples/iam-test-policies/)\n- **[AWS Services Backup Guide](docs/aws-services-backup.md)** - Offline validation\n- **[Contributing Guide](CONTRIBUTING.md)** - Contribution guidelines\n- **[Publishing Guide](docs/development/PUBLISHING.md)** - Release process\n\n## \ud83e\udd1d Contributing\n\nContributions are welcome! We appreciate your help in making this project better.\n\n### How to Contribute\n\n1. **Read the [Contributing Guide](CONTRIBUTING.md)** - Comprehensive guide for contributors\n2. **Check [existing issues](https://github.com/boogy/iam-policy-validator/issues)** - Find something to work on\n3. **Fork the repository** - Create your own copy\n4. **Make your changes** - Follow our code quality standards\n5. 
**Submit a Pull Request** - We'll review and merge\n\n### Development Setup\n\n```bash\n# Clone your fork\ngit clone https://github.com/YOUR-USERNAME/iam-policy-validator.git\ncd iam-policy-validator\n\n# Install dependencies\nuv sync --extra dev\n\n# Run tests\nuv run pytest\n\n# Run linting\nuv run ruff check .\n```\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for detailed instructions.\n\n## \ud83d\udcc4 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## \ud83c\udd98 Support\n\n- **Documentation**: Check the [docs/](docs/) directory\n- **Issues**: Report bugs or request features via [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)\n- **Questions**: Ask questions in [GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Validate AWS IAM policies for correctness and security using AWS Service Reference API",
"version": "1.3.0",
"project_urls": {
"Changelog": "https://github.com/boogy/iam-policy-validator/blob/main/docs/CHANGELOG.md",
"Documentation": "https://github.com/boogy/iam-policy-validator/tree/main/docs",
"Homepage": "https://github.com/boogy/iam-policy-validator",
"Issues": "https://github.com/boogy/iam-policy-validator/issues",
"Repository": "https://github.com/boogy/iam-policy-validator"
},
"split_keywords": [
"aws",
" github-action",
" iam",
" policy",
" security",
" validation"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "5e5999cbd05b13984ee4352f780df69e970107c4d9f936f9edee5f5ca04eb9b3",
"md5": "110f2d5d449185d9d7c2a910e08e7836",
"sha256": "00fae217b9c2ad5ac7404800b7e7e4637630415f8fff4f10db56e2e81ac78a86"
},
"downloads": -1,
"filename": "iam_policy_validator-1.3.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "110f2d5d449185d9d7c2a910e08e7836",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 137899,
"upload_time": "2025-10-30T00:50:09",
"upload_time_iso_8601": "2025-10-30T00:50:09.021318Z",
"url": "https://files.pythonhosted.org/packages/5e/59/99cbd05b13984ee4352f780df69e970107c4d9f936f9edee5f5ca04eb9b3/iam_policy_validator-1.3.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "a8cb7249cba35817599a23874f59b4fee76fc8df6563c7ab4d231f974c9c61e3",
"md5": "d6c1b537a0b24712aa8ae02a5a3d1f9d",
"sha256": "b67c37973ee6d3cffed66901331a5a3792f2d9cd44b6af8c8790e84b06caaf40"
},
"downloads": -1,
"filename": "iam_policy_validator-1.3.0.tar.gz",
"has_sig": false,
"md5_digest": "d6c1b537a0b24712aa8ae02a5a3d1f9d",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 609203,
"upload_time": "2025-10-30T00:50:10",
"upload_time_iso_8601": "2025-10-30T00:50:10.627052Z",
"url": "https://files.pythonhosted.org/packages/a8/cb/7249cba35817599a23874f59b4fee76fc8df6563c7ab4d231f974c9c61e3/iam_policy_validator-1.3.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-30 00:50:10",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "boogy",
"github_project": "iam-policy-validator",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"lcname": "iam-policy-validator"
}
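The README above lists four Validation Checks (action exists, condition key is valid, ARN is well formed, security best practices such as `*`/`*` and the `iam:PassRole` rule from the `.iam-validator.yaml` example) and describes CheckNoNewAccess as a diff of permissions against a baseline after wildcard expansion. The following is an added example, not code from the iam-policy-validator project: it re-implements those checks offline so the logic can be read in one place. `KNOWN_ACTIONS`, `KNOWN_CONDITION_KEYS`, `REQUIRED_CONDITIONS`, the simplified ARN regex and the sample policies are constructed stand-ins for the AWS service reference data and the project's config file; the real tool delegates CheckNoNewAccess to Access Analyzer and this version ignores `NotAction`/`NotResource`.

```python
"""Added example, not the iam-policy-validator code base: an offline re-implementation of
the README's four Validation Checks plus a CheckNoNewAccess-style baseline diff. The
catalogue, condition-key list, rule config and sample policies are constructed stand-ins."""
import re

# Constructed stand-in for the AWS service reference (service -> known actions).
KNOWN_ACTIONS = {
    "s3": {"GetObject", "PutObject", "ListBucket", "DeleteBucket"},
    "iam": {"PassRole", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy"},
}
# Constructed subset of valid condition keys, lower-cased (IAM keys are case-insensitive).
KNOWN_CONDITION_KEYS = {"aws:requestedregion", "aws:sourceip", "iam:passedtoservice", "s3:prefix"}
# Mirrors the README's action_condition_enforcement_check entry for iam:PassRole.
REQUIRED_CONDITIONS = {"iam:PassRole": ["iam:PassedToService"]}
# Privilege-escalation trio from the README's CheckAccessNotGranted example.
ESCALATION_ACTIONS = {"iam:CreateAccessKey", "iam:AttachUserPolicy", "iam:PutUserPolicy"}
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*?]+)$")
# Simplified ARN grammar arn:partition:service:region:account:resource (region/account may be empty).
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])


def expand_action(pattern):
    """Expand an action pattern (s3:Get*, iam:*, *) to the catalogue actions it covers."""
    if pattern == "*":
        return {f"{svc}:{a}" for svc, acts in KNOWN_ACTIONS.items() for a in acts}
    m = ACTION_RE.match(pattern)
    if not m:
        return set()
    svc, glob = m.groups()
    rx = re.compile("^" + re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".") + "$", re.I)
    return {f"{svc}:{a}" for a in KNOWN_ACTIONS.get(svc, ()) if rx.match(a)}


def validate_policy(policy):
    """Return (statement_index, severity, check_id, message) tuples for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        cond_keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        for a in actions:  # 1. Action validation: the action must exist in the catalogue
            if a != "*" and not expand_action(a):
                findings.append((i, "error", "invalid_action", f"Action '{a}' not found"))
        for k in sorted(cond_keys):  # 2. Condition key validation
            if k not in KNOWN_CONDITION_KEYS:
                findings.append((i, "error", "invalid_condition_key", f"Unknown condition key '{k}'"))
        for r in resources:  # 3. Resource ARN validation
            if r != "*" and not ARN_RE.match(r):
                findings.append((i, "error", "invalid_arn", f"Invalid ARN format: '{r}'"))
        if stmt.get("Effect") != "Allow":  # 4. Security best practices apply to grants only
            continue
        if "*" in actions:
            findings.append((i, "warning", "overly_permissive", "Statement allows all actions (*)"))
            if "*" in resources:
                findings.append((i, "error", "security_risk", "Statement allows all actions on all resources"))
        granted = set().union(*(expand_action(a) for a in actions))
        for action, keys in REQUIRED_CONDITIONS.items():
            missing = [k for k in keys if k.lower() not in cond_keys]
            if action in granted and missing:
                findings.append((i, "error", "missing_condition", f"{action} granted without {missing}"))
        combo = sorted(granted & ESCALATION_ACTIONS)
        if len(combo) > 1:
            findings.append((i, "warning", "privilege_escalation", f"Grants escalation combination {combo}"))
    return findings


def allowed_pairs(policy):
    """(action, resource) pairs a policy grants after wildcard expansion, minus pairs an
    explicit Deny names on the same action and resource (NotAction/NotResource not modelled)."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allow if stmt.get("Effect") == "Allow" else deny
        for pattern in _as_list(stmt.get("Action")):
            for action in expand_action(pattern):
                target.update((action, r) for r in _as_list(stmt.get("Resource")))
    return allow - deny


def new_access(baseline, candidate):
    """CheckNoNewAccess-style diff: pairs the candidate grants that the baseline did not."""
    return sorted(allowed_pairs(candidate) - allowed_pairs(baseline))


# Constructed sample input (not the project's test policies).
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:InvalidAction", "Resource": "*"},
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "not-a-valid-arn"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/app",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:AttachUserPolicy"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringLike": {"s3:NoSuchKey": "x"}}},
]}
BASELINE = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::my-bucket/*"}]}
CANDIDATE = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:PutObject"], "Resource": "arn:aws:s3:::my-bucket/*"}]}

if __name__ == "__main__":
    for finding in validate_policy(BAD_POLICY):
        print("Statement %d: %-7s %-22s %s" % finding)
    print("New access vs baseline:", new_access(BASELINE, CANDIDATE))
```

Statement 3 of `BAD_POLICY` is the clean case: `iam:PassRole` with `iam:PassedToService` produces no finding, while statement 1 (`*`/`*`) trips the wildcard, missing-condition and escalation checks at once because `*` expands to every catalogued action. `new_access` reports only `s3:PutObject` as new because `s3:Get*` in the baseline already covered `s3:GetObject`; swap the arguments and the diff is empty.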
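The "Smart PR Comment Management" section above describes a comment lifecycle (delete the bot's stale review comments, post the current ones, update the summary instead of duplicating it) and shows it as "Run 1: 5 comments, Run 2: 3 comments". As an added example, not the project's GitHub client, this models that lifecycle against a constructed in-memory stand-in for the GitHub issue-comment and review-comment endpoints; `FakePullRequest` and its method names are assumptions made for the example, and the only identification mechanism is the `🤖 IAM Policy Validator` tag the README says every bot comment carries.

```python
"""Added example, not the project's code: the marker-based comment lifecycle the README
describes, run against a constructed in-memory stand-in for the GitHub API."""

MARKER = "🤖 IAM Policy Validator"  # tag the README says every bot comment carries


class FakePullRequest:
    """Constructed stand-in for the GitHub issue-comment and review-comment endpoints."""

    def __init__(self):
        self.summary_comments, self.review_comments, self._next_id = {}, {}, 1

    def _add(self, store, body, **extra):
        cid, self._next_id = self._next_id, self._next_id + 1
        store[cid] = {"body": body, **extra}
        return cid

    def create_summary(self, body):
        return self._add(self.summary_comments, body)

    def update_summary(self, cid, body):
        self.summary_comments[cid]["body"] = body

    def create_review_comment(self, path, line, body):
        return self._add(self.review_comments, body, path=path, line=line)

    def delete_review_comment(self, cid):
        del self.review_comments[cid]


def publish(pr, summary, findings):
    """findings: iterable of (path, line, message). Returns the id of the summary comment."""
    # 1. Old comments cleanup: remove only comments we tagged, never a human reviewer's.
    for cid, comment in list(pr.review_comments.items()):
        if comment["body"].startswith(MARKER):
            pr.delete_review_comment(cid)
    # 2. Review comments for the current run, each tagged so the next run can find it.
    for path, line, message in findings:
        pr.create_review_comment(path, line, f"{MARKER}\n{message}")
    # 3. Summary comment: update the existing tagged one, else create it (no duplicates).
    body = f"{MARKER}\n{summary}"
    existing = [cid for cid, c in pr.summary_comments.items() if c["body"].startswith(MARKER)]
    if existing:
        pr.update_summary(existing[0], body)
        return existing[0]
    return pr.create_summary(body)
```

Matching on a fixed marker at the start of the body is what keeps the cleanup safe: a reviewer's own comments never start with the tag, so they survive every run, and the summary keeps its original comment id across runs.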