Validation Checks¶
IAM Policy Validator includes 21 built-in checks across three categories.
Check Categories¶
- AWS Validation (10): Ensure policies comply with AWS IAM rules
- Security Checks (8): Detect security risks and best practice violations
- Advanced Checks (3): Condition enforcement, trust policy, and policy type validation
Quick Reference¶
AWS Validation Checks¶
| Check ID | Severity | Description |
|---|---|---|
| action_validation | error | Actions exist in AWS |
| condition_key_validation | error | Condition keys are valid |
| condition_type_mismatch | error | Operator-value type match and format validation |
| resource_validation | error | Resource ARN format |
| policy_structure | error | Required fields, valid values, version check |
| policy_size | error | Character size limits (including SCP) |
| sid_uniqueness | warning | Unique SIDs |
| set_operator_validation | error | ForAllValues/ForAnyValue usage |
| ifexists_condition_usage | warning | IfExists condition validation |
| not_principal_validation | warning | NotPrincipal usage patterns |
Security Checks¶
| Check ID | Severity | Description |
|---|---|---|
| wildcard_action | medium | Action: "*" detection |
| wildcard_resource | medium | Resource: "*" detection |
| full_wildcard | critical | Both Action and Resource wildcards |
| service_wildcard | high | s3:* style wildcards |
| sensitive_action | medium | Privilege escalation actions |
| not_action_not_resource | high | Dangerous NotAction/NotResource patterns |
| principal_validation | high | Principal format validation |
| mfa_condition_antipattern | warning | MFA anti-patterns |
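To make concrete what the wildcard-related security checks in the table above look for, here is a simplified, stand-alone re-implementation of wildcard_action, wildcard_resource, full_wildcard, service_wildcard and not_action_not_resource run over a constructed sample policy. This is example code written for this page, not the validator's own implementation: the exact rules (only Allow statements are reported, full_wildcard supersedes the two single-wildcard findings, any Allow with NotAction/NotResource is flagged) and the severity ordering are assumptions noted in the comments.

```python
"""Simplified wildcard security checks over an IAM policy document (example code)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Ordering used to report the worst finding. Assumed; it mirrors the Severity Levels table.
SEVERITY_RANK = {"info": 0, "low": 1, "warning": 2, "medium": 3,
                 "high": 4, "error": 5, "critical": 6}


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    sid: str
    message: str


def _as_list(value: Any) -> List[Any]:
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_statement(stmt: Dict[str, Any], index: int) -> List[Finding]:
    findings: List[Finding] = []
    sid = stmt.get("Sid") or f"Statement[{index}]"
    # Only Allow statements grant permissions; a wildcard inside a Deny only
    # narrows access, so these checks skip it (assumed behaviour).
    if stmt.get("Effect") != "Allow":
        return findings

    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    full_action = "*" in actions
    full_resource = "*" in resources

    if full_action and full_resource:
        # The combined case supersedes the two single-wildcard findings (assumption).
        findings.append(Finding("full_wildcard", "critical", sid,
                                'Action "*" with Resource "*" grants full administrative access'))
    else:
        if full_action:
            findings.append(Finding("wildcard_action", "medium", sid,
                                    'Action "*" allows every API call'))
        if full_resource:
            findings.append(Finding("wildcard_resource", "medium", sid,
                                    'Resource "*" applies to every resource'))

    for action in actions:
        # "s3:*" style: every action of one service. A bare "*" is handled above.
        if action != "*" and action.endswith(":*"):
            service = action.split(":")[0]
            findings.append(Finding("service_wildcard", "high", sid,
                                    f"{action} grants every {service} action"))

    # Allow + NotAction grants every action except the listed ones; Allow +
    # NotResource grants access to every resource except the listed ones.
    for key in ("NotAction", "NotResource"):
        if key in stmt:
            findings.append(Finding("not_action_not_resource", "high", sid,
                                    f"Allow with {key} grants access to everything not listed"))
    return findings


def validate(policy: Dict[str, Any]) -> List[Finding]:
    return [f for i, stmt in enumerate(_as_list(policy.get("Statement")))
            for f in check_statement(stmt, i)]


def worst_severity(findings: List[Finding]) -> Optional[str]:
    if not findings:
        return None
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)


# Constructed sample policy that exercises each check; not a real policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Admin", "Effect": "Allow", "Action": ["s3:*", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ReadAll", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "*", "Resource": "*"},
        {"Sid": "AlmostEverything", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for f in validate(SAMPLE_POLICY):
        print(f"[{f.severity}] {f.check_id} ({f.sid}): {f.message}")
```

Running the block reports AdminEverything once as full_wildcard (not additionally as wildcard_action and wildcard_resource), S3Admin as service_wildcard, ReadAll as wildcard_resource, nothing for the Deny statement, and two findings for AlmostEverything, whose NotAction on Resource "*" is the pattern the not_action_not_resource check exists for.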
Advanced Checks¶
| Check ID | Severity | Description |
|---|---|---|
| action_condition_enforcement | error | Required conditions |
| action_resource_matching | medium | Action-resource compatibility |
| trust_policy_validation | high | Trust policy structure and confused deputy protection |
Severity Levels¶
| Level | Meaning | Default Action |
|---|---|---|
| critical | Severe security risk | Block deployment |
| high | Security concern | Fix before merge |
| medium | Best practice violation | Address soon |
| low | Minor improvement | Optional |
| error | AWS will reject policy | Must fix |
| warning | Potential issue | Review |
| info | Informational | Optional |
Configuring Checks¶
Disable a Check¶
```yaml
policy_size:
  enabled: false
```
Change Severity¶
```yaml
wildcard_action:
  severity: critical
```
Custom Messages¶
```yaml
full_wildcard:
  message: "Full wildcard violates SEC-001"
  suggestion: "Contact security team for approved patterns"
```
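The three overrides above (disable, change severity, custom message and suggestion) are easiest to understand by seeing them applied to findings. The block below is example code written for this page, not the validator's own configuration loader: it assumes the three snippets are entries of one mapping keyed by check ID, uses a minimal Finding shape, and takes the set of known check IDs and severity levels from the tables on this page. It also rejects unknown check IDs, unknown keys and invalid severities, since a misspelt check ID or key would otherwise silently leave a check running that you meant to disable.

```python
"""Applying per-check configuration overrides to findings (example code)."""
from dataclasses import dataclass, replace
from typing import Any, Dict, List

# Severity levels and check IDs as listed on this page.
SEVERITY_LEVELS = {"critical", "high", "medium", "low", "error", "warning", "info"}
KNOWN_CHECKS = {
    "action_validation", "condition_key_validation", "condition_type_mismatch",
    "resource_validation", "policy_structure", "policy_size", "sid_uniqueness",
    "set_operator_validation", "ifexists_condition_usage", "not_principal_validation",
    "wildcard_action", "wildcard_resource", "full_wildcard", "service_wildcard",
    "sensitive_action", "not_action_not_resource", "principal_validation",
    "mfa_condition_antipattern", "action_condition_enforcement",
    "action_resource_matching", "trust_policy_validation",
}
# The per-check keys shown in the configuration snippets above.
OVERRIDE_KEYS = {"enabled", "severity", "message", "suggestion"}


@dataclass(frozen=True)
class Finding:
    check_id: str
    severity: str
    message: str
    suggestion: str = ""


# Constructed: the parsed form of the three YAML snippets above, merged into one
# mapping keyed by check ID (assumed layout).
CONFIG: Dict[str, Dict[str, Any]] = {
    "policy_size": {"enabled": False},
    "wildcard_action": {"severity": "critical"},
    "full_wildcard": {"message": "Full wildcard violates SEC-001",
                      "suggestion": "Contact security team for approved patterns"},
}


def config_errors(config: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of problems with the override mapping (empty if it is valid)."""
    errors: List[str] = []
    for check_id, overrides in config.items():
        if check_id not in KNOWN_CHECKS:
            errors.append(f"unknown check id: {check_id}")
            continue
        for key, value in overrides.items():
            if key not in OVERRIDE_KEYS:
                errors.append(f"{check_id}: unknown key {key}")
            elif key == "severity" and value not in SEVERITY_LEVELS:
                errors.append(f"{check_id}: invalid severity {value}")
            elif key == "enabled" and not isinstance(value, bool):
                errors.append(f"{check_id}: enabled must be true or false")
    return errors


def apply_overrides(findings: List[Finding],
                    config: Dict[str, Dict[str, Any]]) -> List[Finding]:
    errors = config_errors(config)
    if errors:
        raise ValueError("; ".join(errors))
    result: List[Finding] = []
    for f in findings:
        o = config.get(f.check_id, {})
        if o.get("enabled", True) is False:
            continue  # disabled check: drop its findings entirely
        result.append(replace(
            f,
            severity=o.get("severity", f.severity),
            message=o.get("message", f.message),
            suggestion=o.get("suggestion", f.suggestion),
        ))
    return result


# Constructed findings, shaped like those the built-in checks might emit for one policy.
RAW_FINDINGS = [
    Finding("policy_size", "error", "Policy exceeds the character size limit"),
    Finding("wildcard_action", "medium", 'Action "*" allows every API call'),
    Finding("full_wildcard", "critical", 'Action "*" with Resource "*"',
            "Scope the statement to specific actions and resources"),
    Finding("service_wildcard", "high", "s3:* grants every S3 action"),
]

if __name__ == "__main__":
    for f in apply_overrides(RAW_FINDINGS, CONFIG):
        print(f"[{f.severity}] {f.check_id}: {f.message} ({f.suggestion or 'no suggestion'})")
```

With the configuration above, the policy_size finding disappears, wildcard_action is reported as critical instead of medium, full_wildcard keeps its critical severity but carries the custom message and suggestion, and service_wildcard is untouched. Note that raising the severity of wildcard_action does not change what the check detects; it only changes how the finding is reported.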