iam-policy-validator 1.7.1__py3-none-any.whl → 1.7.2__py3-none-any.whl

{iam_policy_validator-1.7.1.dist-info → iam_policy_validator-1.7.2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.7.1
+Version: 1.7.2
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -426,4 +426,3 @@ MIT License - see [LICENSE](LICENSE) file for details.
 ## 🆘 Support
 
 - **Issues**: [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)
-- **Discussions**: [GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)

{iam_policy_validator-1.7.1.dist-info → iam_policy_validator-1.7.2.dist-info}/RECORD

@@ -1,24 +1,24 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=hhtguX-fvQWNuUzOdKMFXPyDTbhXhMm7VQgXxQD2xCQ,206
+iam_validator/__version__.py,sha256=0niAY6KgsXeeyFV5nTmvfvem16X3OTrO_DItEqsW74A,361
 iam_validator/checks/__init__.py,sha256=eDiDlVon0CwWGSBnZgM-arn1i5R5ZSG89pgR-ifETxE,1782
-iam_validator/checks/action_condition_enforcement.py,sha256=n-F7NEmQm76Hs-Aj5qxgXney3MpkzbWElZUu1Ig73pw,36723
-iam_validator/checks/action_resource_matching.py,sha256=X9dqWy1s_-h1rA81wZRLOxAVLmUHlGVPjxMo0WKIlwM,17433
+iam_validator/checks/action_condition_enforcement.py,sha256=VhFEGbkcgkRwNRRuslvat5uib2tlH2Nr6sltbAQTs6I,36834
+iam_validator/checks/action_resource_matching.py,sha256=sk67jcDF1WzW4tPgcRSdTj4UBe2stALdwHx5ViVA9dU,19207
 iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
-iam_validator/checks/condition_key_validation.py,sha256=E-doe2QjvKSkyjXZO9TBp0QS7M0Fv2oYYQQ9738QNxg,3918
-iam_validator/checks/condition_type_mismatch.py,sha256=qAbP6pP_vM1aBvIBRHji56XLH_5cQI4cDhpMQe19CHM,10588
-iam_validator/checks/full_wildcard.py,sha256=0_F6h4goWlc3DuZwo1F9YGw5hvpnkfZxYSDxhXXK50I,2449
-iam_validator/checks/mfa_condition_check.py,sha256=s7K2r9hxlJI1KWk8qXl-JOWE6jLIhpxooK26Pr7acKs,4915
+iam_validator/checks/condition_key_validation.py,sha256=10XxTwIcr887CbgmN90jfRZabj5RHo08dGa8csM50Fo,3980
+iam_validator/checks/condition_type_mismatch.py,sha256=JyiAOyUZShzXZI8dgycL4oqwRkpJYUPwoGX4zigsi5I,10613
+iam_validator/checks/full_wildcard.py,sha256=ywD762BOV8WxFuTTARkaGMJn27f3ZZVuZUjKo8URnTc,2281
+iam_validator/checks/mfa_condition_check.py,sha256=YCBX3tFTQRmVTAed_W-Tu1b6WqD2LBYyom53P7lBjh4,4935
 iam_validator/checks/policy_size.py,sha256=ibgmrErpkz6OfUAN6bFuHe1KHzpzzra9gHwNtVAkPWc,5729
 iam_validator/checks/policy_type_validation.py,sha256=9qmrA8CXwsVpCU4rT0RrqDXgVOzNamMEpdg3cXWAtBI,15213
-iam_validator/checks/principal_validation.py,sha256=Bm4pH6eiJLDa9ID7UyM63phgffh-P5DpPpSBUbYyVn8,29851
+iam_validator/checks/principal_validation.py,sha256=gTv_TqJDspGEX3iJkHXrw3DyKMJeyE33uQakZ0PjNoo,29969
 iam_validator/checks/resource_validation.py,sha256=fGi9QuX-lIHDtLm8xB3VReFFhbZpQ2Yub-FKRafQCkw,5984
-iam_validator/checks/sensitive_action.py,sha256=mdl4g67HBioYTvAvar9CaTjxfaPvpYkNo9phL4E1c1w,9794
-iam_validator/checks/service_wildcard.py,sha256=CiQQoti06nqVgvH-HpBIjoW23tnTJqDU4S-ZnM1DwsA,4218
+iam_validator/checks/sensitive_action.py,sha256=0vuhF1UkAH_vxhfHsC8xk68aJXHvI7c9KTLcJFNlnHM,9652
+iam_validator/checks/service_wildcard.py,sha256=1ynXLG6_82SIH8aHP88qQojJf38ZH0agnSmHp0VkZ98,4010
 iam_validator/checks/set_operator_validation.py,sha256=1XjOdf-xk-m6m1bODuHsELZccriGqOJTDI-HCcuId80,7464
-iam_validator/checks/sid_uniqueness.py,sha256=1Ux9W1hPPhzgdCzfxwxvD-nSBRo1SyrxFWlnTXDcOys,6887
-iam_validator/checks/wildcard_action.py,sha256=XAVuk5L9dQqiWPgd3HJXGNmYr2bh2szJMVVcHSBXb_8,2140
-iam_validator/checks/wildcard_resource.py,sha256=IEpyoU4mA3t2kRxSwVavtROYIyF0Bq1xZJAL9P7XbVQ,5582
+iam_validator/checks/sid_uniqueness.py,sha256=yWNHyy002aIHxJKtHeYpYds7bKgreL0BvQmRkI2UwvQ,6891
+iam_validator/checks/wildcard_action.py,sha256=f1QZ68eHzQwCTeYY_9UiYaMxUaq7XYia6DaBjIspZ2A,1972
+iam_validator/checks/wildcard_resource.py,sha256=GNpbk7WDExHG6Yqu4_gxeRCK6NUEL8TFjgbvaHgg7V0,5414
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
 iam_validator/checks/utils/sensitive_action_matcher.py,sha256=tcWK4nImpSVNia0FUsN2uLK9LM5EnzjRFtaPQLHZaLw,10667
@@ -29,42 +29,42 @@ iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gz
 iam_validator/commands/cache.py,sha256=p4ucRVuh42sbK3Lk0b610L3ofAR5TnUreF00fpO6VFg,14219
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=Eik-w613zCnX7hUHziBq4k5la3e3qJ0CO1__7aw-gBk,23554
+iam_validator/commands/validate.py,sha256=2v91ogbEzKfjk2u6Y4NO0yvsCOwxi9jXoqD7acBbVTE,23624
 iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
 iam_validator/core/access_analyzer.py,sha256=8GgkR-vCkCtSxtXGywvQNBPYq-rvDLexUuLSyflq0V4,24520
 iam_validator/core/access_analyzer_report.py,sha256=O17gagknvkNMTTlq7BrLM68FjlCEm4LjIKD9oqxEbPg,24860
-iam_validator/core/aws_fetcher.py,sha256=cZFo5JMSoNLx1tpM6NzYr2cnq8Bvc2KQx2nJDmo69lc,36504
+iam_validator/core/aws_fetcher.py,sha256=obTzxHD9pMsWo-SojSOeWyw2s2_St-LNgbmh5BGEM9c,41215
 iam_validator/core/check_registry.py,sha256=cMjtJROkZOLzXxl-mTdLYHdxyajNnOsaHGs-EeaSZ7k,21741
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
-iam_validator/core/constants.py,sha256=oblMWsjoroIhwjYgZdcyLxaATsGeR99zQwRg6h59Nlo,3145
-iam_validator/core/models.py,sha256=59yqvHoX3nCSJyQDmWCuEsQzNz9PNiF7um7A1wti-2w,12176
-iam_validator/core/policy_checks.py,sha256=Uz2yCsqRaoIja31F4ZM-39a1pHv51yZqKyWWkGUZKNY,26489
-iam_validator/core/policy_loader.py,sha256=TR7SpzlRG3TwH4HBGEFUuhNOmxIR8Cud2SQ-AmHWBpM,14040
+iam_validator/core/constants.py,sha256=H3eH0yddn5Dk-xZxJWtuvluRIpuXKYGiiteBSHPpJoI,5560
+iam_validator/core/models.py,sha256=55BCSqqJiAN96SFwK3tiTy6fhu6YBL6avKo8VpCpy2A,12766
+iam_validator/core/policy_checks.py,sha256=3UMLl8SQ4oJLTU1kwscvh7c7gpT5QtjITk_bJCJ_rzs,26616
+iam_validator/core/policy_loader.py,sha256=HVEnaXhQwrb9WbXpu0tn8SJBvHNW9UgDO6w4zLjLsu0,16776
 iam_validator/core/pr_commenter.py,sha256=MU-t7SfdHUpSc6BDbh8_dNAbxDiG-bZBCry-jUXivAc,15066
-iam_validator/core/report.py,sha256=j6uWlFL6Xavl4BnpaQtQoxFOEgKEiuY0IYBq8I9DH5Q,34134
+iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
 iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
 iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
 iam_validator/core/config/condition_requirements.py,sha256=1PuADTB9pLqh-kNUGC7kSU6LMLtXMSc003tvI7qKeAY,5170
-iam_validator/core/config/config_loader.py,sha256=7YkuPnroR-Up5CUTQOXIyS_b732WrzNn8o1EH9O6lyI,17730
-iam_validator/core/config/defaults.py,sha256=w5ievxkqki3zYr7NaREoWtVx5rTfxBpZlgoNdovcILs,27112
+iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
+iam_validator/core/config/defaults.py,sha256=mCOr_YgiRQp6fThtxrcjMtm-LPdZQbd6AS16gLzV17c,27589
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
 iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
 iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
-iam_validator/core/formatters/console.py,sha256=lX4Yp4bTW61fxe0fCiHuO6bCZtC_6cjCwqDNQ55nT_8,1937
-iam_validator/core/formatters/csv.py,sha256=2FaN6Y_0TPMFOb3A3tNtj0-9bkEc5P-6eZ7eLROIqFE,5899
-iam_validator/core/formatters/enhanced.py,sha256=S0UgYKFOgILfOqwnBC8-WFab3F1CiEko33g0nbaswtk,17085
+iam_validator/core/formatters/console.py,sha256=FdTp7AzeILCWrUynSvSew8QJKGOMJaAA9_YiQJd-uco,2196
+iam_validator/core/formatters/csv.py,sha256=pPqgvGh4KtD5Qm36xnMaDAavXYR6MlQhs4zbcrxT550,5941
+iam_validator/core/formatters/enhanced.py,sha256=TVtkcTIow8NGoLhG45-5ms-_PTxyxMcAHxf_uPMyKAc,18155
 iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
 iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
-iam_validator/core/formatters/markdown.py,sha256=aPAY6FpZBHsVBDag3FAsB_X9CZzznFjX9dQr0ysDrTE,2251
+iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
 iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
 iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
-iam_validator/integrations/github_integration.py,sha256=QoPkaxdRDQTzmHN4cKEXoGcn8BRv37JW4IvD2W5jEtc,26474
+iam_validator/integrations/github_integration.py,sha256=EnrolMq3uZbKWPxUMhYnqcKAfic6Fb8qJzieDruKqsc,26485
 iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
 iam_validator/sdk/__init__.py,sha256=fRDSXAclGmCU3KDft4StL8JUcpAsdzwIRf8mVj461q0,5306
 iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
@@ -73,11 +73,12 @@ iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP
 iam_validator/sdk/helpers.py,sha256=OVBg4xrW95LT74wXCg1LQkba9kw5RfFqeCLuTqhgL-A,5697
 iam_validator/sdk/policy_utils.py,sha256=CZS1OGSdiWsd2lsCwg0BDcUNWa61tUwgvn-P5rKqeN8,12987
 iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
-iam_validator/utils/__init__.py,sha256=V8u-SSdnL4a7NwF-yg9x0JRl5epKAXEs2f5RiwK2qPo,856
+iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
-iam_policy_validator-1.7.1.dist-info/METADATA,sha256=WCjnDcJ38j-LRUz2EwdT2b2lX2IOTkW3xT1SLtCxiWY,15343
-iam_policy_validator-1.7.1.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.7.1.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.7.1.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.7.1.dist-info/RECORD,,
+iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
+iam_policy_validator-1.7.2.dist-info/METADATA,sha256=fwySi0xxZPeiRTXyYfmp8YZPNyphy8HylBzhSXkNNG0,15244
+iam_policy_validator-1.7.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.7.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.7.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.7.2.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.7.1"
-__version_info__ = tuple(int(part) for part in __version__.split("."))
+__version__ = "1.7.2"
+# Parse version, handling pre-release suffixes like -rc, -alpha, -beta
+_version_base = __version__.split("-")[0]  # Remove pre-release suffix if present
+__version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/action_condition_enforcement.py

@@ -349,7 +349,10 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         return issues
 
     async def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
+        self,
+        statement_actions: list[str],
+        requirement: dict[str, Any],
+        fetcher: AWSServiceFetcher,
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -766,6 +769,10 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             or self.get_severity(config)  # Global check severity
         )
 
+        suggestion_text, example_code = self._build_suggestion(
+            condition_key, description, example, expected_value, operator
+        )
+
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
@@ -774,9 +781,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
             action=", ".join(matching_actions),
             condition_key=condition_key,
-            suggestion=self._build_suggestion(
-                condition_key, description, example, expected_value, operator
-            ),
+            suggestion=suggestion_text,
+            example=example_code,
             line_number=statement.line_number,
         )
 
@@ -787,19 +793,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         example: str,
         expected_value: Any = None,
         operator: str = "StringEquals",
-    ) -> str:
-        """Build a helpful suggestion for adding the missing condition."""
-        parts = []
+    ) -> tuple[str, str]:
+        """Build suggestion and example for adding the missing condition.
 
-        if description:
-            parts.append(description)
+        Returns:
+            Tuple of (suggestion_text, example_code)
+        """
+        suggestion = description if description else f"Add condition: {condition_key}"
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n```json\n{example}\n```")
+            example_code = example
         else:
             # Auto-generate example
-            example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']
+            example_lines = [f'  "{operator}": {{']
 
             if isinstance(expected_value, list):
                 value_str = (
@@ -826,9 +833,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             example_lines.append(f'    "{condition_key}": {value_str}')
             example_lines.append("  }")
 
-            parts.append("\n".join(example_lines))
+            example_code = "\n".join(example_lines)
 
-        return ". ".join(parts) if parts else f"Add condition: {condition_key}"
+        return suggestion, example_code
 
     def _build_any_of_suggestion(self, any_of_conditions: list[dict[str, Any]]) -> str:
         """Build suggestion for any_of conditions."""

iam_validator/checks/action_resource_matching.py

@@ -21,6 +21,8 @@ Example:
     This check will report: s3:GetObject requires arn:aws:s3:::mybucket/*
 """
 
+import re
+
 from iam_validator.core.aws_fetcher import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
@@ -231,18 +233,23 @@ class ActionResourceMatchingCheck(PolicyCheck):
         if reason:
             message = reason
         elif all_required_formats and len(all_required_formats) > 1:
-            types = ", ".join(f["type"] for f in all_required_formats)
+            types = ", ".join(f"`{f['type']}`" for f in all_required_formats)
             message = (
-                f"No resources match for action '{action}'. This action requires one of: {types}"
+                f"No resources match for action `{action}`. This action requires one of: {types}"
             )
         else:
             message = (
-                f"No resources match for action '{action}'. "
-                f"This action requires resource type: {required_type}"
+                f"No resources match for action `{action}`. "
+                f"This action requires resource type: `{required_type}`"
             )
 
         # Build suggestion with examples
-        suggestion = self._get_suggestion(action, required_format, provided_resources)
+        suggestion = self._get_suggestion(
+            action=action,
+            required_format=required_format,
+            provided_resources=provided_resources,
+            all_required_formats=all_required_formats,
+        )
 
         return ValidationIssue(
             severity=self.get_severity(config),
@@ -265,6 +272,7 @@ class ActionResourceMatchingCheck(PolicyCheck):
         action: str,
         required_format: str,
         provided_resources: list[str],
+        all_required_formats: list[dict] | None = None,
     ) -> str:
         """
         Generate helpful suggestion for fixing the mismatch.
@@ -281,44 +289,75 @@ class ActionResourceMatchingCheck(PolicyCheck):
         # Special case: Wildcard resource
         if required_format == "*":
             return (
-                f'Action {action} can only use Resource: "*" (wildcard).\n'
+                f'Action `{action}` can only use Resource: "*" (wildcard).\n'
                 f"  This action does not support resource-level permissions.\n"
                 f'  Example: "Resource": "*"'
             )
 
-        # Extract resource type from ARN pattern
-        # Pattern format: arn:${Partition}:service:${Region}:${Account}:resourceType/...
-        # Examples:
-        #   arn:${Partition}:s3:::${BucketName}/${ObjectName} -> object
-        #   arn:${Partition}:iam::${Account}:user/${UserName} -> user
-        resource_type = self._extract_resource_type_from_pattern(required_format)
-
-        # Build service-specific suggestion
+        # Build service-specific suggestion with proper markdown formatting
         suggestion_parts = []
 
-        # Add action description
-        suggestion_parts.append(f"Action {action} requires {resource_type} resource type.")
+        # If multiple resource types are valid, show all of them
+        if all_required_formats and len(all_required_formats) > 1:
+            resource_types = [fmt["type"] for fmt in all_required_formats]
+            suggestion_parts.append(
+                f"Action `{action}` requires one of these resource types: {', '.join(f'`{t}`' for t in resource_types)}"
+            )
+            suggestion_parts.append("")
 
-        # Add expected format
-        suggestion_parts.append(f"  Expected format: {required_format}")
+            # Show format and example for each resource type
+            for fmt in all_required_formats:
+                resource_type = fmt["type"]
+                arn_format = fmt["format"]
 
-        # Add practical example based on the pattern
-        example = self._generate_example_arn(required_format)
-        if example:
-            suggestion_parts.append(f"  Example: {example}")
+                suggestion_parts.append(
+                    f"**Option {all_required_formats.index(fmt) + 1}: `{resource_type}` resource**"
+                )
+                suggestion_parts.append("```")
+                suggestion_parts.append(arn_format)
+                suggestion_parts.append("```")
 
-        # Add helpful context for common patterns
-        context = self._get_resource_context(action_name, resource_type, required_format)
-        if context:
-            suggestion_parts.append(f"  {context}")
+                # Add practical example
+                example = self._generate_example_arn(arn_format)
+                if example:
+                    suggestion_parts.append(f"Example: `{example}`")
 
-        suggestion = "\n".join(suggestion_parts)
+                suggestion_parts.append("")
+        else:
+            # Single resource type - show detailed info
+            # Extract resource type from ARN pattern
+            # Pattern format: arn:${Partition}:service:${Region}:${Account}:resourceType/...
+            # Examples:
+            #   arn:${Partition}:s3:::${BucketName}/${ObjectName} -> object
+            #   arn:${Partition}:iam::${Account}:user/${UserName} -> user
+            resource_type = self._extract_resource_type_from_pattern(required_format)
+
+            # Add action description
+            suggestion_parts.append(f"Action `{action}` requires `{resource_type}` resource type.")
+            suggestion_parts.append("")
+
+            # Add expected format in code block
+            suggestion_parts.append("**Expected format:**")
+            suggestion_parts.append(f"```\n{required_format}\n```")
+
+            # Add practical example based on the pattern
+            example = self._generate_example_arn(required_format)
+            if example:
+                suggestion_parts.append("**Example:**")
+                suggestion_parts.append(f"```\n{example}\n```")
+
+            # Add helpful context for common patterns
+            context = self._get_resource_context(action_name, resource_type, required_format)
+            if context:
+                suggestion_parts.append(f"**Note:** {context}")
 
         # Add current resources to help user understand the mismatch
         if provided_resources and len(provided_resources) <= 3:
-            current = ", ".join(provided_resources)
-            suggestion += f"\n  Current resources: {current}"
+            suggestion_parts.append("**Current resources:**")
+            for resource in provided_resources:
+                suggestion_parts.append(f"- `{resource}`")
 
+        suggestion = "\n".join(suggestion_parts)
         return suggestion
 
     def _extract_resource_type_from_pattern(self, pattern: str) -> str:
@@ -340,17 +379,14 @@ class ActionResourceMatchingCheck(PolicyCheck):
 
         # Extract resource type (part before / or entire string)
         if "/" in resource_part:
-            resource_type = resource_part.split("/")[0]
+            resource_type = resource_part.split("/", maxsplit=1)[0]
         elif ":" in resource_part:
-            resource_type = resource_part.split(":")[0]
+            resource_type = resource_part.split(":", maxsplit=1)[0]
         else:
             resource_type = resource_part
 
         # Remove template variables like ${...}
-        import re
-
         resource_type = re.sub(r"\$\{[^}]+\}", "", resource_type)
-
         return resource_type.strip() or "resource"
 
     def _generate_example_arn(self, pattern: str) -> str:
@@ -359,8 +395,6 @@ class ActionResourceMatchingCheck(PolicyCheck):
 
         Converts AWS template variables to realistic examples.
         """
-        import re
-
         example = pattern
 
         # Common substitutions

iam_validator/checks/condition_key_validation.py

@@ -52,26 +52,26 @@ class ConditionKeyValidationCheck(PolicyCheck):
                         continue
 
                     # Validate against action and resource types
-                    is_valid, error_msg, warning_msg = await fetcher.validate_condition_key(
-                        action, condition_key, resources
-                    )
+                    result = await fetcher.validate_condition_key(action, condition_key, resources)
 
-                    if not is_valid:
+                    if not result.is_valid:
                         issues.append(
                             ValidationIssue(
                                 severity=self.get_severity(config),
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="invalid_condition_key",
-                                message=error_msg or f"Invalid condition key: {condition_key}",
+                                message=result.error_message
+                                or f"Invalid condition key: {condition_key}",
                                 action=action,
                                 condition_key=condition_key,
                                 line_number=line_number,
+                                suggestion=result.suggestion,
                             )
                         )
                         # Only report once per condition key (not per action)
                         break
-                    elif warning_msg and warn_on_global_keys:
+                    elif result.warning_message and warn_on_global_keys:
                         # Add warning for global condition keys with action-specific keys
                         # Only if warn_on_global_condition_keys is enabled
                         issues.append(
@@ -80,7 +80,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
                                 statement_sid=statement_sid,
                                 statement_index=statement_idx,
                                 issue_type="global_condition_key_with_action_specific",
-                                message=warning_msg,
+                                message=result.warning_message,
                                 action=action,
                                 condition_key=condition_key,
                                 line_number=line_number,

iam_validator/checks/condition_type_mismatch.py

@@ -107,8 +107,8 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                         ValidationIssue(
                             severity="warning",
                             message=(
-                                f"Type mismatch (usable but not recommended): Operator '{operator}' expects "
-                                f"{operator_type} values, but condition key '{condition_key}' is type {key_type}. "
+                                f"Type mismatch (usable but not recommended): Operator `{operator}` expects "
+                                f"{operator_type} values, but condition key `{condition_key}` is type {key_type}. "
                                 f"Consider using an ARN-specific operator like ArnEquals or ArnLike instead."
                             ),
                             statement_sid=statement_sid,
@@ -123,8 +123,8 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Type mismatch: Operator '{operator}' expects {operator_type} values, "
-                                f"but condition key '{condition_key}' is type {key_type}."
+                                f"Type mismatch: Operator `{operator}` expects {operator_type} values, "
+                                f"but condition key `{condition_key}` is type {key_type}."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -141,7 +141,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Invalid value format for condition key '{condition_key}': {error_msg}"
+                                f"Invalid value format for condition key `{condition_key}`: {error_msg}"
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -172,7 +172,9 @@ class ConditionTypeMismatchCheck(PolicyCheck):
         Returns:
             Type string or None if not found
         """
-        from iam_validator.core.config.aws_global_conditions import get_global_conditions
+        from iam_validator.core.config.aws_global_conditions import (
+            get_global_conditions,
+        )
 
         # Check if it's a global condition key
         global_conditions = get_global_conditions()

iam_validator/checks/full_wildcard.py

@@ -43,19 +43,12 @@ class FullWildcardCheck(PolicyCheck):
                 "message",
                 "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
             )
-            suggestion_text = config.config.get(
+            suggestion = config.config.get(
                 "suggestion",
                 "This grants full administrative access. Replace both wildcards with specific actions and resources to follow least-privilege principle",
             )
             example = config.config.get("example", "")
 
-            # Combine suggestion + example
-            suggestion = (
-                f"{suggestion_text}\nExample:\n```json\n{example}\n```"
-                if example
-                else suggestion_text
-            )
-
             issues.append(
                 ValidationIssue(
                     severity=self.get_severity(config),
@@ -64,6 +57,7 @@ class FullWildcardCheck(PolicyCheck):
                     issue_type="security_risk",
                     message=message,
                     suggestion=suggestion,
+                    example=example if example else None,
                     line_number=statement.line_number,
                 )
             )

iam_validator/checks/mfa_condition_check.py

@@ -70,11 +70,11 @@ class MFAConditionCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                "Dangerous MFA condition pattern detected. "
-                                'Using {"Bool": {"aws:MultiFactorAuthPresent": "false"}} does not enforce MFA '
-                                "because aws:MultiFactorAuthPresent may not exist in the request context. "
-                                'Consider using {"Bool": {"aws:MultiFactorAuthPresent": "true"}} in an Allow statement, '
-                                "or use BoolIfExists in a Deny statement."
+                                "**Dangerous MFA condition pattern detected.** "
+                                'Using `{"Bool": {"aws:MultiFactorAuthPresent": "false"}}` does not enforce MFA '
+                                "because `aws:MultiFactorAuthPresent` may not exist in the request context. "
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement, '
+                                "or use `BoolIfExists` in a Deny statement."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -97,10 +97,10 @@ class MFAConditionCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                "Dangerous MFA condition pattern detected. "
-                                'Using {"Null": {"aws:MultiFactorAuthPresent": "false"}} only checks if the key exists, '
+                                "**Dangerous MFA condition pattern detected.** "
+                                'Using `{"Null": {"aws:MultiFactorAuthPresent": "false"}}` only checks if the key exists, '
                                 "not whether MFA was actually used. This does not enforce MFA. "
-                                'Consider using {"Bool": {"aws:MultiFactorAuthPresent": "true"}} in an Allow statement instead.'
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement instead.'
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,