iam-policy-validator 1.7.1__py3-none-any.whl → 1.8.0__py3-none-any.whl

{iam_policy_validator-1.7.1.dist-info → iam_policy_validator-1.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.7.1
+Version: 1.8.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -242,8 +242,13 @@ results = await validate_policies(policies)
 
 **All checks are fully configurable** - Enable/disable checks, adjust severity levels, add custom requirements, and define ignore patterns through the configuration file.
 
+### Core Checks (18 always-on + 1 opt-in)
+
+The validator includes **19 built-in checks** organized into three categories:
+
 ### AWS Correctness Checks (12)
 Validates policies against AWS IAM requirements:
+- **Policy structure** - Validates fundamental IAM policy grammar (Version, Effect, required fields, conflicts)
 - **Action validation** - Verify actions exist in AWS services
 - **Condition key validation** - Check condition keys are valid for actions
 - **Condition type matching** - Ensure condition values match expected types
@@ -255,7 +260,6 @@ Validates policies against AWS IAM requirements:
 - **MFA condition patterns** - Detect common MFA anti-patterns
 - **Policy type validation** - Enforce policy type requirements (RCP, SCP, etc.)
 - **Action-resource matching** - Detect impossible action-resource combinations
-- **Action-resource constraints** - Validate service-specific constraints
 
 ### Security Best Practices (6)
 Identifies security risks and overly permissive permissions:
@@ -266,6 +270,15 @@ Identifies security risks and overly permissive permissions:
 - **Sensitive actions** - ~490 actions across 4 risk categories requiring conditions
 - **Action condition enforcement** - Enforce required conditions (MFA, IP, SourceArn, etc.)
 
+### Trust Policy Validation (1 - Opt-in, Disabled by Default)
+Specialized validation for role assumption policies:
+- **Trust policy validation** - Validates action-principal coupling for assume role actions
+  - Ensures correct principal types (`AssumeRoleWithSAML` → Federated, etc.)
+  - Validates SAML/OIDC provider ARN formats
+  - Enforces required conditions (`SAML:aud`, OIDC audience, etc.)
+  - Use with `--policy-type TRUST_POLICY` flag
+  - See [Trust Policy Examples](examples/trust-policies/README.md)
+
 ### Configuration & Customization
 
 All checks can be customized via a yaml configuration file ex: `.iam-validator.yaml`:
@@ -325,10 +338,11 @@ ignore_patterns:
 ```
 
 **📖 Complete documentation:**
-- [Check Reference Guide](docs/check-reference.md) - All 18 checks with examples
+- [Check Reference Guide](docs/check-reference.md) - All 19 checks with examples
 - [Configuration Guide](docs/configuration.md) - Full configuration options
 - [Condition Requirements](docs/condition-requirements.md) - Action-specific requirements
 - [Privilege Escalation Detection](docs/privilege-escalation.md) - How privilege escalation works
+- [Trust Policy Validation](examples/trust-policies/README.md) - Trust policy examples and validation
 
 ## Output Formats & GitHub Integration
 
@@ -357,7 +371,7 @@ ignore_patterns:
 
 ## AWS Access Analyzer (Optional)
 
-In addition to the 18 built-in checks, optionally enable AWS Access Analyzer for additional validation capabilities that require AWS credentials:
+In addition to the 19 built-in checks, optionally enable AWS Access Analyzer for additional validation capabilities that require AWS credentials:
 
 ### Access Analyzer Capabilities
 
@@ -394,16 +408,18 @@ iam-validator analyze --path bucket-policy.json \
 ## 📚 Documentation
 
 **Guides:**
-- [Check Reference](docs/check-reference.md) - All 18 checks with examples
+- [Check Reference](docs/check-reference.md) - All 19 checks with examples
 - [Configuration Guide](docs/configuration.md) - Customize checks and behavior
 - [GitHub Actions Guide](docs/github-actions-workflows.md) - CI/CD integration
 - [Python Library Guide](docs/python-library-usage.md) - Use as Python package
+- [Trust Policy Guide](examples/trust-policies/README.md) - Trust policy validation
 - [Contributing Guide](CONTRIBUTING.md) - How to contribute
 
 **Examples:**
-- [Configuration Examples](examples/configs/) - 9 config file templates
+- [Configuration Examples](examples/configs/) - 9+ config file templates
 - [Workflow Examples](examples/github-actions/) - GitHub Actions workflows
 - [Custom Checks](examples/custom_checks/) - Add your own validation rules
+- [Trust Policies](examples/trust-policies/) - Trust policy examples
 
 ## 🤝 Contributing
 
@@ -426,4 +442,3 @@ MIT License - see [LICENSE](LICENSE) file for details.
 ## 🆘 Support
 
 - **Issues**: [GitHub Issues](https://github.com/boogy/iam-policy-validator/issues)
-- **Discussions**: [GitHub Discussions](https://github.com/boogy/iam-policy-validator/discussions)

iam_policy_validator-1.8.0.dist-info/RECORD

@@ -0,0 +1,87 @@
+iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
+iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
+iam_validator/__version__.py,sha256=3gyLuIf6oV1A2rFZSmXco3rdq2hmgGAYEB2we_Su_TU,361
+iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
+iam_validator/checks/action_condition_enforcement.py,sha256=XztLhckc3Xc5RwxlMM2U2M81TNyt9M5xgBwn5fqHK1M,39141
+iam_validator/checks/action_resource_matching.py,sha256=BTrweeD1SNy9hcsfIDEN4L1E7oLNiVLyg-yerlZ5eC0,19356
+iam_validator/checks/action_validation.py,sha256=t8JPbvLiQb0Lx7SF_gruxehVgy0WU5uWppDJhhsSnI0,2580
+iam_validator/checks/condition_key_validation.py,sha256=VaOo1CLrMVRi23oUE1nMlKAgzNY9_jrnnEfGbdfF53g,3982
+iam_validator/checks/condition_type_mismatch.py,sha256=VK7KxkdeX2FmKWJUaZwJXSFQUxqtnqGj5sigOuhGCWo,10707
+iam_validator/checks/full_wildcard.py,sha256=ywD762BOV8WxFuTTARkaGMJn27f3ZZVuZUjKo8URnTc,2281
+iam_validator/checks/mfa_condition_check.py,sha256=YCBX3tFTQRmVTAed_W-Tu1b6WqD2LBYyom53P7lBjh4,4935
+iam_validator/checks/policy_size.py,sha256=ibgmrErpkz6OfUAN6bFuHe1KHzpzzra9gHwNtVAkPWc,5729
+iam_validator/checks/policy_structure.py,sha256=CQh1FsqVOFENAQe7mbyRzlIntjMs0gAwv6wUUqsdXqc,22636
+iam_validator/checks/policy_type_validation.py,sha256=8wnaCmvFb_q4ToqPR8B1exwFdwwqXYEf-Dw8YUgnj0s,15873
+iam_validator/checks/principal_validation.py,sha256=HYxcUtTWDvWh9AZbqtUSWrZOJrNGALRu1jrDydNF3xk,27895
+iam_validator/checks/resource_validation.py,sha256=8FAVPxAsralAPlao5GeJNSutqKC7DLWYZaI7CHhLs_E,6052
+iam_validator/checks/sensitive_action.py,sha256=1-Bumsk_fPHTCW0iRmIHaqMaQY-1uYI5vH2uO3YGvf0,9765
+iam_validator/checks/service_wildcard.py,sha256=brdm4cm7bOgpHB8jyAzGEGPQzoytaFIy5CgfUVgamv8,4012
+iam_validator/checks/set_operator_validation.py,sha256=AnOC7Ywd3tk7zdqNkQXAAdtsiCxKwVQ6pGsbpsopZfY,7465
+iam_validator/checks/sid_uniqueness.py,sha256=ZScVKa1RROhrY2uSOUSeeIK4xXNVzfnp9hn5Jr-TVHk,6984
+iam_validator/checks/trust_policy_validation.py,sha256=q3YFqMk3MYa4pEr1CPCCPvMcbv8-6rzT74EfsgZ6k0k,17880
+iam_validator/checks/wildcard_action.py,sha256=-yS4o2SgDRMEp_SA_kcwmmf6do0gWppkP1rpg7IP9Zg,2023
+iam_validator/checks/wildcard_resource.py,sha256=zsz7nfvvqnOYLMUfM1w7E46267Y4SrBF4x1Nvgg-B7U,5467
+iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
+iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
+iam_validator/checks/utils/wildcard_expansion.py,sha256=JK8iYcYpOzi5RN4IvIMBCbzkCEhVRJxZDKLZIKgD8nY,3131
+iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
+iam_validator/commands/analyze.py,sha256=rvLBJ5_A3HB530xtixhaIsC19QON68olEQnn8TievgI,20784
+iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
+iam_validator/commands/cache.py,sha256=p4ucRVuh42sbK3Lk0b610L3ofAR5TnUreF00fpO6VFg,14219
+iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
+iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
+iam_validator/commands/validate.py,sha256=hau8oPCNGya8gAUrvbhQxAlR4fhaGKzl7MQSryBgQfQ,23381
+iam_validator/core/__init__.py,sha256=JyeUUjuVsXFPkxLjsZ9omLPAFudWR-lQ_8oBX9jTY70,376
+iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
+iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
+iam_validator/core/aws_fetcher.py,sha256=U9aE1kJ6HqJYYFpT8bq90dAAKGvmy8wKV6v_1aQCno4,41741
+iam_validator/core/check_registry.py,sha256=5hmhKiF45cenLYviGMAEhb08_Fqvu9PFxXzBmLEQuqk,22639
+iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
+iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
+iam_validator/core/constants.py,sha256=H3eH0yddn5Dk-xZxJWtuvluRIpuXKYGiiteBSHPpJoI,5560
+iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
+iam_validator/core/models.py,sha256=f5d9ovtO1xMSwhyBrKIgc2psEq0eugnd3S3ioqurqEE,13242
+iam_validator/core/policy_checks.py,sha256=le1ovFm3qcgq3JG-L336h4nCSfol0PzL65RC3Beslwk,8520
+iam_validator/core/policy_loader.py,sha256=2KJnXzGg3g9pDXWZHk3DO0xpZnZZ-wXWFEOdQ_naJ8s,17862
+iam_validator/core/pr_commenter.py,sha256=MU-t7SfdHUpSc6BDbh8_dNAbxDiG-bZBCry-jUXivAc,15066
+iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
+iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
+iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
+iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
+iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
+iam_validator/core/config/condition_requirements.py,sha256=qauIP73HFnOw1dchUeFpg1x7Y7QWkILo3GfxV_dxdQo,7696
+iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
+iam_validator/core/config/defaults.py,sha256=rWzDrlw0AAudtm_If6zjNFvruLg71jpLJEdRgKYSKMQ,27917
+iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
+iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
+iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
+iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
+iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
+iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
+iam_validator/core/formatters/console.py,sha256=FdTp7AzeILCWrUynSvSew8QJKGOMJaAA9_YiQJd-uco,2196
+iam_validator/core/formatters/csv.py,sha256=pPqgvGh4KtD5Qm36xnMaDAavXYR6MlQhs4zbcrxT550,5941
+iam_validator/core/formatters/enhanced.py,sha256=TVtkcTIow8NGoLhG45-5ms-_PTxyxMcAHxf_uPMyKAc,18155
+iam_validator/core/formatters/html.py,sha256=j4sQi-wXiD9kCHldW5JCzbJe0frhiP5uQI9KlH3Sj_g,22994
+iam_validator/core/formatters/json.py,sha256=A7gZ8P32GEdbDvrSn6v56yQ4fOP_kyMaoFVXG2bgnew,939
+iam_validator/core/formatters/markdown.py,sha256=dk4STeY-tOEZsVrlmolIEqZvWYP9JhRtygxxNA49DEE,2293
+iam_validator/core/formatters/sarif.py,sha256=O3pn7whqFq5xxk-tuoqSb2k4Fk5ai_A2SKX_ph8GLV4,10469
+iam_validator/integrations/__init__.py,sha256=7Hlor_X9j0NZaEjFuSvoXAAuSKQ-zgY19Rk-Dz3JpKo,616
+iam_validator/integrations/github_integration.py,sha256=EnrolMq3uZbKWPxUMhYnqcKAfic6Fb8qJzieDruKqsc,26485
+iam_validator/integrations/ms_teams.py,sha256=t2PlWuTDb6GGH-eDU1jnOKd8D1w4FCB68bahGA7MJcE,14475
+iam_validator/sdk/__init__.py,sha256=fRDSXAclGmCU3KDft4StL8JUcpAsdzwIRf8mVj461q0,5306
+iam_validator/sdk/arn_matching.py,sha256=HSDpLltOYISq-SoPebAlM89mKOaUaghq_04urchEFDA,12778
+iam_validator/sdk/context.py,sha256=SBFeedu8rhCzFA-zC2cH4wLZxEJT6XOW30hIZAyXPVU,6826
+iam_validator/sdk/exceptions.py,sha256=tm91TxIwU157U_UHN7w5qICf_OhU11agj6pV5W_YP-4,1023
+iam_validator/sdk/helpers.py,sha256=OVBg4xrW95LT74wXCg1LQkba9kw5RfFqeCLuTqhgL-A,5697
+iam_validator/sdk/policy_utils.py,sha256=CZS1OGSdiWsd2lsCwg0BDcUNWa61tUwgvn-P5rKqeN8,12987
+iam_validator/sdk/shortcuts.py,sha256=EVNSYV7rv4TFH03ulsZ3mS1UVmTSp2jKpc2AXs4j1q4,8531
+iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYuCs,1021
+iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
+iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
+iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
+iam_policy_validator-1.8.0.dist-info/METADATA,sha256=vccDFxkghziff8eO-K7hIVreQjE5gkLsWrIS5b61EwY,16174
+iam_policy_validator-1.8.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.8.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.8.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.8.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,5 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.7.1"
-__version_info__ = tuple(int(part) for part in __version__.split("."))
+__version__ = "1.8.0"
+# Parse version, handling pre-release suffixes like -rc, -alpha, -beta
+_version_base = __version__.split("-")[0]  # Remove pre-release suffix if present
+__version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/__init__.py

@@ -5,21 +5,21 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
-from iam_validator.checks.action_resource_matching import (
-    ActionResourceMatchingCheck,
-)
+from iam_validator.checks.action_resource_matching import ActionResourceMatchingCheck
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
 from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.mfa_condition_check import MFAConditionCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
+from iam_validator.checks.policy_structure import PolicyStructureCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
 from iam_validator.checks.resource_validation import ResourceValidationCheck
 from iam_validator.checks.sensitive_action import SensitiveActionCheck
 from iam_validator.checks.service_wildcard import ServiceWildcardCheck
 from iam_validator.checks.set_operator_validation import SetOperatorValidationCheck
 from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
+from iam_validator.checks.trust_policy_validation import TrustPolicyValidationCheck
 from iam_validator.checks.wildcard_action import WildcardActionCheck
 from iam_validator.checks.wildcard_resource import WildcardResourceCheck
 
@@ -32,12 +32,14 @@ __all__ = [
     "FullWildcardCheck",
     "MFAConditionCheck",
     "PolicySizeCheck",
+    "PolicyStructureCheck",
     "PrincipalValidationCheck",
     "ResourceValidationCheck",
     "SensitiveActionCheck",
     "ServiceWildcardCheck",
     "SetOperatorValidationCheck",
     "SidUniquenessCheck",
+    "TrustPolicyValidationCheck",
     "WildcardActionCheck",
     "WildcardResourceCheck",
 ]

iam_validator/checks/action_condition_enforcement.py

@@ -197,15 +197,16 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 description = requirement.get("description", "These actions should not be used")
                 # Use per-requirement severity if specified, else use global
                 severity = requirement.get("severity", self.get_severity(config))
+                matching_actions_formatted = ", ".join(f"`{a}`" for a in matching_actions)
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement.sid,
                         statement_index=statement_idx,
                         issue_type="forbidden_action_present",
-                        message=f"FORBIDDEN: Actions {matching_actions} should not be used. {description}",
+                        message=f"FORBIDDEN: Actions {matching_actions_formatted} should not be used. {description}",
                         action=", ".join(matching_actions),
-                        suggestion=f"Remove these forbidden actions from the statement: {', '.join(matching_actions)}. {description}",
+                        suggestion=f"Remove these forbidden actions from the statement: {matching_actions_formatted}. {description}",
                         line_number=statement.line_number,
                     )
                 )
@@ -272,7 +273,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             # Collect all statements that match the action criteria
             matching_statements: list[tuple[int, Statement, list[str]]] = []
 
-            for idx, statement in enumerate(policy.statement):
+            for idx, statement in enumerate(policy.statement or []):
                 # Only check Allow statements
                 if statement.effect != "Allow":
                     continue
@@ -308,6 +309,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
                 # Use the first matching statement's index for the issue
                 first_idx, first_stmt, _ = matching_statements[0]
+                all_actions_formatted = ", ".join(f"`{a}`" for a in sorted(all_actions))
 
                 issues.append(
                     ValidationIssue(
@@ -315,7 +317,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                         statement_sid=first_stmt.sid,
                         statement_index=first_idx,
                         issue_type="policy_level_action_detected",
-                        message=f"POLICY-LEVEL: Actions {sorted(all_actions)} found in {len(matching_statements)} statement(s). {description}",
+                        message=f"POLICY-LEVEL: Actions {all_actions_formatted} found in {len(matching_statements)} statement(s). {description}",
                         action=", ".join(sorted(all_actions)),
                         suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
                         line_number=first_stmt.line_number,
@@ -349,7 +351,10 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         return issues
 
     async def _check_action_match(
-        self, statement_actions: list[str], requirement: dict[str, Any], fetcher: AWSServiceFetcher
+        self,
+        statement_actions: list[str],
+        requirement: dict[str, Any],
+        fetcher: AWSServiceFetcher,
     ) -> tuple[bool, list[str]]:
         """
         Check if statement actions match the requirement.
@@ -527,7 +532,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                     available_actions = list(service_detail.actions.keys())
 
                     # Find which actual AWS actions the wildcard would grant
-                    _, granted_actions = fetcher._match_wildcard_action(
+                    _, granted_actions = fetcher.match_wildcard_action(
                         statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
                         available_actions,
                     )
@@ -542,7 +547,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             except re.error:
                                 continue
 
-                except (ValueError, Exception):
+                except (ValueError, Exception):  # pylint: disable=broad-exception-caught
                     # If we can't fetch the service or parse the action, fall back to prefix matching
                     stmt_prefix = statement_action.rstrip("*")
                     for pattern in patterns:
@@ -624,7 +629,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
                 if not any_present:
                     # Create a combined error for any_of
-                    condition_keys = [cond.get("condition_key", "unknown") for cond in any_of]
+                    # Handle both simple conditions and nested all_of
+                    condition_keys = []
+                    for cond in any_of:
+                        if "all_of" in cond:
+                            # Nested all_of - collect all condition keys
+                            nested_keys = [
+                                c.get("condition_key", "unknown") for c in cond["all_of"]
+                            ]
+                            condition_keys.append(f"({' + '.join(f'`{k}`' for k in nested_keys)})")
+                        else:
+                            # Simple condition
+                            condition_keys.append(f"`{cond.get('condition_key', 'unknown')}`")
+                    condition_keys_formatted = " OR ".join(condition_keys)
+                    matching_actions_formatted = ", ".join(f"`{a}`" for a in matching_actions)
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
@@ -632,8 +650,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             statement_index=statement_idx,
                             issue_type="missing_required_condition_any_of",
                             message=(
-                                f"Actions {matching_actions} require at least ONE of these conditions: "
-                                f"{', '.join(condition_keys)}"
+                                f"Actions `{matching_actions_formatted}` require at least ONE of these conditions: "
+                                f"{condition_keys_formatted}"
                             ),
                             action=", ".join(matching_actions),
                             suggestion=self._build_any_of_suggestion(any_of),
@@ -766,17 +784,21 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             or self.get_severity(config)  # Global check severity
         )
 
+        suggestion_text, example_code = self._build_suggestion(
+            condition_key, description, example, expected_value, operator
+        )
+
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_required_condition",
-            message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
+            message=f"{message_prefix} Action(s) `{matching_actions_str}` require condition `{condition_key}`",
             action=", ".join(matching_actions),
             condition_key=condition_key,
-            suggestion=self._build_suggestion(
-                condition_key, description, example, expected_value, operator
-            ),
+            suggestion=suggestion_text,
+            example=example_code,
             line_number=statement.line_number,
         )
 
@@ -787,19 +809,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         example: str,
         expected_value: Any = None,
         operator: str = "StringEquals",
-    ) -> str:
-        """Build a helpful suggestion for adding the missing condition."""
-        parts = []
+    ) -> tuple[str, str]:
+        """Build suggestion and example for adding the missing condition.
 
-        if description:
-            parts.append(description)
+        Returns:
+            Tuple of (suggestion_text, example_code)
+        """
+        suggestion = description if description else f"Add condition: {condition_key}"
 
         # Build example based on condition key type
         if example:
-            parts.append(f"Example:\n```json\n{example}\n```")
+            example_code = example
         else:
             # Auto-generate example
-            example_lines = ['Add to "Condition" block:', f'  "{operator}": {{']
+            example_lines = [f'  "{operator}": {{']
 
             if isinstance(expected_value, list):
                 value_str = (
@@ -826,9 +849,9 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             example_lines.append(f'    "{condition_key}": {value_str}')
             example_lines.append("  }")
 
-            parts.append("\n".join(example_lines))
+            example_code = "\n".join(example_lines)
 
-        return ". ".join(parts) if parts else f"Add condition: {condition_key}"
+        return suggestion, example_code
 
     def _build_any_of_suggestion(self, any_of_conditions: list[dict[str, Any]]) -> str:
         """Build suggestion for any_of conditions."""
@@ -836,15 +859,38 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         suggestions.append("Add at least ONE of these conditions:")
 
         for i, cond in enumerate(any_of_conditions, 1):
-            condition_key = cond.get("condition_key", "unknown")
-            description = cond.get("description", "")
-            expected_value = cond.get("expected_value")
+            # Handle nested all_of blocks
+            if "all_of" in cond:
+                # Nested all_of - show all required conditions together
+                all_of_list = cond["all_of"]
+                condition_keys = [c.get("condition_key", "unknown") for c in all_of_list]
+                condition_keys_formatted = " + ".join(f"`{k}`" for k in condition_keys)
+
+                option = f"\n- **Option {i}**: {condition_keys_formatted} (both required)"
+
+                # Use description from first condition or combine them
+                descriptions = [
+                    c.get("description", "") for c in all_of_list if c.get("description")
+                ]
+                if descriptions:
+                    option += f" - {descriptions[0]}"
+
+                # Show example from first condition that has one
+                for c in all_of_list:
+                    if c.get("example"):
+                        # Example will be shown separately, just note it's available
+                        break
+            else:
+                # Simple condition (original behavior)
+                condition_key = cond.get("condition_key", "unknown")
+                description = cond.get("description", "")
+                expected_value = cond.get("expected_value")
 
-            option = f"\nOption {i}: {condition_key}"
-            if description:
-                option += f" - {description}"
-            if expected_value is not None:
-                option += f" (value: {expected_value})"
+                option = f"\n- **Option {i}**: `{condition_key}`"
+                if description:
+                    option += f" - {description}"
+                if expected_value is not None:
+                    option += f" (value: `{expected_value}`)"
 
             suggestions.append(option)
 
@@ -863,13 +909,12 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         description = condition_requirement.get("description", "")
         expected_value = condition_requirement.get("expected_value")
 
-        message = (
-            f"FORBIDDEN: Action(s) {matching_actions} must NOT have condition '{condition_key}'"
-        )
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
+        message = f"FORBIDDEN: Action(s) `{matching_actions_str}` must NOT have condition `{condition_key}`"
         if expected_value is not None:
-            message += f" with value '{expected_value}'"
+            message += f" with value `{expected_value}`"
 
-        suggestion = f"Remove the '{condition_key}' condition from the statement"
+        suggestion = f"Remove the `{condition_key}` condition from the statement"
         if description:
             suggestion += f". {description}"