iam-policy-validator 1.7.2__py3-none-any.whl → 1.8.0__py3-none-any.whl

{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.8.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iam-policy-validator
-Version: 1.7.2
+Version: 1.8.0
 Summary: Validate AWS IAM policies for correctness and security using AWS Service Reference API
 Project-URL: Homepage, https://github.com/boogy/iam-policy-validator
 Project-URL: Documentation, https://github.com/boogy/iam-policy-validator/tree/main/docs
@@ -242,8 +242,13 @@ results = await validate_policies(policies)
 
 **All checks are fully configurable** - Enable/disable checks, adjust severity levels, add custom requirements, and define ignore patterns through the configuration file.
 
+### Core Checks (18 always-on + 1 opt-in)
+
+The validator includes **19 built-in checks** organized into three categories:
+
 ### AWS Correctness Checks (12)
 Validates policies against AWS IAM requirements:
+- **Policy structure** - Validates fundamental IAM policy grammar (Version, Effect, required fields, conflicts)
 - **Action validation** - Verify actions exist in AWS services
 - **Condition key validation** - Check condition keys are valid for actions
 - **Condition type matching** - Ensure condition values match expected types
@@ -255,7 +260,6 @@ Validates policies against AWS IAM requirements:
 - **MFA condition patterns** - Detect common MFA anti-patterns
 - **Policy type validation** - Enforce policy type requirements (RCP, SCP, etc.)
 - **Action-resource matching** - Detect impossible action-resource combinations
-- **Action-resource constraints** - Validate service-specific constraints
 
 ### Security Best Practices (6)
 Identifies security risks and overly permissive permissions:
@@ -266,6 +270,15 @@ Identifies security risks and overly permissive permissions:
 - **Sensitive actions** - ~490 actions across 4 risk categories requiring conditions
 - **Action condition enforcement** - Enforce required conditions (MFA, IP, SourceArn, etc.)
 
+### Trust Policy Validation (1 - Opt-in, Disabled by Default)
+Specialized validation for role assumption policies:
+- **Trust policy validation** - Validates action-principal coupling for assume role actions
+  - Ensures correct principal types (`AssumeRoleWithSAML` → Federated, etc.)
+  - Validates SAML/OIDC provider ARN formats
+  - Enforces required conditions (`SAML:aud`, OIDC audience, etc.)
+  - Use with `--policy-type TRUST_POLICY` flag
+  - See [Trust Policy Examples](examples/trust-policies/README.md)
+
 ### Configuration & Customization
 
 All checks can be customized via a yaml configuration file ex: `.iam-validator.yaml`:
@@ -325,10 +338,11 @@ ignore_patterns:
 ```
 
 **📖 Complete documentation:**
-- [Check Reference Guide](docs/check-reference.md) - All 18 checks with examples
+- [Check Reference Guide](docs/check-reference.md) - All 19 checks with examples
 - [Configuration Guide](docs/configuration.md) - Full configuration options
 - [Condition Requirements](docs/condition-requirements.md) - Action-specific requirements
 - [Privilege Escalation Detection](docs/privilege-escalation.md) - How privilege escalation works
+- [Trust Policy Validation](examples/trust-policies/README.md) - Trust policy examples and validation
 
 ## Output Formats & GitHub Integration
 
@@ -357,7 +371,7 @@ ignore_patterns:
 
 ## AWS Access Analyzer (Optional)
 
-In addition to the 18 built-in checks, optionally enable AWS Access Analyzer for additional validation capabilities that require AWS credentials:
+In addition to the 19 built-in checks, optionally enable AWS Access Analyzer for additional validation capabilities that require AWS credentials:
 
 ### Access Analyzer Capabilities
 
@@ -394,16 +408,18 @@ iam-validator analyze --path bucket-policy.json \
 ## 📚 Documentation
 
 **Guides:**
-- [Check Reference](docs/check-reference.md) - All 18 checks with examples
+- [Check Reference](docs/check-reference.md) - All 19 checks with examples
 - [Configuration Guide](docs/configuration.md) - Customize checks and behavior
 - [GitHub Actions Guide](docs/github-actions-workflows.md) - CI/CD integration
 - [Python Library Guide](docs/python-library-usage.md) - Use as Python package
+- [Trust Policy Guide](examples/trust-policies/README.md) - Trust policy validation
 - [Contributing Guide](CONTRIBUTING.md) - How to contribute
 
 **Examples:**
-- [Configuration Examples](examples/configs/) - 9 config file templates
+- [Configuration Examples](examples/configs/) - 9+ config file templates
 - [Workflow Examples](examples/github-actions/) - GitHub Actions workflows
 - [Custom Checks](examples/custom_checks/) - Add your own validation rules
+- [Trust Policies](examples/trust-policies/) - Trust policy examples
 
 ## 🤝 Contributing
 

{iam_policy_validator-1.7.2.dist-info → iam_policy_validator-1.8.0.dist-info}/RECORD

@@ -1,58 +1,61 @@
 iam_validator/__init__.py,sha256=APnMR3Fu4fHhxfsHBvUM2dJIwazgvLKQbfOsSgFPidg,693
 iam_validator/__main__.py,sha256=to_nz3n_IerJpVVZZ6WSFlFR5s_06J0csfPOTfQZG8g,197
-iam_validator/__version__.py,sha256=0niAY6KgsXeeyFV5nTmvfvem16X3OTrO_DItEqsW74A,361
-iam_validator/checks/__init__.py,sha256=eDiDlVon0CwWGSBnZgM-arn1i5R5ZSG89pgR-ifETxE,1782
-iam_validator/checks/action_condition_enforcement.py,sha256=VhFEGbkcgkRwNRRuslvat5uib2tlH2Nr6sltbAQTs6I,36834
-iam_validator/checks/action_resource_matching.py,sha256=sk67jcDF1WzW4tPgcRSdTj4UBe2stALdwHx5ViVA9dU,19207
-iam_validator/checks/action_validation.py,sha256=IpxtTsk58f2zEZ-xzAoyHw4QK8BCRV43OffP-8ydf9E,2578
-iam_validator/checks/condition_key_validation.py,sha256=10XxTwIcr887CbgmN90jfRZabj5RHo08dGa8csM50Fo,3980
-iam_validator/checks/condition_type_mismatch.py,sha256=JyiAOyUZShzXZI8dgycL4oqwRkpJYUPwoGX4zigsi5I,10613
+iam_validator/__version__.py,sha256=3gyLuIf6oV1A2rFZSmXco3rdq2hmgGAYEB2we_Su_TU,361
+iam_validator/checks/__init__.py,sha256=OTkPnmlelu4YjMO8krjhu2wXiTV72RzopA5u1SfPQA0,1990
+iam_validator/checks/action_condition_enforcement.py,sha256=XztLhckc3Xc5RwxlMM2U2M81TNyt9M5xgBwn5fqHK1M,39141
+iam_validator/checks/action_resource_matching.py,sha256=BTrweeD1SNy9hcsfIDEN4L1E7oLNiVLyg-yerlZ5eC0,19356
+iam_validator/checks/action_validation.py,sha256=t8JPbvLiQb0Lx7SF_gruxehVgy0WU5uWppDJhhsSnI0,2580
+iam_validator/checks/condition_key_validation.py,sha256=VaOo1CLrMVRi23oUE1nMlKAgzNY9_jrnnEfGbdfF53g,3982
+iam_validator/checks/condition_type_mismatch.py,sha256=VK7KxkdeX2FmKWJUaZwJXSFQUxqtnqGj5sigOuhGCWo,10707
 iam_validator/checks/full_wildcard.py,sha256=ywD762BOV8WxFuTTARkaGMJn27f3ZZVuZUjKo8URnTc,2281
 iam_validator/checks/mfa_condition_check.py,sha256=YCBX3tFTQRmVTAed_W-Tu1b6WqD2LBYyom53P7lBjh4,4935
 iam_validator/checks/policy_size.py,sha256=ibgmrErpkz6OfUAN6bFuHe1KHzpzzra9gHwNtVAkPWc,5729
-iam_validator/checks/policy_type_validation.py,sha256=9qmrA8CXwsVpCU4rT0RrqDXgVOzNamMEpdg3cXWAtBI,15213
-iam_validator/checks/principal_validation.py,sha256=gTv_TqJDspGEX3iJkHXrw3DyKMJeyE33uQakZ0PjNoo,29969
-iam_validator/checks/resource_validation.py,sha256=fGi9QuX-lIHDtLm8xB3VReFFhbZpQ2Yub-FKRafQCkw,5984
-iam_validator/checks/sensitive_action.py,sha256=0vuhF1UkAH_vxhfHsC8xk68aJXHvI7c9KTLcJFNlnHM,9652
-iam_validator/checks/service_wildcard.py,sha256=1ynXLG6_82SIH8aHP88qQojJf38ZH0agnSmHp0VkZ98,4010
-iam_validator/checks/set_operator_validation.py,sha256=1XjOdf-xk-m6m1bODuHsELZccriGqOJTDI-HCcuId80,7464
-iam_validator/checks/sid_uniqueness.py,sha256=yWNHyy002aIHxJKtHeYpYds7bKgreL0BvQmRkI2UwvQ,6891
-iam_validator/checks/wildcard_action.py,sha256=f1QZ68eHzQwCTeYY_9UiYaMxUaq7XYia6DaBjIspZ2A,1972
-iam_validator/checks/wildcard_resource.py,sha256=GNpbk7WDExHG6Yqu4_gxeRCK6NUEL8TFjgbvaHgg7V0,5414
+iam_validator/checks/policy_structure.py,sha256=CQh1FsqVOFENAQe7mbyRzlIntjMs0gAwv6wUUqsdXqc,22636
+iam_validator/checks/policy_type_validation.py,sha256=8wnaCmvFb_q4ToqPR8B1exwFdwwqXYEf-Dw8YUgnj0s,15873
+iam_validator/checks/principal_validation.py,sha256=HYxcUtTWDvWh9AZbqtUSWrZOJrNGALRu1jrDydNF3xk,27895
+iam_validator/checks/resource_validation.py,sha256=8FAVPxAsralAPlao5GeJNSutqKC7DLWYZaI7CHhLs_E,6052
+iam_validator/checks/sensitive_action.py,sha256=1-Bumsk_fPHTCW0iRmIHaqMaQY-1uYI5vH2uO3YGvf0,9765
+iam_validator/checks/service_wildcard.py,sha256=brdm4cm7bOgpHB8jyAzGEGPQzoytaFIy5CgfUVgamv8,4012
+iam_validator/checks/set_operator_validation.py,sha256=AnOC7Ywd3tk7zdqNkQXAAdtsiCxKwVQ6pGsbpsopZfY,7465
+iam_validator/checks/sid_uniqueness.py,sha256=ZScVKa1RROhrY2uSOUSeeIK4xXNVzfnp9hn5Jr-TVHk,6984
+iam_validator/checks/trust_policy_validation.py,sha256=q3YFqMk3MYa4pEr1CPCCPvMcbv8-6rzT74EfsgZ6k0k,17880
+iam_validator/checks/wildcard_action.py,sha256=-yS4o2SgDRMEp_SA_kcwmmf6do0gWppkP1rpg7IP9Zg,2023
+iam_validator/checks/wildcard_resource.py,sha256=zsz7nfvvqnOYLMUfM1w7E46267Y4SrBF4x1Nvgg-B7U,5467
 iam_validator/checks/utils/__init__.py,sha256=j0X4ibUB6RGx2a-kNoJnlVZwHfoEvzZsIeTmJIAoFzA,45
 iam_validator/checks/utils/policy_level_checks.py,sha256=2V60C0zhKfsFPjQ-NMlD3EemtwA9S6-4no8nETgXdQE,5274
-iam_validator/checks/utils/sensitive_action_matcher.py,sha256=tcWK4nImpSVNia0FUsN2uLK9LM5EnzjRFtaPQLHZaLw,10667
-iam_validator/checks/utils/wildcard_expansion.py,sha256=fSSoquVdVZaVWS_qBxAx7LMOzxgHed4ffQ6OAZnuqos,3132
+iam_validator/checks/utils/sensitive_action_matcher.py,sha256=qDXcJa_2sCJu9pBbjDlI7x5lPtLRc6jQCpKPMheCOJQ,11215
+iam_validator/checks/utils/wildcard_expansion.py,sha256=JK8iYcYpOzi5RN4IvIMBCbzkCEhVRJxZDKLZIKgD8nY,3131
 iam_validator/commands/__init__.py,sha256=M-5bo8w0TCWydK0cXgJyPD2fmk8bpQs-3b26YbgLzlc,565
 iam_validator/commands/analyze.py,sha256=rvLBJ5_A3HB530xtixhaIsC19QON68olEQnn8TievgI,20784
 iam_validator/commands/base.py,sha256=5baCCMwxz7pdQ6XMpWfXFNz7i1l5dB8Qv9dKKR04Gzs,1074
 iam_validator/commands/cache.py,sha256=p4ucRVuh42sbK3Lk0b610L3ofAR5TnUreF00fpO6VFg,14219
 iam_validator/commands/download_services.py,sha256=KKz3ybMLT8DQUf9aFZ0tilJ-o1b6PE8Pf1pC4K6cT8I,9175
 iam_validator/commands/post_to_pr.py,sha256=CvUXs2xvO-UhluxdfNM6F0TCWD8hDBEOiYw60fm1Dms,2363
-iam_validator/commands/validate.py,sha256=2v91ogbEzKfjk2u6Y4NO0yvsCOwxi9jXoqD7acBbVTE,23624
-iam_validator/core/__init__.py,sha256=1FvJPMrbzJfS9YbRUJCshJLd5gzWwR9Fd_slS0Aq9c8,416
-iam_validator/core/access_analyzer.py,sha256=8GgkR-vCkCtSxtXGywvQNBPYq-rvDLexUuLSyflq0V4,24520
-iam_validator/core/access_analyzer_report.py,sha256=O17gagknvkNMTTlq7BrLM68FjlCEm4LjIKD9oqxEbPg,24860
-iam_validator/core/aws_fetcher.py,sha256=obTzxHD9pMsWo-SojSOeWyw2s2_St-LNgbmh5BGEM9c,41215
-iam_validator/core/check_registry.py,sha256=cMjtJROkZOLzXxl-mTdLYHdxyajNnOsaHGs-EeaSZ7k,21741
+iam_validator/commands/validate.py,sha256=hau8oPCNGya8gAUrvbhQxAlR4fhaGKzl7MQSryBgQfQ,23381
+iam_validator/core/__init__.py,sha256=JyeUUjuVsXFPkxLjsZ9omLPAFudWR-lQ_8oBX9jTY70,376
+iam_validator/core/access_analyzer.py,sha256=mtMaY-FnKjKEVITky_9ywZe1FaCAm61ElRv5Z_ZeC7E,24562
+iam_validator/core/access_analyzer_report.py,sha256=UMm2RNGj2rAKav1zsCw_htQZZRwRC0jjayd2zvKma1A,24896
+iam_validator/core/aws_fetcher.py,sha256=U9aE1kJ6HqJYYFpT8bq90dAAKGvmy8wKV6v_1aQCno4,41741
+iam_validator/core/check_registry.py,sha256=5hmhKiF45cenLYviGMAEhb08_Fqvu9PFxXzBmLEQuqk,22639
 iam_validator/core/cli.py,sha256=PkXiZjlgrQ21QustBbspefYsdbxst4gxoClyG2_HQR8,3843
 iam_validator/core/condition_validators.py,sha256=7zBjlcf2xGFKGbcFrXSLvWT5tFhWxoqwzhsJqS2E8uY,21524
 iam_validator/core/constants.py,sha256=H3eH0yddn5Dk-xZxJWtuvluRIpuXKYGiiteBSHPpJoI,5560
-iam_validator/core/models.py,sha256=55BCSqqJiAN96SFwK3tiTy6fhu6YBL6avKo8VpCpy2A,12766
-iam_validator/core/policy_checks.py,sha256=3UMLl8SQ4oJLTU1kwscvh7c7gpT5QtjITk_bJCJ_rzs,26616
-iam_validator/core/policy_loader.py,sha256=HVEnaXhQwrb9WbXpu0tn8SJBvHNW9UgDO6w4zLjLsu0,16776
+iam_validator/core/ignore_patterns.py,sha256=pZqDJBtkbck-85QK5eFPM5ZOPEKs3McRh3avqiCT5z0,10398
+iam_validator/core/models.py,sha256=f5d9ovtO1xMSwhyBrKIgc2psEq0eugnd3S3ioqurqEE,13242
+iam_validator/core/policy_checks.py,sha256=le1ovFm3qcgq3JG-L336h4nCSfol0PzL65RC3Beslwk,8520
+iam_validator/core/policy_loader.py,sha256=2KJnXzGg3g9pDXWZHk3DO0xpZnZZ-wXWFEOdQ_naJ8s,17862
 iam_validator/core/pr_commenter.py,sha256=MU-t7SfdHUpSc6BDbh8_dNAbxDiG-bZBCry-jUXivAc,15066
 iam_validator/core/report.py,sha256=kzSeWnT1LqWZVA5pqKKz-maVowXVj0djdoShfRhhpz4,35899
 iam_validator/core/config/__init__.py,sha256=CWSyIA7kEyzrskEenjYbs9Iih10BXRpiY9H2dHg61rU,2671
 iam_validator/core/config/aws_api.py,sha256=HLIzOItQ0A37wxHcgWck6ZFO0wmNY8JNTiWMMK6JKYU,1248
 iam_validator/core/config/aws_global_conditions.py,sha256=gdmMxXGBy95B3uYUG-J7rnM6Ixgc6L7Y9Pcd2XAMb60,7170
 iam_validator/core/config/category_suggestions.py,sha256=QlrYi4BTkxDSTlL7NZGE9BWN-atWetZ6XjkI9F_7YzI,4370
-iam_validator/core/config/condition_requirements.py,sha256=1PuADTB9pLqh-kNUGC7kSU6LMLtXMSc003tvI7qKeAY,5170
+iam_validator/core/config/condition_requirements.py,sha256=qauIP73HFnOw1dchUeFpg1x7Y7QWkILo3GfxV_dxdQo,7696
 iam_validator/core/config/config_loader.py,sha256=qKD8aR8YAswaFf68pnYJLFNwKznvcc6lNxSQWU3i6SY,17713
-iam_validator/core/config/defaults.py,sha256=mCOr_YgiRQp6fThtxrcjMtm-LPdZQbd6AS16gLzV17c,27589
+iam_validator/core/config/defaults.py,sha256=rWzDrlw0AAudtm_If6zjNFvruLg71jpLJEdRgKYSKMQ,27917
 iam_validator/core/config/principal_requirements.py,sha256=VCX7fBDgeDTJQyoz7_x7GI7Kf9O1Eu-sbihoHOrKv6o,15105
 iam_validator/core/config/sensitive_actions.py,sha256=uATDIp_TD3OQQlsYTZp79qd1mSK2Bf9hJ0JwcqLBr84,25344
-iam_validator/core/config/service_principals.py,sha256=gQSROsxUWBD6P2F9qP320UZV4lHGlsyvHSkMyy0njrU,2685
+iam_validator/core/config/service_principals.py,sha256=8pys5H_yycVJ9KTyimAKFYBg83Aol2Iri53wiHjtnEM,3959
 iam_validator/core/config/wildcards.py,sha256=H_v6hb-rZ0UUz4cul9lxkVI39e6knaK4Y-MbWz2Ebpw,3228
 iam_validator/core/formatters/__init__.py,sha256=fnCKAEBXItnOf2m4rhVs7zwMaTxbG6ESh3CF8V5j5ec,868
 iam_validator/core/formatters/base.py,sha256=SShDeDiy5mYQnS6BpA8xYg91N-KX1EObkOtlrVHqx1Q,4451
@@ -77,8 +80,8 @@ iam_validator/utils/__init__.py,sha256=NveA2F3G1E6-ANZzFr7J6Q6u5mogvMp862iFokmYu
 iam_validator/utils/cache.py,sha256=wOQKOBeoG6QqC5f0oXcHz63Cjtu_-SsSS-0pTSwyAiM,3254
 iam_validator/utils/regex.py,sha256=xHoMECttb7qaMhts-c9b0GIxdhHNZTt-UBr7wNhWfzg,6219
 iam_validator/utils/terminal.py,sha256=FsRaRMH_JAyDgXWBCOgOEhbS89cs17HCmKYoughq5io,724
-iam_policy_validator-1.7.2.dist-info/METADATA,sha256=fwySi0xxZPeiRTXyYfmp8YZPNyphy8HylBzhSXkNNG0,15244
-iam_policy_validator-1.7.2.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-iam_policy_validator-1.7.2.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
-iam_policy_validator-1.7.2.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
-iam_policy_validator-1.7.2.dist-info/RECORD,,
+iam_policy_validator-1.8.0.dist-info/METADATA,sha256=vccDFxkghziff8eO-K7hIVreQjE5gkLsWrIS5b61EwY,16174
+iam_policy_validator-1.8.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+iam_policy_validator-1.8.0.dist-info/entry_points.txt,sha256=8HtWd8O7mvPiPdZR5YbzY8or_qcqLM4-pKaFdhtFT8M,62
+iam_policy_validator-1.8.0.dist-info/licenses/LICENSE,sha256=AMnbFTBDcK4_MITe2wiQBkj0vg-jjBBhsc43ydC7tt4,1098
+iam_policy_validator-1.8.0.dist-info/RECORD,,

iam_validator/__version__.py

@@ -3,7 +3,7 @@
 This file is the single source of truth for the package version.
 """
 
-__version__ = "1.7.2"
+__version__ = "1.8.0"
 # Parse version, handling pre-release suffixes like -rc, -alpha, -beta
 _version_base = __version__.split("-")[0]  # Remove pre-release suffix if present
 __version_info__ = tuple(int(part) for part in _version_base.split("."))

iam_validator/checks/__init__.py

@@ -5,21 +5,21 @@ Built-in policy checks for IAM Policy Validator.
 from iam_validator.checks.action_condition_enforcement import (
     ActionConditionEnforcementCheck,
 )
-from iam_validator.checks.action_resource_matching import (
-    ActionResourceMatchingCheck,
-)
+from iam_validator.checks.action_resource_matching import ActionResourceMatchingCheck
 from iam_validator.checks.action_validation import ActionValidationCheck
 from iam_validator.checks.condition_key_validation import ConditionKeyValidationCheck
 from iam_validator.checks.condition_type_mismatch import ConditionTypeMismatchCheck
 from iam_validator.checks.full_wildcard import FullWildcardCheck
 from iam_validator.checks.mfa_condition_check import MFAConditionCheck
 from iam_validator.checks.policy_size import PolicySizeCheck
+from iam_validator.checks.policy_structure import PolicyStructureCheck
 from iam_validator.checks.principal_validation import PrincipalValidationCheck
 from iam_validator.checks.resource_validation import ResourceValidationCheck
 from iam_validator.checks.sensitive_action import SensitiveActionCheck
 from iam_validator.checks.service_wildcard import ServiceWildcardCheck
 from iam_validator.checks.set_operator_validation import SetOperatorValidationCheck
 from iam_validator.checks.sid_uniqueness import SidUniquenessCheck
+from iam_validator.checks.trust_policy_validation import TrustPolicyValidationCheck
 from iam_validator.checks.wildcard_action import WildcardActionCheck
 from iam_validator.checks.wildcard_resource import WildcardResourceCheck
 
@@ -32,12 +32,14 @@ __all__ = [
     "FullWildcardCheck",
     "MFAConditionCheck",
     "PolicySizeCheck",
+    "PolicyStructureCheck",
     "PrincipalValidationCheck",
     "ResourceValidationCheck",
     "SensitiveActionCheck",
     "ServiceWildcardCheck",
     "SetOperatorValidationCheck",
     "SidUniquenessCheck",
+    "TrustPolicyValidationCheck",
     "WildcardActionCheck",
     "WildcardResourceCheck",
 ]

iam_validator/checks/action_condition_enforcement.py

@@ -197,15 +197,16 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                 description = requirement.get("description", "These actions should not be used")
                 # Use per-requirement severity if specified, else use global
                 severity = requirement.get("severity", self.get_severity(config))
+                matching_actions_formatted = ", ".join(f"`{a}`" for a in matching_actions)
                 issues.append(
                     ValidationIssue(
                         severity=severity,
                         statement_sid=statement.sid,
                         statement_index=statement_idx,
                         issue_type="forbidden_action_present",
-                        message=f"FORBIDDEN: Actions {matching_actions} should not be used. {description}",
+                        message=f"FORBIDDEN: Actions {matching_actions_formatted} should not be used. {description}",
                         action=", ".join(matching_actions),
-                        suggestion=f"Remove these forbidden actions from the statement: {', '.join(matching_actions)}. {description}",
+                        suggestion=f"Remove these forbidden actions from the statement: {matching_actions_formatted}. {description}",
                         line_number=statement.line_number,
                     )
                 )
@@ -272,7 +273,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             # Collect all statements that match the action criteria
             matching_statements: list[tuple[int, Statement, list[str]]] = []
 
-            for idx, statement in enumerate(policy.statement):
+            for idx, statement in enumerate(policy.statement or []):
                 # Only check Allow statements
                 if statement.effect != "Allow":
                     continue
@@ -308,6 +309,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
                 # Use the first matching statement's index for the issue
                 first_idx, first_stmt, _ = matching_statements[0]
+                all_actions_formatted = ", ".join(f"`{a}`" for a in sorted(all_actions))
 
                 issues.append(
                     ValidationIssue(
@@ -315,7 +317,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                         statement_sid=first_stmt.sid,
                         statement_index=first_idx,
                         issue_type="policy_level_action_detected",
-                        message=f"POLICY-LEVEL: Actions {sorted(all_actions)} found in {len(matching_statements)} statement(s). {description}",
+                        message=f"POLICY-LEVEL: Actions {all_actions_formatted} found in {len(matching_statements)} statement(s). {description}",
                         action=", ".join(sorted(all_actions)),
                         suggestion=f"Review these statements: {', '.join(statement_refs)}. {description}",
                         line_number=first_stmt.line_number,
@@ -530,7 +532,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                     available_actions = list(service_detail.actions.keys())
 
                     # Find which actual AWS actions the wildcard would grant
-                    _, granted_actions = fetcher._match_wildcard_action(
+                    _, granted_actions = fetcher.match_wildcard_action(
                         statement_action.split(":", 1)[1],  # Just the action part (e.g., "C*")
                         available_actions,
                     )
@@ -545,7 +547,7 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             except re.error:
                                 continue
 
-                except (ValueError, Exception):
+                except (ValueError, Exception):  # pylint: disable=broad-exception-caught
                     # If we can't fetch the service or parse the action, fall back to prefix matching
                     stmt_prefix = statement_action.rstrip("*")
                     for pattern in patterns:
@@ -627,7 +629,20 @@ class ActionConditionEnforcementCheck(PolicyCheck):
 
                 if not any_present:
                     # Create a combined error for any_of
-                    condition_keys = [cond.get("condition_key", "unknown") for cond in any_of]
+                    # Handle both simple conditions and nested all_of
+                    condition_keys = []
+                    for cond in any_of:
+                        if "all_of" in cond:
+                            # Nested all_of - collect all condition keys
+                            nested_keys = [
+                                c.get("condition_key", "unknown") for c in cond["all_of"]
+                            ]
+                            condition_keys.append(f"({' + '.join(f'`{k}`' for k in nested_keys)})")
+                        else:
+                            # Simple condition
+                            condition_keys.append(f"`{cond.get('condition_key', 'unknown')}`")
+                    condition_keys_formatted = " OR ".join(condition_keys)
+                    matching_actions_formatted = ", ".join(f"`{a}`" for a in matching_actions)
                     issues.append(
                         ValidationIssue(
                             severity=self.get_severity(config),
@@ -635,8 +650,8 @@ class ActionConditionEnforcementCheck(PolicyCheck):
                             statement_index=statement_idx,
                             issue_type="missing_required_condition_any_of",
                             message=(
-                                f"Actions {matching_actions} require at least ONE of these conditions: "
-                                f"{', '.join(condition_keys)}"
+                                f"Actions `{matching_actions_formatted}` require at least ONE of these conditions: "
+                                f"{condition_keys_formatted}"
                             ),
                             action=", ".join(matching_actions),
                             suggestion=self._build_any_of_suggestion(any_of),
@@ -773,12 +788,13 @@ class ActionConditionEnforcementCheck(PolicyCheck):
             condition_key, description, example, expected_value, operator
         )
 
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_required_condition",
-            message=f"{message_prefix} Action(s) {matching_actions} require condition '{condition_key}'",
+            message=f"{message_prefix} Action(s) `{matching_actions_str}` require condition `{condition_key}`",
             action=", ".join(matching_actions),
             condition_key=condition_key,
             suggestion=suggestion_text,
@@ -843,15 +859,38 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         suggestions.append("Add at least ONE of these conditions:")
 
         for i, cond in enumerate(any_of_conditions, 1):
-            condition_key = cond.get("condition_key", "unknown")
-            description = cond.get("description", "")
-            expected_value = cond.get("expected_value")
+            # Handle nested all_of blocks
+            if "all_of" in cond:
+                # Nested all_of - show all required conditions together
+                all_of_list = cond["all_of"]
+                condition_keys = [c.get("condition_key", "unknown") for c in all_of_list]
+                condition_keys_formatted = " + ".join(f"`{k}`" for k in condition_keys)
+
+                option = f"\n- **Option {i}**: {condition_keys_formatted} (both required)"
+
+                # Use description from first condition or combine them
+                descriptions = [
+                    c.get("description", "") for c in all_of_list if c.get("description")
+                ]
+                if descriptions:
+                    option += f" - {descriptions[0]}"
+
+                # Show example from first condition that has one
+                for c in all_of_list:
+                    if c.get("example"):
+                        # Example will be shown separately, just note it's available
+                        break
+            else:
+                # Simple condition (original behavior)
+                condition_key = cond.get("condition_key", "unknown")
+                description = cond.get("description", "")
+                expected_value = cond.get("expected_value")
 
-            option = f"\nOption {i}: {condition_key}"
-            if description:
-                option += f" - {description}"
-            if expected_value is not None:
-                option += f" (value: {expected_value})"
+                option = f"\n- **Option {i}**: `{condition_key}`"
+                if description:
+                    option += f" - {description}"
+                if expected_value is not None:
+                    option += f" (value: `{expected_value}`)"
 
             suggestions.append(option)
 
@@ -870,13 +909,12 @@ class ActionConditionEnforcementCheck(PolicyCheck):
         description = condition_requirement.get("description", "")
         expected_value = condition_requirement.get("expected_value")
 
-        message = (
-            f"FORBIDDEN: Action(s) {matching_actions} must NOT have condition '{condition_key}'"
-        )
+        matching_actions_str = ", ".join(f"`{a}`" for a in matching_actions)
+        message = f"FORBIDDEN: Action(s) `{matching_actions_str}` must NOT have condition `{condition_key}`"
         if expected_value is not None:
-            message += f" with value '{expected_value}'"
+            message += f" with value `{expected_value}`"
 
-        suggestion = f"Remove the '{condition_key}' condition from the statement"
+        suggestion = f"Remove the `{condition_key}` condition from the statement"
         if description:
             suggestion += f". {description}"
 

iam_validator/checks/action_resource_matching.py

@@ -88,6 +88,10 @@ class ActionResourceMatchingCheck(PolicyCheck):
         statement_sid = statement.sid
         line_number = statement.line_number
 
+        # Skip if no resources to validate (e.g., trust policies don't have Resource field)
+        if not resources:
+            return issues
+
         # Skip if we have a wildcard resource (handled by other checks)
         if "*" in resources:
             return issues
@@ -289,9 +293,9 @@ class ActionResourceMatchingCheck(PolicyCheck):
         # Special case: Wildcard resource
         if required_format == "*":
             return (
-                f'Action `{action}` can only use Resource: "*" (wildcard).\n'
+                f'Action `{action}` can only use Resource: `"*"` (wildcard).\n'
                 f"  This action does not support resource-level permissions.\n"
-                f'  Example: "Resource": "*"'
+                f'  Example: "Resource": `"*"`'
             )
 
         # Build service-specific suggestion with proper markdown formatting

iam_validator/checks/action_validation.py

@@ -63,7 +63,7 @@ class ActionValidationCheck(PolicyCheck):
                         statement_sid=statement_sid,
                         statement_index=statement_idx,
                         issue_type="invalid_action",
-                        message=error_msg or f"Invalid action: {action}",
+                        message=error_msg or f"Invalid action: `{action}`",
                         action=action,
                         line_number=line_number,
                     )

iam_validator/checks/condition_key_validation.py

@@ -62,7 +62,7 @@ class ConditionKeyValidationCheck(PolicyCheck):
                                 statement_index=statement_idx,
                                 issue_type="invalid_condition_key",
                                 message=result.error_message
-                                or f"Invalid condition key: {condition_key}",
+                                or f"Invalid condition key: `{condition_key}`",
                                 action=action,
                                 condition_key=condition_key,
                                 line_number=line_number,

iam_validator/checks/condition_type_mismatch.py

@@ -72,7 +72,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
         # Check each condition operator and its keys/values
         for operator, conditions in statement.condition.items():
             # Normalize the operator and get its expected type
-            base_operator, operator_type, set_prefix = normalize_operator(operator)
+            base_operator, operator_type, _set_prefix = normalize_operator(operator)
 
             if operator_type is None:
                 # Unknown operator - this will be caught by another check
@@ -108,7 +108,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                             severity="warning",
                             message=(
                                 f"Type mismatch (usable but not recommended): Operator `{operator}` expects "
-                                f"{operator_type} values, but condition key `{condition_key}` is type {key_type}. "
+                                f"`{operator_type}` values, but condition key `{condition_key}` is type `{key_type}`. "
                                 f"Consider using an ARN-specific operator like ArnEquals or ArnLike instead."
                             ),
                             statement_sid=statement_sid,
@@ -123,8 +123,8 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                         ValidationIssue(
                             severity=self.get_severity(config),
                             message=(
-                                f"Type mismatch: Operator `{operator}` expects {operator_type} values, "
-                                f"but condition key `{condition_key}` is type {key_type}."
+                                f"Type mismatch: Operator `{operator}` expects `{operator_type}` values, "
+                                f"but condition key `{condition_key}` is type `{key_type}`."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -172,7 +172,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
         Returns:
             Type string or None if not found
         """
-        from iam_validator.core.config.aws_global_conditions import (
+        from iam_validator.core.config.aws_global_conditions import (  # pylint: disable=import-outside-toplevel
             get_global_conditions,
         )
 
@@ -229,7 +229,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                                         if condition_key_obj.types:
                                             return condition_key_obj.types[0]
 
-            except Exception:
+            except Exception:  # pylint: disable=broad-exception-caught
                 # If we can't look up the action, skip it
                 continue