iam-policy-validator 1.8.0__py3-none-any.whl → 1.10.0__py3-none-any.whl

iam_validator/checks/action_resource_matching.py

@@ -22,8 +22,9 @@ Example:
 """
 
 import re
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 from iam_validator.sdk.arn_matching import (
@@ -42,17 +43,9 @@ class ActionResourceMatchingCheck(PolicyCheck):
     work as intended because the resource ARNs don't match what the action requires.
     """
 
-    @property
-    def check_id(self) -> str:
-        return "action_resource_matching"
-
-    @property
-    def description(self) -> str:
-        return "Validates that resources match required types for actions"
-
-    @property
-    def default_severity(self) -> str:
-        return "medium"  # Security issue, not IAM validity error
+    check_id: ClassVar[str] = "action_resource_matching"
+    description: ClassVar[str] = "Validates that resources match required types for actions"
+    default_severity: ClassVar[str] = "medium"  # Security issue, not IAM validity error
 
     async def execute(
         self,
@@ -139,7 +132,7 @@ class ActionResourceMatchingCheck(PolicyCheck):
                             statement_sid=statement_sid,
                             line_number=line_number,
                             config=config,
-                            reason=f'Action {action} can only use Resource: "*"',
+                            reason=f'Action `{action}` can only use `Resource: "*"`',
                         )
                     )
                 continue
@@ -293,9 +286,9 @@ class ActionResourceMatchingCheck(PolicyCheck):
         # Special case: Wildcard resource
         if required_format == "*":
             return (
-                f'Action `{action}` can only use Resource: `"*"` (wildcard).\n'
+                f'Action `{action}` can only use `Resource: "*"` (wildcard).\n'
                 f"  This action does not support resource-level permissions.\n"
-                f'  Example: "Resource": `"*"`'
+                f'  Example: `"Resource": "*"`'
             )
 
         # Build service-specific suggestion with proper markdown formatting

iam_validator/checks/action_validation.py

@@ -9,7 +9,9 @@ validations. However, it can be useful in environments where Access Analyzer is
 not available or for pre-deployment policy validation to catch errors early.
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -17,17 +19,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ActionValidationCheck(PolicyCheck):
     """Validates that IAM actions exist in AWS services."""
 
-    @property
-    def check_id(self) -> str:
-        return "action_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates that actions exist in AWS service definitions"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
+    check_id: ClassVar[str] = "action_validation"
+    description: ClassVar[str] = "Validates that actions exist in AWS service definitions"
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,

iam_validator/checks/condition_key_validation.py

@@ -1,6 +1,8 @@
 """Condition key validation check - validates condition keys against AWS definitions."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ConditionKeyValidationCheck(PolicyCheck):
     """Validates condition keys against AWS service definitions and global keys."""
 
-    @property
-    def check_id(self) -> str:
-        return "condition_key_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates condition keys against AWS service definitions"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"  # Invalid condition keys are IAM policy errors
+    check_id: ClassVar[str] = "condition_key_validation"
+    description: ClassVar[str] = "Validates condition keys against AWS service definitions"
+    default_severity: ClassVar[str] = "error"  # Invalid condition keys are IAM policy errors
 
     async def execute(
         self,

iam_validator/checks/condition_type_mismatch.py

@@ -3,7 +3,9 @@
 Validates that condition operators match the expected types for condition keys and values.
 """
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.condition_validators import (
     normalize_operator,
@@ -16,20 +18,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class ConditionTypeMismatchCheck(PolicyCheck):
     """Check for type mismatches between operators, keys, and values."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "condition_type_mismatch"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Validates condition operator types match key types and value formats"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "error"
+    check_id: ClassVar[str] = "condition_type_mismatch"
+    description: ClassVar[str] = (
+        "Validates condition operator types match key types and value formats"
+    )
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,
@@ -109,7 +102,7 @@ class ConditionTypeMismatchCheck(PolicyCheck):
                             message=(
                                 f"Type mismatch (usable but not recommended): Operator `{operator}` expects "
                                 f"`{operator_type}` values, but condition key `{condition_key}` is type `{key_type}`. "
-                                f"Consider using an ARN-specific operator like ArnEquals or ArnLike instead."
+                                f"Consider using an ARN-specific operator like `ArnEquals` or `ArnLike` instead."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,

iam_validator/checks/full_wildcard.py

@@ -1,6 +1,8 @@
 """Full wildcard check - detects Action: '*' AND Resource: '*' together (critical security risk)."""
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from typing import ClassVar
+
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -8,17 +10,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class FullWildcardCheck(PolicyCheck):
     """Checks for both Action: '*' AND Resource: '*' which grants full administrative access."""
 
-    @property
-    def check_id(self) -> str:
-        return "full_wildcard"
-
-    @property
-    def description(self) -> str:
-        return "Checks for both action and resource wildcards together (critical risk)"
-
-    @property
-    def default_severity(self) -> str:
-        return "critical"
+    check_id: ClassVar[str] = "full_wildcard"
+    description: ClassVar[str] = (
+        "Checks for both action and resource wildcards together (critical risk)"
+    )
+    default_severity: ClassVar[str] = "critical"
 
     async def execute(
         self,
@@ -41,7 +37,7 @@ class FullWildcardCheck(PolicyCheck):
         if "*" in actions and "*" in resources:
             message = config.config.get(
                 "message",
-                "Statement allows all actions on all resources - CRITICAL SECURITY RISK",
+                "Statement allows all actions on all resources - **CRITICAL SECURITY RISK**",
             )
             suggestion = config.config.get(
                 "suggestion",

iam_validator/checks/mfa_condition_check.py

@@ -3,6 +3,8 @@
 Detects dangerous MFA-related condition patterns that may not enforce MFA as intended.
 """
 
+from typing import ClassVar
+
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.models import Statement, ValidationIssue
 
@@ -10,20 +12,9 @@ from iam_validator.core.models import Statement, ValidationIssue
 class MFAConditionCheck(PolicyCheck):
     """Check for MFA condition anti-patterns."""
 
-    @property
-    def check_id(self) -> str:
-        """Unique identifier for this check."""
-        return "mfa_condition_antipattern"
-
-    @property
-    def description(self) -> str:
-        """Description of what this check does."""
-        return "Detects dangerous MFA-related condition patterns"
-
-    @property
-    def default_severity(self) -> str:
-        """Default severity level for issues found by this check."""
-        return "warning"
+    check_id: ClassVar[str] = "mfa_condition_antipattern"
+    description: ClassVar[str] = "Detects dangerous MFA-related condition patterns"
+    default_severity: ClassVar[str] = "warning"
 
     async def execute(
         self, statement: Statement, statement_idx: int, fetcher, config: CheckConfig
@@ -73,8 +64,8 @@ class MFAConditionCheck(PolicyCheck):
                                 "**Dangerous MFA condition pattern detected.** "
                                 'Using `{"Bool": {"aws:MultiFactorAuthPresent": "false"}}` does not enforce MFA '
                                 "because `aws:MultiFactorAuthPresent` may not exist in the request context. "
-                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement, '
-                                "or use `BoolIfExists` in a Deny statement."
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement, '
+                                "or use `BoolIfExists` in a `Deny` statement."
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,
@@ -100,7 +91,7 @@ class MFAConditionCheck(PolicyCheck):
                                 "**Dangerous MFA condition pattern detected.** "
                                 'Using `{"Null": {"aws:MultiFactorAuthPresent": "false"}}` only checks if the key exists, '
                                 "not whether MFA was actually used. This does not enforce MFA. "
-                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an Allow statement instead.'
+                                'Consider using `{"Bool": {"aws:MultiFactorAuthPresent": "true"}}` in an `Allow` statement instead.'
                             ),
                             statement_sid=statement_sid,
                             statement_index=statement_idx,

iam_validator/checks/policy_size.py

@@ -12,12 +12,12 @@ Note: AWS does not count whitespace when calculating policy size.
 
 import json
 import re
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.constants import AWS_POLICY_SIZE_LIMITS
-from iam_validator.core.models import Statement, ValidationIssue
+from iam_validator.core.models import ValidationIssue
 
 if TYPE_CHECKING:
     from iam_validator.core.models import IAMPolicy
@@ -29,42 +29,9 @@ class PolicySizeCheck(PolicyCheck):
     # AWS IAM policy size limits (loaded from constants module)
     DEFAULT_LIMITS = AWS_POLICY_SIZE_LIMITS
 
-    @property
-    def check_id(self) -> str:
-        return "policy_size"
-
-    @property
-    def description(self) -> str:
-        return "Validates that IAM policies don't exceed AWS size limits"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
-
-    async def execute(
-        self,
-        statement: Statement,
-        statement_idx: int,
-        fetcher: AWSServiceFetcher,
-        config: CheckConfig,
-    ) -> list[ValidationIssue]:
-        """Execute the policy size check at statement level.
-
-        This is a policy-level check, so statement-level execution returns empty.
-        The actual check runs in execute_policy() which has access to the full policy.
-
-        Args:
-            statement: The IAM policy statement (unused)
-            statement_idx: Index of the statement in the policy (unused)
-            fetcher: AWS service fetcher (unused for this check)
-            config: Configuration for this check instance (unused)
-
-        Returns:
-            Empty list (actual check runs in execute_policy())
-        """
-        del statement, statement_idx, fetcher, config  # Unused
-        # This is a policy-level check - execution happens in execute_policy()
-        return []
+    check_id: ClassVar[str] = "policy_size"
+    description: ClassVar[str] = "Validates that IAM policies don't exceed AWS size limits"
+    default_severity: ClassVar[str] = "error"
 
     async def execute_policy(
         self,

iam_validator/checks/policy_structure.py

@@ -20,11 +20,11 @@ By detecting these issues early, we can:
 """
 
 import re
-from typing import Any
+from typing import Any, ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
-from iam_validator.core.models import IAMPolicy, PolicyType, Statement, ValidationIssue
+from iam_validator.core.models import IAMPolicy, PolicyType, ValidationIssue
 
 # Valid statement fields according to AWS IAM policy grammar
 # https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
@@ -350,7 +350,7 @@ def validate_statement_structure(
                 statement_index=statement_idx,
                 issue_type="missing_effect",
                 message="`Statement` is missing the required `Effect` field",
-                suggestion="Add an Effect field with value `Allow` or `Deny`",
+                suggestion="Add an `Effect` field with value `Allow` or `Deny`",
                 example='"Effect": "Allow"',
             )
         )
@@ -362,7 +362,7 @@ def validate_statement_structure(
                 statement_index=statement_idx,
                 issue_type="invalid_effect",
                 message=f"Invalid `Effect` value: `{statement_dict['Effect']}`. Must be `Allow` or `Deny`",
-                suggestion="Change Effect to either `Allow` or `Deny`",
+                suggestion="Change `Effect` to either `Allow` or `Deny`",
                 example='"Effect": "Allow"',
             )
         )
@@ -488,41 +488,11 @@ class PolicyStructureCheck(PolicyCheck):
     issues early.
     """
 
-    @property
-    def check_id(self) -> str:
-        return "policy_structure"
-
-    @property
-    def description(self) -> str:
-        return "Validates fundamental IAM policy structure (required fields, field conflicts, valid values)"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
-
-    async def execute(
-        self,
-        statement: Statement,
-        statement_idx: int,
-        fetcher: AWSServiceFetcher,
-        config: CheckConfig,
-    ) -> list[ValidationIssue]:
-        """Execute at statement level.
-
-        This is a policy-level check, so statement-level execution returns empty.
-        The actual check runs in execute_policy() which has access to all statements.
-
-        Args:
-            statement: The IAM policy statement (unused)
-            statement_idx: Index of the statement in the policy (unused)
-            fetcher: AWS service fetcher (unused)
-            config: Check configuration (unused)
-
-        Returns:
-            Empty list (actual check runs in execute_policy())
-        """
-        del statement, statement_idx, fetcher, config  # Unused
-        return []
+    check_id: ClassVar[str] = "policy_structure"
+    description: ClassVar[str] = (
+        "Validates fundamental IAM policy structure (required fields, field conflicts, valid values)"
+    )
+    default_severity: ClassVar[str] = "error"
 
     async def execute_policy(
         self,

iam_validator/checks/policy_type_validation.py

@@ -11,6 +11,7 @@ This check runs automatically based on:
 2. Auto-detection: If any statement has a Principal, provides helpful guidance
 """
 
+from iam_validator.core.constants import RCP_SUPPORTED_SERVICES
 from iam_validator.core.models import IAMPolicy, ValidationIssue
 
 
@@ -47,12 +48,12 @@ async def execute_policy(
         if is_trust_policy(policy):
             hint_msg = (
                 "Policy contains assume role actions - this is a TRUST POLICY. "
-                "Use --policy-type TRUST_POLICY for proper validation (suppresses missing Resource warnings, "
+                "Use `--policy-type TRUST_POLICY` for proper validation (suppresses missing Resource warnings, "
                 "enables trust-specific validation)"
             )
             suggestion_msg = "iam-validator validate --path <file> --policy-type TRUST_POLICY"
         else:
-            hint_msg = "Policy contains Principal element - this suggests it's a RESOURCE POLICY. Use --policy-type RESOURCE_POLICY"
+            hint_msg = "Policy contains Principal element - this suggests it's a RESOURCE POLICY. Use `--policy-type RESOURCE_POLICY`"
             suggestion_msg = "iam-validator validate --path <file> --policy-type RESOURCE_POLICY"
 
         issues.append(
@@ -164,8 +165,8 @@ async def execute_policy(
 
     # Resource Control Policies (RCPs) have very strict requirements
     elif policy_type == "RESOURCE_CONTROL_POLICY":
-        # RCP supported services (as of 2025)
-        rcp_supported_services = {"s3", "sts", "sqs", "secretsmanager", "kms"}
+        # Use the centralized list of RCP supported services from constants
+        rcp_supported_services = RCP_SUPPORTED_SERVICES
 
         for idx, statement in enumerate(policy.statement):
             # 1. Effect MUST be Deny (only RCPFullAWSAccess can use Allow)
@@ -174,13 +175,13 @@ async def execute_policy(
                     ValidationIssue(
                         severity="error",
                         issue_type="invalid_rcp_effect",
-                        message="Resource Control Policy statement must have Effect: Deny. "
-                        "For RCPs that you create, the Effect value must be 'Deny'. "
-                        "Only the AWS-managed RCPFullAWSAccess policy can use 'Allow'.",
+                        message="Resource Control Policy statement must have `Effect: Deny`. "
+                        "For RCPs that you create, the `Effect` value must be `Deny`. "
+                        "Only the AWS-managed `RCPFullAWSAccess` policy can use `Allow`.",
                         statement_index=idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
-                        suggestion='Change the Effect to "Deny" for this RCP statement.',
+                        suggestion="Change the `Effect` to `Deny` for this RCP statement.",
                     )
                 )
 
@@ -194,13 +195,12 @@ async def execute_policy(
                         severity="error",
                         issue_type="invalid_rcp_not_principal",
                         message="Resource Control Policy must not contain `NotPrincipal` element. "
-                        "RCPs only support Principal with value '*'. Use Condition elements "
+                        "RCPs only support `Principal` with value `*`. Use `Condition` elements "
                         "to restrict specific principals.",
                         statement_index=idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
-                        suggestion="Remove NotPrincipal and use Principal: '*' with Condition "
-                        "elements to restrict access.",
+                        suggestion='Remove `NotPrincipal` and use `Principal: "*"` with `Condition` elements to restrict access.',
                     )
                 )
             elif not has_principal:
@@ -208,8 +208,8 @@ async def execute_policy(
                     ValidationIssue(
                         severity="error",
                         issue_type="missing_rcp_principal",
-                        message="Resource Control Policy statement must have `Principal`: '*'. "
-                        "RCPs require the `Principal` element with value '*'. Use `Condition` "
+                        message='Resource Control Policy statement must have `Principal: "*"`. '
+                        'RCPs require the `Principal` element with value `"*"`. Use `Condition` '
                         "elements to restrict specific principals.",
                         statement_index=idx,
                         statement_sid=statement.sid,
@@ -257,7 +257,7 @@ async def execute_policy(
                                     statement_sid=statement.sid,
                                     line_number=statement.line_number,
                                     suggestion="Replace `*` with service-specific actions from supported "
-                                    f"services: {', '.join(sorted(rcp_supported_services))}",
+                                    f"services: {', '.join(f'`{a}`' for a in sorted(rcp_supported_services))}",
                                 )
                             )
                         else:
@@ -275,13 +275,13 @@ async def execute_policy(
                             severity="error",
                             issue_type="unsupported_rcp_service",
                             message=f"Resource Control Policy contains actions from unsupported services: "
-                            f"{', '.join(unsupported_actions)}. RCPs only support these services: "
-                            f"{', '.join(sorted(rcp_supported_services))}",
+                            f"{', '.join(f'`{a}`' for a in unsupported_actions)}. RCPs only support these services: "
+                            f"{', '.join(f'`{a}`' for a in sorted(rcp_supported_services))}",
                             statement_index=idx,
                             statement_sid=statement.sid,
                             line_number=statement.line_number,
                             suggestion=f"Use only actions from supported RCP services: "
-                            f"{', '.join(sorted(rcp_supported_services))}",
+                            f"{', '.join(f'`{a}`' for a in sorted(rcp_supported_services))}",
                         )
                     )
 
@@ -296,8 +296,7 @@ async def execute_policy(
                         statement_index=idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
-                        suggestion="Replace `NotAction` with `Action` element listing the specific "
-                        "actions to deny.",
+                        suggestion="Replace `NotAction` with `Action` element listing the specific actions to deny.",
                     )
                 )
 

iam_validator/checks/principal_validation.py

@@ -35,9 +35,9 @@ Supports: any_of, all_of, none_of, and expected_value (single value or list)
 """
 
 import fnmatch
-from typing import Any
+from typing import Any, ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.config.service_principals import is_aws_service_principal
 from iam_validator.core.models import Statement, ValidationIssue
@@ -46,17 +46,11 @@ from iam_validator.core.models import Statement, ValidationIssue
 class PrincipalValidationCheck(PolicyCheck):
     """Validates Principal elements in resource policies."""
 
-    @property
-    def check_id(self) -> str:
-        return "principal_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates Principal elements in resource policies for security best practices"
-
-    @property
-    def default_severity(self) -> str:
-        return "high"
+    check_id: ClassVar[str] = "principal_validation"
+    description: ClassVar[str] = (
+        "Validates Principal elements in resource policies for security best practices"
+    )
+    default_severity: ClassVar[str] = "high"
 
     async def execute(
         self,
@@ -122,7 +116,7 @@ class PrincipalValidationCheck(PolicyCheck):
                         severity=self.get_severity(config),
                         issue_type="unauthorized_principal",
                         message=f"`Principal` not in allowed list: `{principal}`. "
-                        f"Only principals in the `allowed_principals` whitelist are permitted.",
+                        f"Only principals in the `allowed_principals` allow-list are permitted.",
                         statement_index=statement_idx,
                         statement_sid=statement.sid,
                         line_number=statement.line_number,
@@ -401,7 +395,6 @@ class PrincipalValidationCheck(PolicyCheck):
                     # Create a combined error for any_of
                     condition_keys = [cond.get("condition_key", "unknown") for cond in any_of]
                     severity = requirement.get("severity", self.get_severity(config))
-                    matching_principals_str = ", ".join(f"`{p}`" for p in matching_principals)
                     issues.append(
                         ValidationIssue(
                             severity=severity,
@@ -409,7 +402,7 @@ class PrincipalValidationCheck(PolicyCheck):
                             statement_index=statement_idx,
                             issue_type="missing_principal_condition_any_of",
                             message=(
-                                f"`Principal`s `{matching_principals_str}` require at least ONE of these conditions: "
+                                f"`Principal`s `{', '.join(f'`{p}`' for p in matching_principals)}` require at least ONE of these conditions: "
                                 f"{', '.join(f'`{c}`' for c in condition_keys)}"
                             ),
                             suggestion=self._build_any_of_suggestion(any_of),
@@ -566,14 +559,12 @@ class PrincipalValidationCheck(PolicyCheck):
             condition_key, description, example, expected_value, operator
         )
 
-        matching_principals_formatted = ", ".join(f"`{p}`" for p in matching_principals)
-
         return ValidationIssue(
             severity=severity,
             statement_sid=statement.sid,
             statement_index=statement_idx,
             issue_type="missing_principal_condition",
-            message=f"{message_prefix} Principal(s) {matching_principals_formatted} require condition `{condition_key}`",
+            message=f"{message_prefix} Principal(s) {', '.join(f'`{p}`' for p in matching_principals)} require condition `{condition_key}`",
             suggestion=suggestion_text,
             example=example_code,
             line_number=statement.line_number,
@@ -599,7 +590,7 @@ class PrincipalValidationCheck(PolicyCheck):
         Returns:
             Tuple of (suggestion_text, example_code)
         """
-        suggestion = description if description else f"Add condition: {condition_key}"
+        suggestion = description if description else f"Add condition: `{condition_key}`"
 
         # Build example based on condition key type
         if example:

iam_validator/checks/resource_validation.py

@@ -1,8 +1,9 @@
 """Resource validation check - validates ARN formats."""
 
 import re
+from typing import ClassVar
 
-from iam_validator.core.aws_fetcher import AWSServiceFetcher
+from iam_validator.core.aws_service import AWSServiceFetcher
 from iam_validator.core.check_registry import CheckConfig, PolicyCheck
 from iam_validator.core.constants import DEFAULT_ARN_VALIDATION_PATTERN, MAX_ARN_LENGTH
 from iam_validator.core.models import Statement, ValidationIssue
@@ -15,17 +16,9 @@ from iam_validator.sdk.arn_matching import (
 class ResourceValidationCheck(PolicyCheck):
     """Validates ARN format for resources."""
 
-    @property
-    def check_id(self) -> str:
-        return "resource_validation"
-
-    @property
-    def description(self) -> str:
-        return "Validates ARN format for resources"
-
-    @property
-    def default_severity(self) -> str:
-        return "error"
+    check_id: ClassVar[str] = "resource_validation"
+    description: ClassVar[str] = "Validates ARN format for resources"
+    default_severity: ClassVar[str] = "error"
 
     async def execute(
         self,