Validate policies with IAM Access Analyzer - Amazon Identity and Access Management
Validating policies in IAM (console)Validating policies using IAM Access Analyzer (Amazon CLI or Amazon API)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Validate policies with IAM Access Analyzer

You can validate your policies using Amazon Identity and Access Management Access Analyzer policy validation. You can create or edit a policy using the Amazon CLI, Amazon API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM policy grammar and Amazon best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To view a list of the basic policy checks that are run by IAM Access Analyzer, see IAM policy validation check reference.

Validating policies in IAM (console)

You can view findings generated by IAM Access Analyzer policy validation when you create or edit a managed policy in the IAM console. You can also view these findings for inline user or role policies. IAM Access Analyzer does not generate these findings for inline group policies.

To view findings generated by policy checks for IAM JSON policies

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Begin creating or editing a policy using one of the following methods:

    1. To create a new managed policy, go to the Policies page and create a new policy. For more information, see Creating policies using the JSON editor.

    2. To view policy checks for an existing customer managed policy, go the Policies page, choose the name of a policy, and then choose Edit. For more information, see Editing customer managed policies (console).

    3. To view policy checks for an inline policy on a user or role, go the Users or Roles page, choose the name of a user or role, choose the name of the policy on the Permissions tab and then choose Edit. For more information, see Editing inline policies (console).

  3. In the policy editor, choose the JSON tab.

  4. In the policy validation pane below the policy, choose one or more of the following tabs. The tab names also indicate the number of each finding type for your policy.

    • Security – View warnings if your policy allows access that Amazon considers a security risk because the access is overly permissive.

    • Errors – View errors if your policy includes lines that prevent the policy from functioning.

    • Warnings – View warnings if your policy doesn't conform to best practices, but the issues are not security risks.

    • Suggestions – View suggestions if Amazon recommends improvements that don't impact the permissions of the policy.

  5. Review the finding details provided by the IAM Access Analyzer policy check. Each finding indicates the location of the reported issue. To learn more about what causes the issue and how to resolve it, choose the Learn more link next to the finding. You can also search for the policy check associated with each finding in the Access Analyzer policy checks reference page.

  6. Optional. If you are editing an existing policy, you can run a custom policy check to determine whether your updated policy grants new access compared to the existing version. In the policy validation pane below the policy, choose the Check for new access tab and then choose Check policy. If the modified permissions grant new access, the statement will be highlighted in the policy validation pane. If you do not intend to grant new access, update the policy statement and choose Check policy until no new access is detected. For more information, see Validate policies with IAM Access Analyzer custom policy checks.

    Note

    A charge is associated with each check for new access. For more details on pricing, see IAM Access Analyzer pricing.

  7. Update your policy to resolve the findings.

    Important

    Test new or edited policies thoroughly before implementing them in your production workflow.

  8. When you are finished, choose Next. The Policy validator reports any syntax errors that are not reported by IAM Access Analyzer.

    Note

    You can switch between the Visual and JSON tabs anytime. However, if you make changes or choose Next in the Visual tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

  9. For new policies, on the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review the Permissions defined in this policy to see the permissions that are granted by your policy. Then choose Create policy to save your work.

    For existing policies, on the Review and save page, review the Permissions defined in this policy to see the permissions that are granted by your policy. Choose the Set this new version as the default. checkbox to save the updated version as the default version of the policy. Then choose Save changes to save your work.

Validating policies using IAM Access Analyzer (Amazon CLI or Amazon API)

You can view findings generated by IAM Access Analyzer policy validation from the Amazon Command Line Interface (Amazon CLI).

To view findings generated by IAM Access Analyzer policy validation (Amazon CLI or Amazon API)

Use one of the following: