IAM Access Analyzer policy validation - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Access Analyzer policy validation

You can validate your policies using Amazon Identity and Access Management Access Analyzer policy validation. You can create or edit a policy using the Amazon CLI, Amazon API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM policy grammar and Amazon best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To view a list of the basic policy checks that are run by IAM Access Analyzer, see Access Analyzer policy check reference.

Validating policies in IAM (console)

You can view findings generated by IAM Access Analyzer policy validation when you create or edit a managed policy in the IAM console. You can also view these findings for inline user or role policies. IAM Access Analyzer does not generate these findings for inline group policies.

To view findings generated by policy checks for IAM JSON policies
  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Begin creating or editing a policy using one of the following methods:

    1. To create a new managed policy, go to the Policies page and create a new policy. For more information, see Creating policies using the JSON editor.

    2. To view policy checks for an existing customer managed policy, go to the Policies page, choose the name of a policy, and then choose Edit. For more information, see Editing customer managed policies (console).

    3. To view policy checks for an inline policy on a user or role, go to the Users or Roles page, choose the name of a user or role, choose the name of the policy on the Permissions tab, and then choose Edit. For more information, see Editing customer managed policies (console).

  3. In the policy editor, choose the JSON tab.

  4. In the policy validation pane below the policy, choose one or more of the following tabs. The tab names also indicate the number of each finding type for your policy.

    • Security – View warnings if your policy allows access that Amazon considers a security risk because the access is overly permissive.

    • Errors – View errors if your policy includes lines that prevent the policy from functioning.

    • Warnings – View warnings if your policy doesn't conform to best practices, but the issues are not security risks.

    • Suggestions – View suggestions if Amazon recommends improvements that don't impact the permissions of the policy.

  5. Review the finding details provided by the IAM Access Analyzer policy check. Each finding indicates the location of the reported issue. To learn more about what causes the issue and how to resolve it, choose the Learn more link next to the finding. You can also search for the policy check associated with each finding in the Access Analyzer policy checks reference page.

  6. Optional. If you are editing an existing policy, you can run a custom policy check to determine whether your updated policy grants new access compared to the existing version. In the policy validation pane below the policy, choose the Check for new access tab and then choose Check policy. If the modified permissions grant new access, the statement will be highlighted in the policy validation pane. If you do not intend to grant new access, update the policy statement and choose Check policy until no new access is detected. For more information, see IAM Access Analyzer custom policy checks.

    Note

    A charge is associated with each check for new access. For more details on pricing, see IAM Access Analyzer pricing.

  7. Update your policy to resolve the findings.

    Important

    Test new or edited policies thoroughly before implementing them in your production workflow.

  8. When you are finished, choose Next. The Policy validator reports any syntax errors that are not reported by IAM Access Analyzer.

    Note

    You can switch between the Visual and JSON tabs anytime. However, if you make changes or choose Next in the Visual tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

  9. For new policies, on the Review and create page, enter a Policy name and a Description (optional) for the policy that you are creating. Review the Permissions defined in this policy to see the permissions that are granted by your policy. Then choose Create policy to save your work.

    For existing policies, on the Review and save page, review the Permissions defined in this policy to see the permissions that are granted by your policy. Select the Set this new version as the default check box to save the updated version as the default version of the policy. Then choose Save changes to save your work.

Validating policies using IAM Access Analyzer (Amazon CLI or Amazon API)

You can view findings generated by IAM Access Analyzer policy validation from the Amazon Command Line Interface (Amazon CLI).
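The same ValidatePolicy findings the console shows in its Security, Errors, Warnings, and Suggestions tabs are what a CI pipeline would gate on. The following is an added example (not code from the Amazon documentation) that calls the real boto3 operations `validate_policy` (following `nextToken` pagination) and `check_no_new_access` (the API behind the console's Check for new access tab, which is billed per call and must be available in your Region), then triages the findings offline. Assumptions: boto3 is installed and credentials and a Region are configured when the two network functions are called; the choice to block on ERROR and SECURITY_WARNING is a local policy decision; and `SAMPLE_FINDINGS` is a constructed response shaped like ValidatePolicy output, not real API output, kept to the fields the triage uses.

```python
"""Validate an IAM policy with IAM Access Analyzer and gate a deployment on the findings.

Added example, not Amazon's own code. The two network functions need boto3 and
configured credentials; the triage functions run offline on a constructed sample.
"""
import json

# Finding types returned by ValidatePolicy. Which ones block a deployment is a
# local choice (assumption here: errors and security warnings block).
BLOCKING_TYPES = frozenset({"ERROR", "SECURITY_WARNING"})


def validate_policy_document(policy_document, policy_type="IDENTITY_POLICY", region_name=None):
    """Call ValidatePolicy and return every finding, following nextToken pagination.

    Equivalent CLI call:
      aws accessanalyzer validate-policy --policy-document file://policy.json --policy-type IDENTITY_POLICY
    """
    import boto3  # imported lazily so the offline triage below does not need it
    client = boto3.client("accessanalyzer", region_name=region_name)
    params = {"policyDocument": json.dumps(policy_document), "policyType": policy_type}
    findings = []
    while True:
        resp = client.validate_policy(**params)
        findings.extend(resp.get("findings", []))
        if not resp.get("nextToken"):
            return findings
        params["nextToken"] = resp["nextToken"]


def check_no_new_access(new_policy, existing_policy, policy_type="IDENTITY_POLICY", region_name=None):
    """Custom policy check behind the console's Check for new access tab (a charge applies per call).

    Returns True when the updated policy grants no access that the existing policy did not.
    """
    import boto3  # lazy import, see above
    client = boto3.client("accessanalyzer", region_name=region_name)
    resp = client.check_no_new_access(
        newPolicyDocument=json.dumps(new_policy),
        existingPolicyDocument=json.dumps(existing_policy),
        policyType=policy_type,
    )
    return resp["result"] == "PASS"


def summarize(findings):
    """Count findings per type: the console's Security / Errors / Warnings / Suggestions tabs."""
    counts = {"SECURITY_WARNING": 0, "ERROR": 0, "WARNING": 0, "SUGGESTION": 0}
    for f in findings:
        counts[f["findingType"]] = counts.get(f["findingType"], 0) + 1
    return counts


def _path_to_string(path):
    """Render a finding location path ({'value': key} / {'index': n} elements) as /Statement/0/Resource."""
    return "/" + "/".join(str(el["value"] if "value" in el else el["index"]) for el in path)


def gate(findings, blocking_types=BLOCKING_TYPES):
    """Decide whether the policy may ship. Returns (ok, report_lines) with one line per blocking finding."""
    report = []
    for f in findings:
        if f["findingType"] not in blocking_types:
            continue
        where = ", ".join(_path_to_string(loc["path"]) for loc in f.get("locations", [])) or "(no location)"
        report.append(f"{f['findingType']} {f['issueCode']} at {where}: {f['findingDetails']}")
    return (len(report) == 0, report)


# Constructed sample shaped like ValidatePolicy output (NOT real API output), for a policy whose
# statement 0 allows iam:PassRole on "*" and whose statement 1 names an action IAM does not know.
SAMPLE_FINDINGS = [
    {
        "findingType": "SECURITY_WARNING",
        "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
        "findingDetails": "Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive.",
        "locations": [{"path": [{"value": "Statement"}, {"index": 0}, {"value": "Resource"}]}],
    },
    {
        "findingType": "ERROR",
        "issueCode": "INVALID_ACTION",
        "findingDetails": "The action s3:GetObjekt does not exist.",
        "locations": [{"path": [{"value": "Statement"}, {"index": 1}, {"value": "Action"}]}],
    },
    {
        "findingType": "WARNING",
        "issueCode": "MISSING_VERSION",
        "findingDetails": "We recommend that you specify the Version element.",
        "locations": [{"path": []}],
    },
]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in validate_policy_document(...) for a live run.
    print(summarize(SAMPLE_FINDINGS))
    ok, report = gate(SAMPLE_FINDINGS)
    print("PASS" if ok else "FAIL")
    for line in report:
        print(" ", line)
```

Run it as-is to see the triage on the sample; in a pipeline, replace `SAMPLE_FINDINGS` with the return value of `validate_policy_document(policy)` and fail the job when `gate` returns `False`. The `Action: "*"`-style findings the console tags as Security map to `findingType == "SECURITY_WARNING"`, so the thresholds in `BLOCKING_TYPES` are the only thing to tune.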

To view findings generated by IAM Access Analyzer policy validation (Amazon CLI or Amazon API)

Use one of the following: