IAM Access Analyzer policy validation - Amazon Identity and Access Management
Validating policies in IAM (console)Validating policies using Access Analyzer (Amazon CLI or Amazon API)
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM Access Analyzer policy validation

You can validate your policies using Amazon Identity and Access Management Access Analyzer policy checks. You can create or edit a policy using the Amazon CLI, Amazon API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM policy grammar and best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To view a list of the warnings, errors, and suggestions that are returned by Access Analyzer, see Access Analyzer policy check reference.

Validating policies in IAM (console)

You can view findings generated by the policy checks when you create or edit a managed policy in the IAM console. You can also view these findings for inline user or role policies. Access Analyzer does not generate these findings for inline group policies.

To view findings generated by policy checks for IAM JSON policies

  1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.

  2. Begin creating or editing a policy using one of the following methods:

    1. To create a new managed policy, go to the Policies page and create a new policy. For more information, see Creating policies on the JSON tab.

    2. To view policy checks for an existing managed policy, go the Policies page, choose the name of a policy, and then choose Edit policy. For more information, see Editing customer managed policies (console).

    3. To view policy checks for an inline policy on a user or role, go the Users or Roles page, choose the name of a user or role, and choose Edit policy on the Permissions tab. For more information, see Editing customer managed policies (console).

  3. In the policy editor, choose the JSON tab.

  4. In the policy validation pane below the policy, choose one or more of the following tabs. The tab names also indicate the number of each finding type for your policy.

    • Security – View warnings if your policy allows access that Amazon considers a security risk because the access is overly permissive.

    • Errors – View errors if your policy includes lines that prevent the policy from functioning.

    • General – View warnings if your policy doesn't conform to best practices, but the issues are not security risks.

    • Suggestions – View suggestions if Amazon recommends improvements that don't impact the permissions of the policy.

  5. Review the finding details provided by the IAM Access Analyzer policy check. Each finding indicates the location of the reported issue. To learn more about what causes the issue and how to resolve it, choose the Learn more link next to the finding. You can also search for the policy check associated with each finding in the Access Analyzer policy checks reference page.

  6. Update your policy to resolve the findings.

    Important

    Test new or edited policies thoroughly before implementing them in your production workflow.

  7. When you are finished, choose Review policy. The Policy Validator reports any syntax errors that are not reported by Access Analyzer.

    Note

    You can switch between the Visual editor and JSON tabs anytime. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

  8. On the Review policy page, type a Name and a Description (optional) for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

Validating policies using Access Analyzer (Amazon CLI or Amazon API)

You can view findings generated by IAM Access Analyzer policy checks from the Amazon Command Line Interface (Amazon CLI).

To view findings generated by IAM Access Analyzer policy checks (Amazon CLI or Amazon API)

Use one of the following: