Action summary (list of resources)
Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The action summary table includes a list of resources and the associated conditions that apply to the chosen action.

To view an action summary for each action that grants permissions, choose the link in the service summary. The action summary table includes details about the resource, including its Region and Account. You can also view the conditions that apply to each resource. This shows you conditions that apply to some resources but not others.
Viewing action summaries
You can view the action summary for managed policies, any policy that is attached to a user, and any policy that is attached to a role on the Policies page.
To view the action summary for a managed policy
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Policies.
- In the list of policies, choose the name of the policy that you want to view.
- On the Policy details page for the policy, view the Permissions tab to see the policy summary.
- In the policy summary list of services, choose the name of the service that you want to view.
- In the service summary list of actions, choose the name of the action that you want to view.
To view the action summary for a policy attached to a user
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- Choose Users from the navigation pane.
- In the list of users, choose the name of the user whose policy you want to view.
- On the Summary page for the user, view the Permissions tab to see the list of policies that are attached to the user directly or from a group.
- In the table of policies for the user, choose the name of the policy that you want to view.
  If you are on the Users page and choose to view the service summary for a policy that is attached to that user, you are redirected to the Policies page. You can view service summaries only on the Policies page.
- In the policy summary list of services, choose the name of the service that you want to view.
  Note: If the policy that you select is an inline policy that is attached directly to the user, then the service summary table appears. If the policy is an inline policy attached from a group, then you are taken to the JSON policy document for that group. If the policy is a managed policy, then you are taken to the service summary for that policy on the Policies page.
- In the service summary list of actions, choose the name of the action that you want to view.
To view the action summary for a policy attached to a role
- Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.amazonaws.cn/iam/.
- In the navigation pane, choose Roles.
- In the list of roles, choose the name of the role whose policy you want to view.
- On the Summary page for the role, view the Permissions tab to see the list of policies that are attached to the role.
- In the table of policies for the role, choose the name of the policy that you want to view.
  If you are on the Roles page and choose to view the service summary for a policy that is attached to that role, you are redirected to the Policies page. You can view service summaries only on the Policies page.
- In the policy summary list of services, choose the name of the service that you want to view.
- In the service summary list of actions, choose the name of the action that you want to view.
Understanding the elements of an action summary
The example below is the action summary for the PutObject (Write) action from the Amazon S3 service summary (see Service summary (list of actions)). For this action, the policy defines multiple conditions on a single resource.

The action summary page includes the following information:
- Choose JSON to see additional details about the policy, such as viewing the multiple conditions that are applied to the actions. (If you are viewing the action summary for an inline policy that is attached directly to a user, the steps differ. To access the JSON policy document in that case, you must close the action summary dialog box and return to the policy summary.)
- To view the summary for a specific resource, type keywords into the Search box to reduce the list of available resources.
- Next to the Actions back arrow appears the name of the service and action in the format "action name action in service" (in this case PutObject action in S3). The action summary for this service includes the list of resources that are defined in the policy.
- Resource – This column lists the resources that the policy defines for the chosen service. In this example, the PutObject action is allowed on all object paths, but on only the developer_bucket Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as arn:aws-cn:s3:::developer_bucket/*, or you might see the defined resource type, such as BucketName = developer_bucket, ObjectPath = All.
- Region – This column shows the Region in which the resource is defined. Resources can be defined for all Regions, or a single Region. They cannot exist in more than one specific Region.
  - All regions – The actions that are associated with the resource apply to all Regions. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all Regions.
  - Region text – The actions associated with the resource apply to one Region. For example, a policy can specify the us-west-2 Region for a resource.
- Account – This column indicates whether the services or actions associated with the resource apply to a specific account. Resources can exist in all accounts or a single account. They cannot exist in more than one specific account.
  - All accounts – The actions that are associated with the resource apply to all accounts. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all accounts.
  - This account – The actions that are associated with the resource apply only in the current account.
  - Account number – The actions that are associated with the resource apply to one account (one that you are not currently logged in to). For example, if a policy specifies the 123456789012 account for a resource, then the account number appears in the policy summary.
- Request condition – This column shows whether the actions that are associated with the resource are subject to conditions. This example includes the s3:x-amz-acl = public-read condition. To learn more about those conditions, choose JSON to review the JSON policy document.
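The Resource, Region, Account and Request condition columns described above can be reproduced offline from a JSON policy document, which is useful when reviewing policies in bulk for resources that lack a condition other resources have. The following Python is an added example, not code from IAM or from this page: the sample policy is constructed (its S3 statement mirrors the PutObject example, the SQS statement and account 111122223333 are made up), and it assumes only Allow statements with Action and Resource elements are summarized.

```python
import fnmatch
import json

# Constructed sample policy: the S3 statement mirrors the page's PutObject example;
# the SQS statement and account 111122223333 are made up for contrast.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws-cn:s3:::developer_bucket/*",
     "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"}}},
    {"Effect": "Allow", "Action": ["sqs:Send*"],
     "Resource": ["arn:aws-cn:sqs:cn-north-1:123456789012:queue_a",
                  "arn:aws-cn:sqs:cn-north-1:111122223333:queue_b"]}
  ]
}""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def describe_resource(arn, current_account):
    """Map an ARN's region and account fields to the summary's column wording."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    region, account = (parts[3], parts[4]) if len(parts) == 6 else ("*", "*")
    region = "All regions" if region in ("", "*") else region
    if account in ("", "*"):
        account = "All accounts"
    elif account == current_account:
        account = "This account"
    return region, account

def action_summary(policy, action, current_account):
    """One row per resource that an Allow statement grants `action` on.
    Statements using NotAction or NotResource are not evaluated here."""
    rows = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        conditions = [f"{key} = {', '.join(map(str, as_list(val)))} ({op})"
                      for op, block in stmt.get("Condition", {}).items()
                      for key, val in block.items()]
        for arn in as_list(stmt["Resource"]):
            region, account = describe_resource(arn, current_account)
            rows.append({"resource": arn, "region": region,
                         "account": account, "conditions": conditions})
    return rows
```

Calling `action_summary(SAMPLE_POLICY, "s3:PutObject", "123456789012")` returns a single row for developer_bucket with "All regions", "All accounts" and the s3:x-amz-acl condition; rows with an empty `conditions` list are the ones to look at first in a review.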