AWS Identity and Access Management
User Guide

Examples of Policy Summaries

The following examples include JSON policies with their associated policy summaries and service summaries to help you understand the permissions given through a policy.

Policy 1: DenyCustomerBucket

This policy demonstrates an allow and a deny for the same service: the first statement allows every Amazon S3 action on every resource, and the second explicitly denies every S3 action on the customer bucket and its objects. Because an explicit deny always overrides an allow, the user can use S3 everywhere except that bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"]
    },
    {
      "Sid": "DenyCustomerBucket",
      "Action": ["s3:*"],
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::customer",
        "arn:aws:s3:::customer/*"
      ]
    }
  ]
}

DenyCustomerBucket Policy Summary:

[Policy summary dialog image]

DenyCustomerBucket S3 (Allow) Service Summary:

[Service summary dialog image]

Policy 2: DynamoDbRowCognitoID

This policy provides row-level (per-item) access to an Amazon DynamoDB table: each user may read, write, query, and delete only the items whose partition key value equals the user's Amazon Cognito identity ID, enforced through the dynamodb:LeadingKeys condition key.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DeleteItem",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
        "dynamodb:UpdateItem"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
        }
      }
    }
  ]
}

DynamoDbRowCognitoID Policy Summary:

[Policy summary dialog image]

DynamoDbRowCognitoID DynamoDB (Allow) Service Summary:

[Service summary dialog image]

Policy 3: MultipleResourceCondition

This policy includes multiple resources and conditions: the same two S3 actions are allowed on two different buckets, and each bucket carries its own condition (an object ACL of public-read for Apple_bucket, a key prefix of custom or other for Orange_bucket).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::Apple_bucket/*"],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::Orange_bucket/*"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["custom", "other"]
        }
      }
    }
  ]
}

MultipleResourceCondition Policy Summary:

[Policy summary dialog image]

MultipleResourceCondition S3 (Allow) Service Summary:

[Service summary dialog image]
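The way the summaries above resolve Policy 1's allow-plus-deny and Policy 3's per-bucket conditions can be checked mechanically. The following Python is an added example, not code from AWS or from this guide: a deliberately simplified evaluator that applies the implicit-deny / explicit-deny-wins rule with wildcard matching and the single-valued StringEquals operator; the function names are this example's own, and Policy 2's ForAllValues operator is rejected rather than modelled.

```python
import fnmatch
import json

# Policy 1 (DenyCustomerBucket) and Policy 3 (MultipleResourceCondition) from this
# page, embedded as fixtures so the evaluator runs offline.
DENY_CUSTOMER_BUCKET = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
 {"Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny",
  "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]}]}""")
MULTIPLE_RESOURCE_CONDITION = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
  "Resource": ["arn:aws:s3:::Apple_bucket/*"],
  "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}},
 {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
  "Resource": ["arn:aws:s3:::Orange_bucket/*"],
  "Condition": {"StringEquals": {"s3:prefix": ["custom", "other"]}}}]}""")

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches_any(patterns, value, fold=False):
    # "*" and "?" wildcards; action names fold case, resource ARNs do not.
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Only single-valued StringEquals is modelled; any other operator (e.g. the
    # ForAllValues:StringEquals in Policy 2) is rejected rather than skipped,
    # because ignoring a Condition would make the evaluator over-grant.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator not modelled: {operator}")
        if any(context.get(k) not in _as_list(v) for k, v in pairs.items()):
            return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one request under one identity-based policy:
    implicit deny until an Allow matches, and any matching Deny wins outright."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not (_matches_any(_as_list(stmt["Action"]), action, fold=True)
                and _matches_any(_as_list(stmt["Resource"]), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides every Allow in the policy
        decision = "Allow"
    return decision
```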

Policy 4: EC2_Troubleshoot

The following policy allows users to capture a screenshot of any running Amazon EC2 instance, to help with EC2 troubleshooting, and to list the contents of the Amazon S3 bucket named developer.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:GetConsoleScreenshot"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::developer"]
    }
  ]
}

EC2_Troubleshoot Policy Summary:

[Policy summary dialog image]

EC2_Troubleshoot S3 (Allow) Service Summary:

[Service summary dialog image]