AWS Identity and Access Management
User Guide

Policy Summary (List of Services)

An IAM console policy summary includes a list of services with summaries of the permissions defined for the chosen policy. If the policy includes a Deny statement, then the summary is grouped according to the effect of the policy (Explicit deny or Allow). Because an explicit deny always overrides an allow in IAM policy evaluation, a service that appears in the Explicit deny group is blocked for the denied actions and resources even if another statement or policy allows them.

Tip

Because permissions that are not explicitly allowed are denied by default, it is a best practice to include only Allow statements within a policy.

You can view the policy summary for managed policies on the Policies page, or view the summaries of the policies attached to a user on the Users page. The summary is a rendering of the JSON policy document; when you review permissions, treat the JSON as the authoritative source. If your policy does not include a policy summary, see Missing Policy Summary.

To view the policy summary for a managed policy

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Policies from the navigation pane.

  3. In the list of policies, choose the name of the policy that you want to view.

  4. On the details page for the policy, choose the Permissions tab, if necessary, in order to view the policy summary table.

  5. To switch between viewing the JSON text or summary for a policy, choose JSON or Policy summary.

  6. To edit customer managed policies while viewing the JSON document for the policy, choose Edit. You cannot edit AWS managed policies.

To view the summary for a policy attached to a user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users from the navigation pane.

  3. In the list of users, choose the name of the user whose policy you want to view.

  4. On the details page for the user, choose the Permissions tab, if necessary, to view the list of policies that are attached to the user directly or from a group.

  5. In the table of policies for the user, expand the header for the policy summary that you want to view.

  6. To switch between viewing the JSON text or summary for a policy, choose JSON or Policy summary.

  7. To edit inline policies that are attached directly to the user, choose Edit policy. To edit managed policies, you must go to the Policies page. To edit inline policies for a group that are assigned to a user, you must go to the details page for that group. You cannot edit AWS managed policies.

Understanding the Elements of a Policy Summary

In the following example of a user details page, the PolSumUser user has eight attached policies. The SummaryAllElements policy is a managed policy that is attached directly to the user. This policy is expanded to show the policy summary.


          Policy summary dialog image

In the preceding image, the policy summary is visible from within the user details page:

  1. The Permissions tab for a user includes the policies that are attached to the PolSumUser user.

  2. The SummaryAllElements policy is one of eight policies that are attached to the user. The SummaryAllElements table row is expanded in order to view the policy summary.

  3. The view for each policy can be toggled between the policy summary and the JSON policy document.

  4. Simulate policy opens the policy simulator for testing the policy.

  5. Use the search box to reduce the list of services and easily find a specific service.

  6. The highlighted area is the expanded view of the policy summary for SummaryAllElements. The following image shows the details within that policy summary.

  7. Three other policies are attached directly to this user. Below those is an additional Attached from group section that could include more policies.

The following policy summary table image shows the expanded SummaryAllElements policy on the PolSumUser user details page.


          Policy summary dialog image

The numbered callouts in the preceding image correspond to the following elements of the policy summary:

  1. Service – This column lists the services that are defined within the policy and provides details for each service. Each service name in the policy summary table is a link to the service summary table, which is explained in Service Summary (List of Actions). In this example, permissions are defined for Amazon S3, Billing, and Amazon EC2.

  2. The policy summary groups services according to whether the policy allows or explicitly denies the use of the service. In this example, the policy includes both Allow and Deny statements for the Amazon S3 service. Therefore the policy summary includes S3 within both the Explicit deny and Allow sections.

  3. Access level – This column tells whether the actions in each access level (List, Read, Write, and Permissions management) have Full or Limited permissions defined in the policy. For additional details and examples of the access level summary, see Understanding Access Level Summaries Within Policy Summaries.

  4. Full access – This entry indicates that the service has access to all actions within all four of the access levels available for the service. In this example, because this row is in the Explicit deny section of the table, all Amazon S3 actions are denied for the resources included in the policy.

  5. If the entry does not include Full access, then the policy grants some but not all of the actions for the service. The access is then described by one of the following values for each of the four access level classifications (List, Read, Write, and Permissions management):

    Full: The policy provides access to all actions within each access level classification listed. In this example, the policy provides access to all of the Billing Read actions.

    Limited: The policy provides access to one or more but not all actions within each access level classification listed. In this example, the policy provides access to some of the Billing Write actions.

  6. Resource – This column lists the resources that the policy specifies for each service.

  7. Multiple – The policy includes more than one but not all of the resources within the service. In this example, access is denied to more than one Amazon S3 resource.

  8. All resources – The policy is defined for all resources within the service. In this example, the policy allows the listed actions to be performed on all Billing resources.

  9. Resource ARN – The policy includes one resource within the service. In this example, the listed actions are allowed on only the arn:aws:s3:::developer_bucket/* Amazon S3 resource.

  10. Request condition – This column indicates whether the services or actions associated with the resource are subject to conditions. The summary does not show the condition keys, operators, or values; to view the full list of conditions for the policy, choose JSON for the policy.

  11. None – The policy includes no conditions for the service. In this example no conditions are applied to the denied actions in the Amazon S3 service.

  12. Condition text – The policy includes exactly one condition for the service. In this example, the listed Billing actions are allowed only if the source IP address of the request falls within 203.0.113.0/24.

  13. Multiple – The policy includes more than one condition for the service. In this example, access to the listed Amazon S3 actions is allowed based on more than one condition.
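The grouping described above (Explicit deny versus Allow, one row per service, and the Resource and Request condition columns collapsing to All resources, a single ARN or Multiple, and None, a single condition or Multiple) can be reproduced outside the console, which is useful when you want to review a policy document in bulk or in a pipeline. The following script is an added example, not AWS code and not a feature of the IAM console: it parses a constructed policy document modelled on the SummaryAllElements description in this section and produces the same kind of table. The sample policy, the helper names, and the condition key choices are assumptions for illustration. The Access level column is deliberately omitted, because it depends on AWS's classification of each action into List, Read, Write or Permissions management, which the script does not carry; Full access is detected only from a wildcard action such as s3:*. To run it against a real managed policy, fetch the document first with `aws iam get-policy-version --policy-arn <arn> --version-id <id>` and pass the `Document` field to `summarize_policy`.

```python
"""Offline approximation of the IAM console policy summary grouping.

Added example (not AWS code). Groups statements by effect and service and
collapses Resource and Condition the way the console's summary table does.
"""
import json
from collections import defaultdict

# Constructed sample policy for illustration only. It mirrors the page's
# description of SummaryAllElements: S3 allowed on one bucket with several
# conditions, all S3 actions denied on other buckets, Billing actions allowed
# from one IP range, and one EC2 read action. Action and condition key names
# are assumptions chosen for the example.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::developer_bucket/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "private"},
                       "Bool": {"aws:SecureTransport": "true"}}},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::finance_bucket",
                      "arn:aws:s3:::finance_bucket/*"]},
        {"Effect": "Allow",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ModifyBilling"],
         "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_prefix(action):
    """'s3:GetObject' -> 's3'; a bare '*' means every service."""
    return action.split(":", 1)[0]


def _is_service_wildcard(action):
    """True for 's3:*' or '*', i.e. all actions of the service."""
    return action.split(":", 1)[-1] == "*"


def summarize_resources(resources):
    """Resource column: 'All resources', the single ARN, or 'Multiple'."""
    uniq = sorted(set(resources))
    if "*" in uniq:
        return "All resources"
    if len(uniq) == 1:
        return uniq[0]
    return "Multiple"


def summarize_conditions(conditions):
    """Request condition column: 'None', the single condition, or 'Multiple'."""
    uniq = sorted(set(conditions))
    if not uniq:
        return "None"
    if len(uniq) == 1:
        operator, key, value = uniq[0]
        return f"{operator}: {key} = {value}"
    return "Multiple"


def summarize_policy(policy_json):
    """Return {effect: {service: {actions, full_access, resources, condition}}}."""
    doc = json.loads(policy_json)
    buckets = defaultdict(lambda: defaultdict(
        lambda: {"actions": set(), "resources": set(), "conditions": set()}))
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated elements are not approximated here; read the JSON instead.
            raise ValueError("NotAction/NotResource statements are not summarised")
        effect = "Explicit deny" if stmt.get("Effect") == "Deny" else "Allow"
        resources = _as_list(stmt.get("Resource"))
        conds = {(op, key, json.dumps(val, sort_keys=True))
                 for op, keyvals in (stmt.get("Condition") or {}).items()
                 for key, val in keyvals.items()}
        for action in _as_list(stmt.get("Action")):
            entry = buckets[effect][_service_prefix(action)]
            entry["actions"].add(action)
            entry["resources"].update(resources)
            entry["conditions"].update(conds)
    return {
        effect: {
            svc: {
                "actions": sorted(e["actions"]),
                "full_access": any(_is_service_wildcard(a) for a in e["actions"]),
                "resources": summarize_resources(e["resources"]),
                "condition": summarize_conditions(e["conditions"]),
            } for svc, e in services.items()
        } for effect, services in buckets.items()
    }


def render(summary):
    """Render the summary as text, Explicit deny group first like the console."""
    lines = []
    for effect in ("Explicit deny", "Allow"):
        for svc, entry in sorted(summary.get(effect, {}).items()):
            access = "Full access" if entry["full_access"] else f"{len(entry['actions'])} action(s)"
            lines.append(f"{effect:13} {svc:11} {access:12} "
                         f"{entry['resources']:34} {entry['condition']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize_policy(SAMPLE_POLICY)))
```

In the sample the S3 row appears in both groups, as the page describes for SummaryAllElements: the Allow row shows the developer_bucket ARN with Multiple conditions, and the Explicit deny row shows Full access over Multiple resources with no condition. A statement that uses NotAction or NotResource makes the script raise rather than produce a misleading row, which is the same decision you should make when reviewing by hand: open the JSON.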