This section presents detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of IAM policies. It includes the following sections:
IAM Policy Elements Reference — This section describes each of the elements that you can use when you create a policy. It includes additional policy examples and describes conditions, supported data types, and how they are used in various services.
IAM Policy Variables Overview — This section describes placeholders that you can specify in a policy that are replaced during policy evaluation with values from the request.
Creating a Condition That Tests Multiple Key Values (Set Operations) — This section describes how to create policies for requests in which a request key includes multiple items that you need to test against a set of values.
IAM Policy Evaluation Logic — This section describes AWS requests, how they are authenticated, and how AWS uses policies to determine access to resources.
Grammar of the IAM Policy Language — This section presents a formal grammar for the language used to create policies in IAM.
AWS is making improvements to the policy rules engine that enforce a stricter syntax. Starting in March 2015, you cannot save any policy that does not comply with the stricter rules.
To help you correct invalid policies, AWS created the Policy Validator that informs you whenever it detects an invalid policy. One click takes you to an editor that shows both the existing policy and a copy with the recommended changes. You can accept the changes or make further modifications. For more information, see Using Policy Validator.