AWS Identity and Access Management
User Guide

AWS IAM Policy Reference

This section presents detailed syntax, descriptions, and examples of the elements, variables, and evaluation logic of IAM policies. It includes the following sections.

  • IAM Policy Elements Reference — This section describes each of the elements that you can use when you create a policy. It includes additional policy examples and describes conditions, supported data types, and how they are used in various services.

  • IAM Policy Variables Overview — This section describes placeholders that you can specify in a policy that are replaced during policy evaluation with values from the request.

  • Creating a Condition That Tests Multiple Key Values (Set Operations) — This section describes how to create policies for requests in which a request key includes multiple items that you need to test against a set of values.

  • IAM Policy Evaluation Logic — This section describes AWS requests, how they are authenticated, and how AWS uses policies to determine access to resources.

  • Grammar of the IAM Policy Language — This section presents a formal grammar for the language used to create policies in IAM.

  • AWS Managed Policies for Job Functions — This section lists all of the AWS managed policies that directly map to common job functions in the IT industry. Use these policies to grant the permissions needed to carry out the tasks expected of someone in a specific job function. These policies consolidate permissions for many services into a single policy.

  • AWS Service Actions and Condition Context Keys for Use in IAM Policies — This section presents a list of all of the AWS API actions that can be used as permissions in an IAM policy and the service-specific condition keys that can be used to further refine the request.

  • AWS IAM Policy Actions Grouped by Access Level — This section presents a list the access levels that all AWS API actions are members of. Each API action that can be used as a policy permission is categorized into one access level.


You cannot save any policy that does not comply with the established policy syntax. You can use Policy Validator to detect and correct invalid policies. One click takes you to an editor that shows both the existing policy and a copy with the recommended changes. You can accept the changes or make further modifications. For more information, see Using Policy Validator.