Menu
AWS Identity and Access Management
User Guide

Troubleshoot IAM Policies

Use the information here to help you diagnose and fix common errors, such as syntax errors, found in IAM policies.

IAM policies use syntax that begins with the rules of JavaScript Object Notation (JSON). JSON describes an 'object' and the name and value pairs that make up an object. The IAM policy grammar builds on that by defining what names and values have meaning for, and are understood by, the AWS services that use policies to grant permissions.

More Than One Policy Object

An IAM policy must consist of one and only one JSON object. You denote an object by placing { } braces around it. Although you can nest other objects within a JSON object by embedding additional { } braces within the outer pair, a policy can contain only one outermost pair of { } braces. The following example is incorrect because it contains two objects at the top level (called out in red):

{
  "Version": "2012-10-17",
  "Statement": 
  {
     "Effect":"Allow",
     "Action":"ec2:Describe*",
     "Resource":"*"
  }
}
{ 
  "Statement": {
     "Effect": "Allow",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket/*"
  }
}

You can, however, meet the intention of the previous example with the use of correct policy grammar. Instead of including two complete policy objects each with its own Statement element, you can combine the two blocks into a single Statement element. The Statement element has an array of two objects as its value, as shown in the following example (called out in bold):

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource":" *" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*" } ] }

More Than One Statement Element

This error might at first appear to be a variation on the previous section. However, syntactically it is a different type of error. The following example has only one policy object as denoted by a single pair of { } braces at the top level. However, that object contains two Statement elements within it.

An IAM policy must contain only one Statement element, consisting of the name (Statement) appearing to the left of a colon, followed by its value on the right. The value of a Statement element must be an object, denoted by { } braces, containing one Effect element, one Action element, and one Resource element. The following example is incorrect because it contains two Statement elements in the policy object (called out in red):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*"
  },
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }
}

A value object can be an array of multiple value objects. To solve this problem, combine the two Statement elements into one element with an object array, as shown in the following example (called out in bold):

Copy
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource":"*" }, { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*" } ] }

The value of the Statement element is an object array. The array in this example consists of two objects, each of which is by itself is a correct value for a Statement element. Each object in the array is separated by commas.

More Than One Effect, Action, or Resource Element in a Statement Element

On the value side of the Statement name/value pair, the object must consist of only one Effect element, one Action element, and one Resource element. The following policy is incorrect because it has two Effect elements in the value object of the Statement:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Effect": "Allow",     
    "Action": "ec2:* ",
    "Resource": "*"
  }
}

Note

The policy engine does not allow such errors in new or edited policies. However, the policy engine continues to permit policies that were saved before the engine was updated. The behavior of existing policies with the error is as follows:

  • Multiple Effect elements: only the last Effect element is observed. The others are ignored.

  • Multiple Action elements: all Action elements are combined internally and treated as if they were a single list.

  • Multiple Resource elements: all Resource elements are combined internally and treated as if they were a single list.

The policy engine does not allow you to save any policy with syntax errors. You must correct the errors in the policy before you can save it. The Policy Validator tool can help you to find all older policies with errors and can recommend corrections for them.

In each case, the solution is to remove the incorrect extra element. For Effect elements, this is straightforward: if you want the previous example to deny permissions to Amazon EC2 instances, then you must remove the line "Effect": "Allow", from the policy, as follows:

Copy
{ "Version": "2012-10-17", "Statement": { "Efect": "Deny", "Action": "ec2:* ", "Resource": "*" } }

However, if the duplicate element is Action or Resource, then the resolution can be more complicated. You might have multiple actions that you want to allow (or deny) permission to, or you might want to control access to multiple resources. For example, the following example is incorrect because it has multiple Resource elements (called out in red):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::my-bucket",
    "Resource": "arn:aws:s3:::my-bucket/*"
  }
}

Each of the required elements in a Statement element's value object can be present only once. The solution is to place each value in an array. The following example illustrates this by making the two separate resource elements into one Resource element with an array as the value object (called out in bold):

Copy
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ] } }

Missing Policy Summary

The IAM console includes policy summary tables that describe the access level, resources, and conditions that are allowed or denied for each service in a policy. Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The policy summary table includes a list of services and summaries of the permissions that are defined by the chosen policy. You can view the policy summary for any policies that are attached to a user on the Users page. You can view the policy summary for managed policies on the Policies page. If AWS is unable to render a summary for a policy, then you see the JSON policy document instead of the summary, and receive the following error:

A summary for this policy cannot be generated. You can still view or edit the JSON policy document.

If your policy does not include a summary, one of the following errors has occurred:

  • Unsupported policy element – IAM does not support generating policy summaries for policies that include one of the following policy elements:

    • Principal

    • NotPrincipal

    • NotResource

  • No policy permissions – If a policy does not provide any effective permissions, then the policy summary cannot be generated. For example, if a policy includes a single statement with the element "NotAction": "*", then it grants access to all actions except "all actions" (*). This means it grants Deny or Allow access to nothing.

    Note

    You must be careful when using these policy elements such as NotPrincipal, NotAction, and NotResource. For information about using policy elements, see IAM Policy Elements Reference.

    You can create a policy that does not provide effective permissions if you provide mismatched services and resources. This can occur if you specify actions in one service and resources from another service. In this case, the policy summary does appear. The only indication that there is a problem is that the resource column in the summary can include a resource from a different service. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the policy simulator.

Policy Summary Includes Unrecognized Services, Actions, or Resource Types

In the IAM console, if a policy summary includes a warning symbol ( ), then the policy might include an unrecognized service, action or resource type. To learn about warnings within a policy summary, see Policy Summary (List of Services).

Note

IAM reviews service names, actions, and resource types for services that support policy summaries. However, your policy summary might include a resource value or condition that does not exist. Always test your policies with the policy simulator.

If your policy includes unrecognized services, actions or resource types, one of the following errors has occurred:

  • Preview service – Services that are in preview do not support policy summaries.

  • Custom service – Custom services do not support policy summaries.

  • Service does not support summaries – If your policy includes a generally available (GA) service that does not support policy summaries, then the service is included in the Unrecognized services section of the policy summary table. Generally available services are services that are released publicly and are not preview or custom services. If an unrecognized service is generally available and the name is spelled correctly, then the service does not support IAM policy summaries. To learn how to request policy summary support for a GA service, see Service Does Not Support IAM Policy Summaries.

  • Action does not support summaries – If your policy includes a supported service with an unsupported action, then the action is included in the Unrecognized actions section of the service summary table. To learn about warnings within a service summary, see Service Summary (List of Actions).

  • Resource type does not support summaries – If your policy includes a supported action with an unsupported resource type, then the resource is included in the Unrecognized resource types section of the service summary table. To learn about warnings within a service summary, see Service Summary (List of Actions).

  • Typo – Because the policy validator in AWS checks only that the JSON is syntactically correct, you can create a policy that includes a typo. If you are certain that your policy contains none of the errors above, then your policy might include a typo. Check for misspelled service, action, and resource type names. For example, you might use s2 instead of s3 and ListMyBuckets instead of ListAllMyBuckets. Another common action typo is the inclusion of unnecessary text in ARNs, such as arn:aws:s3: : :*, or missing colons in actions, such as AWSAuthRuntimeService.AuthenticatePassword. You can evaluate a policy that might include typos by using the policy simulator to confirm whether the policy provides the permissions you intended.

Service Does Not Support IAM Policy Summaries

When a generally available (GA) service or action is not recognized by IAM policy summaries, it is possible that the service does not support these summaries. Generally available services are services that are released publicly and are not previewed or custom services. If an unrecognized service is generally available and the name is spelled correctly, then the service does not support IAM policy summaries. If your policy includes a supported service with an unsupported action, then the service does not fully support IAM policy summaries.

To request that a service add IAM policy summary support

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Locate the policy that includes the unsupported service:

    • If the policy is a managed policy, choose Policies in the navigation pane. In the list of policies, choose the name of the policy that you want to view.

    • If the policy is an inline policy attached to the user, choose Users in the navigation pane. In the list of users, choose the name of the user whose policy you want to view. In the table of policies for the user, expand the header for the policy summary that you want to view.

  3. In the left side on the AWS Management Console footer, choose Feedback. In the Tell us about your experience: box, type I request that the <ServiceName> service add support for IAM policy summaries. If you want more than one service to support summaries, type I request that the <ServiceName1>, <ServiceName2>, and <ServiceName3> services add support for IAM policy summaries.

To request that a service add IAM policy summary support for a missing action

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Locate the policy that includes the unsupported service:

    • If the policy is a managed policy, choose Policies in the navigation pane. In the list of policies, choose the name of the policy that you want to view.

    • If the policy is an inline policy attached to the user, choose Users in the navigation pane. In the list of users, choose the name of the user whose policy you want to view. In the table of policies for the user, choose the name of the policy that you want to view to expand the policy summary.

  3. In the policy summary, choose the name of the service that includes an unsupported action.

  4. In the left side on the AWS Management Console footer, choose Feedback. In the Tell us about your experience: box, type I request that the <ServiceName> service add IAM policy summary support for the <ActionName> action. If you want to report more than one unsupported action, type I request that the <ServiceName> service add IAM policy summary support for the <ActionName1>, <ActionName2>, and <ActionName3> actions.

To request that a different service includes missing actions, repeat the last three steps.

My Policy Does Not Grant the Expected Permissions

To assign permissions to a user, group, role, or resource, you create a policy, which is a document that defines permissions. The policy document includes the following elements:

  • Effect – whether the policy allows or denies access

  • Action – the list of actions that are allowed or denied by the policy

  • Resource – the list of resources on which the actions can occur

  • Condition (Optional) – the circumstances under which the policy grants permission

To learn about these and other policy elements, see IAM Policy Elements Reference.

To grant access, your policy must define an action with a supported resource. If your policy also includes a condition, that condition must include a global condition key or must apply to the action. To learn which resources are supported by an action, see the AWS documentation for your service. To learn which conditions are supported by an action, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.

To learn whether your policy defines an action, resource, or condition that does not grant permissions, you can view the policy summary for your policy using the IAM console at https://console.aws.amazon.com/iam/. You can use policy summaries to identify and correct problems in your policy.

There are several reasons why an element might not grant permissions despite being defined in the IAM policy:

To view examples of policy summaries that include warnings, see Policy Summary (List of Services).

An action is defined without an applicable resource

The policy below defines all ec2:Describe* actions and defines a specific resource. None of the ec2:Describe actions are granted because none of these actions support resource-level permissions. Resource-level permissions mean that the action supports resources using ARNs in the policy's Resource element. If an action does not support resource-level permissions, then that statement in the policy must use a wildcard (*) in the Resource element. To learn which services support resource-level permissions, see AWS Services That Work with IAM.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "arn:aws:ec2:us-east-2:ACCOUNT-ID:instance/*"
    }]
}

This policy does not provide any permissions, and the policy summary includes the following error:

This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition.

To fix this policy, you must use * in the Resource element.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*"
    }]
}

A resource is defined without an applicable action

The policy below defines an Amazon S3 bucket resource but does not include an S3 action that can be performed on that resource. This policy also grants full access to all Amazon CloudFront actions.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudfront:*",
        "Resource": [
            "arn:aws:cloudfront:*",
            "arn:aws:s3:::examplebucket"
        ]
    }]
}

This policy provides permissions for all CloudFront actions. But because the policy defines the S3 examplebucket resource without defining any S3 actions, the policy summary includes the following warning:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

To fix this policy to provide S3 bucket permissions, you must define S3 actions that can be performed on a bucket resource.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "cloudfront:*",
            "s3:CreateBucket",
            "s3:ListBucket*",
            "s3:PutBucket*",
            "s3:GetBucket*"
        ],
        "Resource": [
            "arn:aws:cloudfront:*",
            "arn:aws:s3:::examplebucket"
        ]
    }]
}

Alternately, to fix this policy to provide only CloudFront permissions, remove the S3 resource.

A condition is defined without an applicable action

The policy below defines two Amazon S3 actions for all S3 resources, if the S3 prefix equals custom and the version ID equals 1234. However, the s3:VersionId condition key is used for object version tagging and is not supported by the defined bucket actions. To learn which conditions are supported by an action, see AWS Service Actions and Condition Context Keys for Use in IAM Policies and follow the link to the service documentation for condition keys.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:ListBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "custom"
                    ],
                    "s3:VersionId": [
                        "1234"
                    ]
                }
            }
        }
    ]
}

This policy provides permissions for the s3:ListBucket action and the s3:ListBucket action if the bucket name includes the custom prefix. But because the s3:VersionId condition is not supported by any of the defined actions, the policy summary includes the following error:

This policy does not grant any permissions. To grant access, policies must have an action that has an applicable resource or condition.

To fix this policy to use S3 object version tagging, you must define an S3 action that supports the s3:VersionId condition key.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:ListBucket",
                "s3:GetObjectVersion"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "custom"
                    ],
                    "s3:VersionId": [
                        "1234"
                    ]
                }
            }
        }
    ]
}

This policy provides permissions for every action and condition in the policy. However, the policy still does not provide any permissions because there is no case where a single action matches both conditions. Instead, you must create two separate statements that each include only actions with the conditions to which they apply.

To fix this policy, create two statements. The first statement includes the actions that support the s3:prefix condition, and the second statement includes the actions that support the s3:VersionId condition.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketVersions",
                "s3:ListBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:prefix": "custom"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:GetObjectVersion",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:VersionId": "1234"
                }
            }
        }
    ]
}

Missing Version Element

A Version policy element is different from a policy version. The Version policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you make changes to a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. To learn more about the Version policy element see Version. To learn more about policy versions, see Versioning for Managed Policies.

As AWS features evolve, new capabilities are added to IAM policies to support those features. Sometimes, an update to the policy syntax includes a new version number. If you use newer features of the policy grammar in your policy, then you must tell the policy parsing engine which version you are using. The default policy version is "2008-10-17." If you want to use any policy feature that was introduced later, then you must specify the version number that supports the feature you want. We recommend that you always include the latest policy syntax version number, which is currently "Version": "2012-10-17". For example, the following policy is incorrect because it uses a policy variable ${...} in the ARN for a resource without specifying a policy syntax version that supports policy variables (called out in red):

{
  "Statement": 
  {
    "Action": "iam:*AccessKey*",
    "Effect": "Allow",
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }
}

Adding a Version element at the top of the policy with the value 2012-10-17, the first IAM API version that supports policy variables, solves this problem (called out in bold):

Copy
{ "Version": "2012-10-17", "Statement": { "Action": "iam:*AccessKey*", "Effect": "Allow", "Resource": "arn:aws:iam::123456789012:user/${aws:username}" } }

I Can't Attach or Detach a Policy in My IAM Account

Some AWS managed policies are linked to a service. These policies are used only with a service-linked role for that service. In the IAM console, when you view the Summary page for a policy, the page includes a banner to indicate that the policy is linked to a service. You cannot attach this policy to a user, group, or role within IAM. When you create a service-linked role for the service, this policy is automatically attached to your new role. Because the policy is required, you cannot detach the policy from the service-linked role.