IAM Access Analyzer policy validation - AWS Identity and Access Management

IAM Access Analyzer policy validation

You can validate your policies using AWS Identity and Access Management Access Analyzer policy checks. You can create or edit a policy using the AWS CLI, AWS API, or JSON policy editor in the IAM console. IAM Access Analyzer validates your policy against IAM policy grammar and best practices. You can view policy validation check findings that include security warnings, errors, general warnings, and suggestions for your policy. These findings provide actionable recommendations that help you author policies that are functional and conform to security best practices. To view a list of the warnings, errors, and suggestions that are returned by Access Analyzer, see Access Analyzer policy check reference.

Validating policies in IAM (console)

You can view findings generated by the policy checks when you create or edit a managed policy in the IAM console. You can also view these findings for inline user or role policies. Access Analyzer does not generate these findings for inline group policies.

To view findings generated by policy checks for IAM JSON policies
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Begin creating or editing a policy using one of the following methods:

    1. To create a new managed policy, go to the Policies page and create a new policy. For more information, see Creating policies using the JSON editor.

    2. To view policy checks for an existing managed policy, go to the Policies page, choose the name of a policy, and then choose Edit policy. For more information, see Editing customer managed policies (console).

    3. To view policy checks for an inline policy on a user or role, go to the Users or Roles page, choose the name of a user or role, and choose Edit policy on the Permissions tab. For more information, see Editing customer managed policies (console).

  3. In the policy editor, choose the JSON tab.

  4. In the policy validation pane below the policy, choose one or more of the following tabs. The tab names also indicate the number of each finding type for your policy.

    • Security – View warnings if your policy allows access that AWS considers a security risk because the access is overly permissive.

    • Errors – View errors if your policy includes lines that prevent the policy from functioning.

    • General – View warnings if your policy doesn't conform to best practices, but the issues are not security risks.

    • Suggestions – View suggestions if AWS recommends improvements that don't impact the permissions of the policy.

  5. Review the finding details provided by the IAM Access Analyzer policy check. Each finding indicates the location of the reported issue. To learn more about what causes the issue and how to resolve it, choose the Learn more link next to the finding. You can also search for the policy check associated with each finding in the Access Analyzer policy checks reference page.

  6. Update your policy to resolve the findings.

    Important

    Test new or edited policies thoroughly before implementing them in your production workflow.

  7. When you are finished, choose Review policy. The Policy Validator reports any syntax errors that are not reported by Access Analyzer.

    Note

    You can switch between the Visual editor and JSON tabs anytime. However, if you make changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

  8. On the Review policy page, type a Name and a Description (optional) for the policy that you are creating. Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

Validating policies using Access Analyzer (AWS CLI or AWS API)

You can view findings generated by IAM Access Analyzer policy checks from the AWS Command Line Interface (AWS CLI).
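The four console tabs described above map directly onto the findingType values that the ValidatePolicy API returns: SECURITY_WARNING (Security), ERROR (Errors), WARNING (General), and SUGGESTION (Suggestions). The following Python script is an added example, not code from the AWS documentation. It buckets API findings the way the console tabs do, prints each finding with its location, and fails a deployment gate when Security or Errors findings remain. The sample policy, the sample findings (their issue codes and wording), the gating rule, and the function names are this example's own assumptions; the boto3 call uses the real validate_policy operation and needs AWS credentials, while the offline helpers do not.

```python
"""Triage IAM Access Analyzer policy validation findings (added example, not
AWS documentation code). Findings follow the ValidatePolicy API shape
(findingType, issueCode, findingDetails, locations); SAMPLE_POLICY and
SAMPLE_FINDINGS are constructed by hand, not real service output."""
import json
import sys

# findingType values returned by the API and the console tab each one lands in.
TAB_FOR_FINDING_TYPE = {"SECURITY_WARNING": "Security", "ERROR": "Errors",
                        "WARNING": "General", "SUGGESTION": "Suggestions"}

# Gating rule assumed by this example: security warnings and errors block
# deployment; general warnings and suggestions are reported but allowed.
BLOCKING_TYPES = {"SECURITY_WARNING", "ERROR"}

# Constructed policy: no Version, empty Sid, iam:PassRole on "*", misspelled action.
SAMPLE_POLICY = {"Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObjec", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

def _sample(finding_type, issue_code, details, path, line):
    """Build one constructed finding in the ValidatePolicy response shape."""
    return {"findingType": finding_type, "issueCode": issue_code, "findingDetails": details,
            "locations": [{"path": path, "span": {"start": {"line": line, "column": 0, "offset": 0}}}]}

# What the service would plausibly report for SAMPLE_POLICY (wording is illustrative).
SAMPLE_FINDINGS = [
    _sample("SECURITY_WARNING", "PASS_ROLE_WITH_STAR_IN_RESOURCE",
            "iam:PassRole with a wildcard resource allows passing any role.",
            [{"value": "Statement"}, {"index": 0}, {"value": "Resource"}], 3),
    _sample("ERROR", "INVALID_ACTION", "The action s3:GetObjec does not exist.",
            [{"value": "Statement"}, {"index": 1}, {"value": "Action"}], 4),
    _sample("WARNING", "MISSING_VERSION", "The policy has no Version element.", [], 1),
    _sample("SUGGESTION", "EMPTY_SID_VALUE", "The Sid element is empty.",
            [{"value": "Statement"}, {"index": 0}, {"value": "Sid"}], 3),
]

def bucket_by_tab(findings):
    """Group findings under the console tab names, keeping API order."""
    buckets = {tab: [] for tab in TAB_FOR_FINDING_TYPE.values()}
    for finding in findings:
        tab = TAB_FOR_FINDING_TYPE.get(finding.get("findingType"), "Other")
        buckets.setdefault(tab, []).append(finding)
    return buckets

def count_by_tab(findings):
    """The per-tab counts the console shows in the tab names."""
    return {tab: len(items) for tab, items in bucket_by_tab(findings).items()}

def blocking_findings(findings):
    """Findings that fail the deployment gate under BLOCKING_TYPES."""
    return [f for f in findings if f.get("findingType") in BLOCKING_TYPES]

def policy_is_deployable(findings):
    return not blocking_findings(findings)

def describe_location(location):
    """Render a finding location as e.g. Statement/0/Resource (line 3)."""
    parts = [str(p["index"]) if "index" in p else p["value"] for p in location.get("path", [])]
    text = "/".join(parts) or "<document>"
    line = location.get("span", {}).get("start", {}).get("line")
    return f"{text} (line {line})" if line is not None else text

def format_finding(finding):
    where = "; ".join(describe_location(loc) for loc in finding.get("locations", []))
    return f"[{finding['findingType']}] {finding['issueCode']} at {where}: {finding['findingDetails']}"

def validate_with_aws(policy, policy_type="IDENTITY_POLICY"):
    """Call ValidatePolicy (needs boto3 and AWS credentials), following nextToken."""
    import boto3  # imported lazily so the offline helpers above need no SDK
    client = boto3.client("accessanalyzer")
    kwargs = {"policyDocument": json.dumps(policy), "policyType": policy_type}
    findings = []
    while True:
        response = client.validate_policy(**kwargs)
        findings.extend(response.get("findings", []))
        if not response.get("nextToken"):
            return findings
        kwargs["nextToken"] = response["nextToken"]

if __name__ == "__main__":
    if "--live" in sys.argv:          # validate SAMPLE_POLICY against the real service
        findings = validate_with_aws(SAMPLE_POLICY)
    elif not sys.stdin.isatty():      # aws accessanalyzer validate-policy ... | python triage.py
        findings = json.load(sys.stdin).get("findings", [])
    else:
        findings = SAMPLE_FINDINGS
    for tab, items in bucket_by_tab(findings).items():
        print(f"{tab} ({len(items)})")
        for finding in items:
            print("  " + format_finding(finding))
    sys.exit(0 if policy_is_deployable(findings) else 1)
```

The same findings come from the CLI with `aws accessanalyzer validate-policy --policy-document file://policy.json --policy-type IDENTITY_POLICY`; piping that JSON output into the script reuses the triage logic, and the nonzero exit on remaining Security or Errors findings is what a CI step checks. Validation results are only as good as the policy type you pass, so use RESOURCE_POLICY or SERVICE_CONTROL_POLICY for those document kinds rather than the identity-policy default.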

To view findings generated by IAM Access Analyzer policy checks (AWS CLI or AWS API)

Use one of the following: