Examples of Policy Summaries
The following examples include JSON policies with their associated policy summaries, the service summaries, and the action summaries to help you understand the permissions given through a policy.
Policy 1: DenyCustomerBucket
This policy demonstrates an allow and a deny for the same service.
Copy{ "Version": "2012-10-17", "Statement": [ { "Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"] }, { "Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny", "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ] } ] }
DenyCustomerBucket Policy Summary:
DenyCustomerBucket S3 (Allow) Service Summary:
GetBucketPolicy (List) Action Summary:
Policy 2: DynamoDbRowCognitoID
This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.
Copy{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem" ], "Resource": [ "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] }
DynamoDbRowCognitoID Policy Summary:
DynamoDbRowCognitoID DynamoDB (Allow) Service Summary:
GetItem (List) Action Summary:
Policy 3: MultipleResourceCondition
This policy includes multiple resources and conditions.
Copy{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::Apple_bucket/*"], "Condition": { "StringEquals": { "s3:x-amz-acl": ["public-read"] } } }, { "Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::Orange_bucket/*"], "Condition": { "StringEquals": { "s3:prefix": ["custom", "other"] } } }] }
MultipleResourceCondition Policy Summary:
MultipleResourceCondition S3 (Allow) Service Summary:
PutObject (Write) Action Summary:
Policy 4: EC2_Troubleshoot
The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. This policy also permits viewing information about the items in the Amazon S3 developer bucket.
Copy{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:GetConsoleScreenshot" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::developer" ] } ] }
EC2_Troubleshoot Policy Summary:
EC2_Troubleshoot S3 (Allow) Service Summary:
ListBucket (List) Action Summary:
Policy 5: Unrecognized_Service_Action
The following policy was intended to provide full access to DynamoDB, but that access
fails
because dynamodb is misspelled as dynamobd. This policy was intended
to allow access to some Amazon EC2 actions in the us-east-2 region, but deny that
access to the ap-northeast-2 region. However, access to reboot instances in the
ap-northeast-2 region is not explicitly denied because of the unrecognized
o in the middle of the RebootInstances action. The policy was also
intended to provide access for developers to list all Amazon S3 buckets and read all
of the objects
within Amazon S3. However, access to list the buckets fails because of an unrecognized
s at the end of the ListBucket action. This example shows how you
can use policy summaries to locate and fix errors in your policies. To learn how to
edit
policies based on information in a policy summary, see Editing Policies to Change Policy Summaries.
Copy{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamobd:*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:HeadBucket", "s3:ListAllMyBuckets", "s3:ListBuckets", "s3:ListObjects", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::developer" ] }, { "Effect": "Deny", "Action": [ "s3:*" ], "Resource": [ "arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ] }, { "Action": [ "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:ReboootInstances" ], "Resource": "*", "Effect": "Deny", "Condition": { "StringEquals": { "ec2:Region": "ap-northeast-2" } } }, { "Action": [ "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ec2:Region": "us-east-2" } } }, { "Action": "ec2:RunInstances", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ec2:Region": "us-west-2" } } } ] }
Unrecognized_Service_Action Policy Summary:
Unrecognized_Service_Action S3 (Allow) Service Summary:
Unrecognized_Service_Action GetObject (List) Action Summary:
Policy 6: CodeBuild_CodeCommit_CodeDeploy
This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources.
Because these resources are specific to each service, they appear only with the matching
service. If you include a resource that does not match any services in the Action
element, then the resource appears in all action summaries.
Copy{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1487980617000", "Effect": "Allow", "Action": [ "codebuild:*", "codecommit:*", "codedeploy:*" ], "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project", "arn:aws:codebuild:us-east-2:123456789012:build/my-demo-project:7b7416ae-89b4-46cc-8236-61129df660ad", "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo", "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App", "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*" ] } ] }
CodeBuild_CodeCommit_CodeDeploy Policy Summary:
CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) Service Summary:
CodeBuild_CodeCommit_CodeDeploy ListBuilds (List) Action Summary:
