Examples of policy summaries
The following examples include JSON policies with their associated policy summaries, the service summaries, and the action summaries to help you understand the permissions given through a policy.
Policy 1: DenyCustomerBucket
This policy demonstrates an allow and a deny for the same service.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "FullAccess", "Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"] }, { "Sid": "DenyCustomerBucket", "Action": ["s3:*"], "Effect": "Deny", "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ] } ] }
DenyCustomerBucket Policy Summary:

DenyCustomerBucket S3 (Explicit deny) Service Summary:

GetObject (Read) Action Summary:

Policy 2: DynamoDbRowCognitoID
This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem" ], "Resource": [ "arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable" ], "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [ "${cognito-identity.amazonaws.com:sub}" ] } } } ] }
DynamoDbRowCognitoID Policy Summary:

DynamoDbRowCognitoID DynamoDB (Allow) Service Summary:

GetItem (List) Action Summary:

Policy 3: MultipleResourceCondition
This policy includes multiple resources and conditions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": ["arn:aws:s3:::Apple_bucket/*"], "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}} }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:PutObjectAcl" ], "Resource": ["arn:aws:s3:::Orange_bucket/*"], "Condition": {"StringEquals": { "s3:x-amz-acl": ["custom"], "s3:x-amz-grant-full-control": ["1234"] }} } ] }
MultipleResourceCondition Policy Summary:

MultipleResourceCondition S3 (Allow) Service Summary:

PutObject (Write) Action Summary:

Policy 4: EC2_troubleshoot
The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. This policy also permits viewing information about the items in the Amazon S3 developer bucket.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:GetConsoleScreenshot" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::developer" ] } ] }
EC2_Troubleshoot Policy Summary:

EC2_Troubleshoot S3 (Allow) Service Summary:

ListBucket (List) Action Summary:

Policy 5: Unrecognized_Service_Action
The following policy was intended to provide full access to DynamoDB, but that access fails
because dynamodb
is misspelled as dynamobd
. This policy was intended
to allow access to some Amazon EC2 actions in the us-east-2
Region, but
deny that access to the ap-northeast-2
Region. However, access to reboot
instances in the ap-northeast-2
Region is not explicitly denied because of the
unrecognized o
in the middle of the RebootInstances
action. This
example shows how you can use policy summaries to locate errors in your policies. To learn how
to edit policies based on information in a policy summary, see Editing policies to fix warnings.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamobd:*" ], "Resource": [ "*" ] }, { "Effect": "Deny", "Action": [ "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootoInstances" ], "Resource": "*", "Effect": "Deny", "Condition": { "StringEquals": { "ec2:Region": "ap-northeast-2" } } }, { "Action": [ "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances" ], "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ec2:Region": "us-east-2" } } } ] }
Unrecognized_Service_Action Policy Summary:

Unrecognized_Service_Action EC2 (Explicit deny) Service Summary:

Unrecognized_Service_Action StartInstances (Write) Action Summary:

Policy 6: CodeBuild_CodeCommit_CodeDeploy
This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources.
Because these resources are specific to each service, they appear only with the matching
service. If you include a resource that does not match any services in the Action
element, then the resource appears in all action summaries.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1487980617000", "Effect": "Allow", "Action": [ "codebuild:*", "codecommit:*", "codedeploy:*" ], "Resource": [ "arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project", "arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo", "arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App", "arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*" ] } ] }
CodeBuild_CodeCommit_CodeDeploy Policy Summary:

CodeBuild_CodeCommit_CodeDeploy CodeBuild (Allow) Service Summary:

CodeBuild_CodeCommit_CodeDeploy StartBuild (Write) Action Summary:
