AWS Identity and Access Management
User Guide

Using Policy Validator

Policy Validator examines your existing IAM access control policies for compliance with the IAM policy grammar. A policy is a JSON document written in the IAM policy grammar; it defines the access permissions for the IAM user, group, or role that you attach the policy to. If Policy Validator determines that a policy does not comply with the grammar, it prompts you to fix the policy. Policy Validator appears in the console only when you have non-compliant policies.

Important

You cannot save any new or updated policies that do not comply with the policy syntax. If a policy fails validation, it cannot be saved until the error is corrected. Existing policies with errors that were set up prior to the introduction of the Policy Validator will continue to function, however you cannot edit and save them without fixing the policy syntax errors.

Note

Policy Validator checks only JSON policy syntax and grammar. It does not validate that your ARNs, action names, or condition keys are correct, so a policy that passes validation can still name the wrong resource, action, or condition key and grant different permissions than you intended. Review the permissions a policy grants separately from its syntax.

Identifying and fixing non-compliant access control policies to comply with the policy grammar

  1. Sign in to the IAM console. If you have any non-compliant policies, a yellow banner titled Fix policy syntax appears at the top of the console page. If the banner does not appear, all of your policies comply with the grammar and no further action is needed.

  2. Click the Fix Now link.

  3. A list of the non-compliant policies appears. Select the policy that you want to correct by clicking the policy name.

  4. A page appears showing the recommended changes to your policy in an editing window at the top and the original version at the bottom. For example, the policy engine recommends changing two separate Resource elements in one statement (not valid) into a single Resource element whose value is an array containing both items (valid). For more information about the policy rules, see the AWS IAM Policy Reference.

  5. Do one of the following:

    • If you want to accept the recommended changes, click Apply Changes.

    • If you want to alter the policy further, you can edit directly in the top edit box. If you make any changes, the Validate button is enabled. When you are done, check the syntax against the rules by clicking Validate. If Policy Validator confirms that your edited policy is OK, click Apply Changes. If errors are reported, continue to edit the policy until it passes validation and then click Apply Changes.

  6. You are returned to the list of non-compliant policies, if any. Repeat the procedure for each until you have fixed all of your policies.
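The following Python script is an added example, not part of the AWS documentation and not an AWS API. It reproduces, offline, the two things the procedure above relies on: detecting a duplicate element such as the two Resource keys in step 4, and applying the recommended change of merging them into one array. It also demonstrates the caveat in the Note, since a constructed policy with a misspelled action name passes the grammar check untouched. The sample policies, the set of elements that are merged automatically (MERGEABLE_KEYS), and all function names are assumptions of this example. The security-relevant detail it makes visible is that a plain `json.loads` silently keeps only the last duplicate key, so any review tooling without a grammar check reads a different policy than the one the author wrote.

```python
import json

# Constructed sample: the "before" policy from step 4, with two separate
# Resource elements in one statement (not valid IAM policy grammar).
INVALID_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Resource": "arn:aws:s3:::example-logs/*"
    }
  ]
}"""

# Constructed sample: grammatically valid, but the action name is misspelled.
# A grammar check passes it; only a review of action names would catch it.
TYPO_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObjcet", "Resource": "*"}
  ]
}"""

# Assumption of this example: only these list-valued elements are merged into
# an array automatically. A duplicate of anything else (Effect, Sid, ...) has
# no single safe rewrite and is reported for manual editing instead.
MERGEABLE_KEYS = {"Action", "NotAction", "Resource", "NotResource"}


class Dup(list):
    """Marker holding every value seen for a key repeated inside one JSON object."""


class UnresolvedDuplicate(ValueError):
    """A duplicate key that this script refuses to rewrite mechanically."""


def _collect_pairs(pairs):
    """object_pairs_hook that keeps all values of a repeated key instead of the last."""
    out = {}
    for key, value in pairs:
        if key not in out:
            out[key] = value
        elif isinstance(out[key], Dup):
            out[key].append(value)
        else:
            out[key] = Dup([out[key], value])
    return out


def find_duplicate_keys(text):
    """Parse policy JSON; return (tree, [(dotted.path, [values...]), ...])."""
    tree = json.loads(text, object_pairs_hook=_collect_pairs)
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if isinstance(value, Dup):
                    found.append((here, list(value)))
                    for item in value:
                        walk(item, here)
                else:
                    walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(tree, "")
    return tree, found


def apply_recommended_fix(text):
    """Merge duplicate Action/Resource-style elements into one de-duplicated array."""
    tree, found = find_duplicate_keys(text)
    unresolved = [p for p, _ in found if p.rsplit(".", 1)[-1] not in MERGEABLE_KEYS]
    if unresolved:
        raise UnresolvedDuplicate(f"edit by hand: {unresolved}")

    def rewrite(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, Dup):
                    merged = []
                    for item in value:
                        for element in (item if isinstance(item, list) else [item]):
                            if element not in merged:
                                merged.append(element)
                    node[key] = merged  # same key, value replaced: safe while iterating
                else:
                    rewrite(value)
        elif isinstance(node, list):
            for item in node:
                rewrite(item)

    rewrite(tree)
    return tree


def to_json(tree):
    """Serialize a fixed policy back to JSON text for saving or re-checking."""
    return json.dumps(tree, indent=2)


def last_value_wins(text):
    """What a plain JSON parser sees for the statement's Resource: the first value is gone."""
    return json.loads(text)["Statement"][0]["Resource"]


if __name__ == "__main__":
    print("duplicates:", find_duplicate_keys(INVALID_POLICY)[1])
    print("plain parser keeps only:", last_value_wins(INVALID_POLICY))
    print(to_json(apply_recommended_fix(INVALID_POLICY)))
    print("typo policy duplicates:", find_duplicate_keys(TYPO_POLICY)[1])
```

Run the fixed output through `find_duplicate_keys` again before saving it, as the console's Validate button does; the script deliberately stops on duplicates it cannot merge so that an Effect or Sid conflict is resolved by a person rather than by whichever value happened to come last.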

You can edit any of your policies yourself at any time without using Policy Validator. Any policy whose compliance issues you fix is automatically removed from the list of non-compliant policies.