AWS Identity and Access Management
User Guide

Policy Summary (List of Services)

Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The policy summary table includes a list of services and summaries of the permissions that are defined by the chosen policy.


(Image: policy summaries diagram that illustrates the three tables and their relationship)

The policy summary table is grouped into up to three sections: Uncategorized services, Explicit deny, and Allow. If the policy includes a service that IAM does not recognize, then the service is included in the Uncategorized services section of the table. If IAM recognizes the service, then it is included under the Explicit deny or Allow section of the table, depending on the effect of the policy (Deny or Allow).

Viewing Policy Summaries

You can view the summaries for any policies that are attached to a user on the Users page. You can view the policy summary for managed policies on the Policies page. If your policy does not include a policy summary, see Missing Policy Summary to learn why.

To view the policy summary from the Policies page

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that you want to view.

  4. On the Summary page for the policy, view the Permissions tab to see the policy summary.

To view the summary for a policy attached to a user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users from the navigation pane.

  3. In the list of users, choose the name of the user whose policy you want to view.

  4. On the Summary page for the user, view the Permissions tab to see the list of policies that are attached to the user directly or from a group.

  5. In the table of policies for the user, choose the name of the policy that you want to view.

Editing Policies to Change Policy Summaries

While viewing a policy summary, you might find a typo or notice that the policy does not provide the permissions you expected. You cannot edit a policy summary directly. However, you can edit the policy using the JSON policy editor and then view the changes in the policy summary. You cannot edit AWS managed policies.

To edit a policy for your policy summary

  1. Open the policy summary as explained in the previous procedures.

  2. Choose { } JSON and Policy summary to compare the policy summary to the JSON policy document. You can use this information to determine which lines in the policy document you want to change.

  3. Choose Edit policy to edit the JSON policy document.

    If you are on the Users page and choose to edit a customer managed policy that is attached to that user, you are redirected to the Policies page. You can edit customer managed policies only on the Policies page.

  4. Edit your policy and choose Save to save your changes.

  5. Choose Policy summary to see your changes reflected in the policy summary.

Understanding the Elements of a Policy Summary

In the following example of a user details page, the PolSumUser user has eight attached policies. The SummaryAllElements policy is a managed policy (customer managed policy) that is attached directly to the user. This policy is expanded to show the policy summary.


(Image: policy summary dialog)

In the preceding image, the policy summary is visible from within the user details page:

  1. The Permissions tab for a user includes the policies that are attached to the PolSumUser user.

  2. The SummaryAllElements policy is one of several policies that are attached to the user. The policy is expanded in order to view the policy summary.

  3. Use the Policy summary and { } JSON buttons to toggle between the policy summary and the JSON policy document.

  4. Simulate policy opens the policy simulator for testing the policy.

  5. Use the search box to reduce the list of services and easily find a specific service.

  6. The expanded view shows additional details of the SummaryAllElements policy.

The following policy summary table image shows the expanded SummaryAllElements policy on the PolSumUser user details page.


(Image: policy summary table)

In the preceding image, the policy summary table includes the following elements:

  1. Service – This column lists the services that are defined within the policy and provides details for each service. Each service name in the policy summary table is a link to the service summary table, which is explained in Service Summary (List of Actions). In this example, permissions are defined for the Amazon S3, Billing, and Amazon EC2 services. The policy also defines permissions for a (misspelled) codedploy service, which IAM does not recognize.

  2. Unrecognized services – This policy includes an unrecognized service (in this case codedploy). You can use this warning to check whether a service name might include a typo. If the service name is correct, then the service might not support policy summaries, might be in preview, or might be a custom service. To request policy summary support for a generally available (GA) service, see Service Does Not Support IAM Policy Summaries. In this example, the policy includes an unrecognized codedploy service that is missing an e. Because of this typo, the policy does not provide the expected AWS CodeDeploy permissions. You can edit the policy to include the accurate codedeploy service name; the service then appears in the policy summary.

  3. For those services that IAM recognizes, it arranges services according to whether the policy allows or explicitly denies the use of the service. In this example, the policy includes Allow and Deny statements for the Amazon S3 service. Therefore the policy summary includes S3 within both the Explicit deny and Allow sections.

  4. Show remaining 97 – Choose this link to expand the table to include the services that are not defined by the policy. These services are implicitly denied (or denied by default) within this policy. However, a statement in another policy might still allow or explicitly deny using the service. The policy summary summarizes the permissions of a single policy. To learn about how the AWS service decides whether a given request should be allowed or denied, see IAM Policy Evaluation Logic.

  5. S3 – This service includes an unrecognized action. IAM recognizes service names and actions for services that support policy summaries. When a service is recognized but contains an action that is not recognized, IAM includes a warning next to that action. In this example, IAM can't recognize at least one Amazon S3 action. To learn more about unrecognized actions and to view the unrecognized action in the S3 service summary, see Service Summary (List of Actions).

    Note

    IAM reviews services and actions for errors, but does not review resources or conditions. Your policy summary might include a resource or condition that does not exist. Always test your policies with the policy simulator.

  6. Access level – This column tells whether the actions in each access level (List, Read, Write, and Permissions management) have Full or Limited permissions defined in the policy. For additional details and examples of the access level summary, see Understanding Access Level Summaries Within Policy Summaries.

    • Full access – This entry indicates that the service has access to all actions within all four of the access levels available for the service. In this example, because this row is in the Explicit deny section of the table, all Amazon S3 actions are denied for the resources included in the policy.

    • If the entry does not include Full access, then the service has access to some but not all of the actions for the service. The access is then described by one of the following entries for each of the four access level classifications (List, Read, Write, and Permissions management):

      Full: The policy provides access to all actions within each access level classification listed. In this example, the policy provides access to all of the Billing Read actions.

      Limited: The policy provides access to one or more but not all actions within each access level classification listed. In this example, the policy provides access to some of the Billing Write actions.

  7. Resource – This column shows the resources that the policy specifies for each service.

    • Multiple – The policy includes more than one but not all of the resources within the service. In this example, access is explicitly denied to more than one Amazon S3 resource.

    • All resources – The policy is defined for all resources within the service. In this example, the policy allows the listed actions to be performed on all Billing resources.

    • Resource text – The policy includes one resource within the service. In this example, the listed actions are allowed on only the developer_bucket Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as arn:aws:s3:::developer_bucket/*, or you might see the defined resource type, such as BucketName = developer_bucket.

      Note

      This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the policy summary. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the policy simulator.

  8. Request condition – This column indicates whether the services or actions associated with the resource are subject to conditions.

    • None – The policy includes no conditions for the service. In this example no conditions are applied to the denied actions in the Amazon S3 service.

    • Condition text – The policy includes one condition for the service. In this example, the listed Billing actions are allowed only if the IP address of the source matches 203.0.113.0/24.

    • Multiple – The policy includes more than one condition for the service. In this example, access to the listed Amazon S3 actions is allowed based on more than one condition. To view each of the multiple conditions for the policy, choose { } JSON to view the policy document.
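The following Python script is an added example, not code from the AWS documentation or from IAM itself. It reproduces in miniature what the policy summary table described above does for a policy document: it groups each statement's actions into the Uncategorized services, Explicit deny, and Allow sections (the grouping described at the top of this page), renders the Resource and Request condition columns with the same Multiple, All resources, and None labels described in the element list above, and adds the mismatched-resource check that the Resource note says IAM does not perform. The embedded policy is constructed for this example (it is not the SummaryAllElements policy from the images), the KNOWN_SERVICES set is an assumed stand-in for IAM's own service table, and the action-prefix-versus-ARN comparison is a heuristic: the Access level column is not reproduced because it needs AWS's per-action access level classification.

```python
import json

# Constructed example policy (an assumption, not the SummaryAllElements policy from
# the AWS docs). It reproduces the features the page describes: an S3 Allow and an S3
# explicit Deny, Billing actions gated on a source IP, a misspelled "codedploy"
# service, and one statement whose resource belongs to a different service.
EXAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::developer_bucket/*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": "private"},
                       "Bool": {"aws:SecureTransport": "true"}}},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::finance_bucket", "arn:aws:s3:::finance_bucket/*"]},
        {"Effect": "Allow",
         "Action": ["aws-portal:View*", "aws-portal:ModifyBilling"],
         "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Allow",
         "Action": "codedploy:ListApplications",   # typo: should be codedeploy
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": "ec2:DescribeInstances",
         "Resource": "arn:aws:s3:::developer_bucket"},   # EC2 action, S3 resource
    ],
})

# Assumed, hand-maintained set of recognized service prefixes. IAM uses its own table;
# anything not listed here lands in the Uncategorized services section.
KNOWN_SERVICES = {"s3", "ec2", "aws-portal", "codedeploy", "iam"}

SECTIONS = ("Uncategorized services", "Explicit deny", "Allow")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def summarize_policy(policy_json):
    """Group a policy's statements per service the way the policy summary table does.

    Returns (summary, mismatched): summary maps section -> service -> details, and
    mismatched lists (action, resource) pairs whose ARN names a different service.
    """
    policy = json.loads(policy_json)
    summary = {section: {} for section in SECTIONS}
    mismatched = []
    for statement in _as_list(policy["Statement"]):
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        # One entry per (operator, condition key), which is what the column counts.
        condition_keys = {(op, key)
                          for op, keys in statement.get("Condition", {}).items()
                          for key in keys}
        for action in actions:
            service = action.split(":", 1)[0].lower()
            if service not in KNOWN_SERVICES:
                section = "Uncategorized services"
            elif statement.get("Effect") == "Deny":
                section = "Explicit deny"
            else:
                section = "Allow"
            entry = summary[section].setdefault(
                service, {"actions": set(), "resources": set(), "conditions": set()})
            entry["actions"].add(action)
            entry["resources"].update(resources)
            entry["conditions"].update(condition_keys)
            # Heuristic mismatch check the page says IAM does not perform: compare the
            # ARN's service field (third colon-separated field) with the action prefix.
            # "*" and other non-ARN resources are skipped.
            for resource in resources:
                if resource.startswith("arn:"):
                    arn_service = resource.split(":")[2].lower()
                    if arn_service != service:
                        mismatched.append((action, resource))
    return summary, mismatched


def resource_column(resources):
    """Render the Resource column: All resources / Multiple / the single resource text."""
    if "*" in resources:
        return "All resources"
    if len(resources) > 1:
        return "Multiple"
    return next(iter(resources))


def condition_column(conditions):
    """Render the Request condition column: None / Multiple / the single condition."""
    if not conditions:
        return "None"
    if len(conditions) > 1:
        return "Multiple"
    op, key = next(iter(conditions))
    return f"{key} ({op})"


def render(summary, mismatched):
    """Produce the table rows as text lines, followed by any mismatch warnings."""
    lines = []
    for section in SECTIONS:
        for service, entry in sorted(summary[section].items()):
            lines.append(f"{section:22} {service:12} "
                         f"{resource_column(entry['resources']):34} "
                         f"{condition_column(entry['conditions'])}")
    for action, resource in mismatched:
        lines.append(f"MISMATCHED RESOURCE: {action} on {resource}")
    return lines


if __name__ == "__main__":
    print("\n".join(render(*summarize_policy(EXAMPLE_POLICY))))
```

Running the script lists codedploy under Uncategorized services, S3 under both Explicit deny (Multiple resources, no condition) and Allow (one bucket ARN, Multiple conditions), aws-portal under Allow with All resources and the single aws:SourceIp condition, and flags the EC2 statement whose resource is an S3 ARN. As with the console summary, a clean grouping says nothing about what other policies attached to the same principal allow or deny; the policy simulator remains the place to test the combined effect.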