Policy summary (list of services) - AWS Identity and Access Management


Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The policy summary table includes a list of services and summaries of the permissions that are defined by the chosen policy.


[Image: policy summaries diagram illustrating the three tables and their relationship]

The policy summary table is grouped into one or more of the following sections: Uncategorized services, Explicit deny, and Allow. If the policy includes a service that IAM does not recognize, then the service is listed in the Uncategorized services section of the table. If IAM recognizes the service, then it is listed under the Explicit deny or Allow section of the table, depending on the effect of the statement that names it (Deny or Allow).

Viewing policy summaries

You can view the summaries for any policies that are attached to a user by choosing the policy name on the Permissions tab on the user details page. You can view the summaries for any policies that are attached to a role by choosing the policy name on the Permissions tab on the role details page. You can view the policy summary for managed policies on the Policies page. If your policy does not include a policy summary, see Missing policy summary to learn why.

To view the policy summary from the Policies page
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that you want to view.

  4. On the Policy details page for the policy, view the Permissions tab to see the policy summary.

To view the summary for a policy attached to a user
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users from the navigation pane.

  3. In the list of users, choose the name of the user whose policy you want to view.

  4. On the Summary page for the user, view the Permissions tab to see the list of policies that are attached to the user directly or from a group.

  5. In the table of policies for the user, expand the row of the policy that you want to view.

To view the summary for a policy attached to a role
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the list of roles, choose the name of the role whose policy you want to view.

  4. On the Summary page for the role, view the Permissions tab to see the list of policies that are attached to the role.

  5. In the table of policies for the role, expand the row of the policy that you want to view.

Editing policies to fix warnings

While viewing a policy summary, you might find a typo or notice that the policy does not provide the permissions that you expected. You cannot edit a policy summary directly. However, you can edit a customer managed policy using the visual policy editor, which catches many of the same errors and warnings that the policy summary reports. You can then view the changes in the policy summary to confirm that you fixed all of the issues. To learn how to edit an inline policy, see Editing IAM policies. You cannot edit AWS managed policies.

To edit a policy for your policy summary using the Visual option
  1. Open the policy summary as explained in the previous procedures.

  2. Choose Edit.

    If you are on the Users page and choose to edit a customer managed policy that is attached to that user, you are redirected to the Policies page. You can edit customer managed policies only on the Policies page.

  3. Choose the Visual option to view the editable visual representation of your policy. IAM might restructure your policy to optimize it for the visual editor and to make it easier for you to find and fix any problems. The warnings and error messages on the page can guide you to fix any issues with your policy. For more information about how IAM restructures policies, see Policy restructuring.

  4. Edit your policy and choose Next to see your changes reflected in the policy summary. If you still see a problem, choose Previous to return to the editing screen.

  5. Choose Save changes to save your changes.

To edit a policy for your policy summary with the JSON option
  1. Open the policy summary as explained in the previous procedures.

  2. You can use the Summary and JSON buttons to compare the policy summary to the JSON policy document. You can use this information to determine which lines in the policy document you want to change.

  3. Choose Edit and then choose the JSON option to edit the JSON policy document.

    Note

    You can switch between the Visual and JSON editor options any time. However, if you make changes or choose Next in the Visual editor option, IAM might restructure your policy to optimize it for the visual editor. For more information, see Policy restructuring.

    If you are on the Users page and choose to edit a customer managed policy that is attached to that user, you are redirected to the Policies page. You can edit customer managed policies only on the Policies page.

  4. Edit your policy. Resolve any security warnings, errors, or general warnings generated during policy validation, and then choose Next. If you still see a problem, choose Previous to return to the editing screen.

  5. Choose Save changes to save your changes.

Understanding the elements of a policy summary

In the following example of a policy details page, the SummaryAllElements policy is a customer managed policy that is attached directly to the user. This policy is expanded to show the policy summary.


[Image: policy summary on the policy details page]

In the preceding image, the policy summary is visible from within the Policies page:

  1. The Permissions tab includes the permissions defined in the policy.

  2. If the policy does not grant permissions to all the actions, resources, and conditions defined in the policy, then a warning or error banner appears at the top of the page. The policy summary then includes details about the problem. To learn how policy summaries help you to understand and troubleshoot the permissions that your policy grants, see My policy does not grant the expected permissions.

  3. Use the Summary and JSON buttons to toggle between the policy summary and the JSON policy document.

  4. Use the Search box to reduce the list of services and find a specific service.

  5. The expanded view shows additional details of the SummaryAllElements policy.

The following policy summary table image shows the expanded SummaryAllElements policy on the policy details page.


[Image: expanded policy summary table for the SummaryAllElements policy]

In the preceding image, the policy summary is visible from within the Policies page:

  1. For those services that IAM recognizes, it arranges services according to whether the policy allows or explicitly denies the use of the service. In this example, the policy includes a Deny statement for the Amazon S3 service and Allow statements for the Billing, CodeDeploy, and Amazon EC2 services.

  2. Service – This column lists the services that are defined within the policy and provides details for each service. Each service name in the policy summary table is a link to the service summary table, which is explained in Service summary (list of actions). In this example, permissions are defined for the Amazon S3, Billing, CodeDeploy, and Amazon EC2 services.

  3. Access level – This column tells whether the actions in each access level (List, Read, Write, Permission Management, and Tagging) have Full or Limited permissions defined in the policy. For additional details and examples of the access level summary, see Understanding access level summaries within policy summaries.

    • Full access – This entry indicates that the service has access to all actions within all of the access levels available for the service.

    • If the entry does not include Full access, then the service has access to some but not all of the actions for the service. The access is then described for each of the access level classifications (List, Read, Write, Permission Management, and Tagging) as follows:

      Full: The policy provides access to all actions within the listed access level classification. In this example, the policy provides access to all of the Billing Read actions.

      Limited: The policy provides access to one or more but not all actions within the listed access level classification. In this example, the policy provides access to some of the Billing Write actions.

  4. Resource – This column shows the resources that the policy specifies for each service.

    • Multiple – The policy includes more than one but not all of the resources within the service. In this example, access is explicitly denied to more than one Amazon S3 resource.

    • All resources – The policy is defined for all resources within the service. In this example, the policy allows the listed actions to be performed on all Billing resources.

    • Resource text – The policy includes one resource within the service. In this example, the listed actions are allowed on only the DeploymentGroupName CodeDeploy resource. Depending on the information that the service provides to IAM, you might see an ARN or you might see the defined resource type.

      Note

      This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the policy summary. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the policy simulator.

  5. Request condition – This column indicates whether the services or actions associated with the resource are subject to conditions.

    • None – The policy includes no conditions for the service. In this example no conditions are applied to the denied actions in the Amazon S3 service.

    • Condition text – The policy includes one condition for the service. In this example, the listed Billing actions are allowed only if the IP address of the source matches 203.0.113.0/24.

    • Multiple – The policy includes more than one condition for the service. To view each of the multiple conditions for the policy, choose JSON to view the policy document.

  6. Show remaining services – Toggle this button to expand the table to include the services that are not defined by the policy. These services are implicitly denied (or denied by default) within this policy. However, a statement in another policy might still allow or explicitly deny using the service. The policy summary summarizes the permissions of a single policy. To learn about how the AWS service decides whether a given request should be allowed or denied, see Policy evaluation logic.

When a policy or an element within the policy does not grant permissions, IAM provides additional warnings and information in the policy summary. The following policy summary table shows the SummaryAllElements policy details page with the remaining services expanded (Show remaining services) and the possible warnings.


[Image: policy summary table with remaining services expanded and warnings shown]

In the preceding image, you can see every service for which the policy defines actions, resources, or conditions that grant no permissions:

  1. Resource warnings – For services that do not provide permissions for all of the included actions or resources, you see one of the following warnings in the Resource column of the table:

    • No resources are defined. – This means that the service has defined actions but no supported resources are included in the policy.

    • One or more actions do not have an applicable resource. – This means that the service has defined actions, but that some of those actions don't have a supported resource.

    • One or more resources do not have an applicable action. – This means that the service has defined resources, but that some of those resources don't have a supporting action.

    If a service includes both actions that do not have an applicable resource and resources that do not have an applicable action, then only the One or more resources do not have an applicable action. warning is shown. This is because when you view the service summary for the service, resources that do not apply to any action are not shown. For the ListAllMyBuckets action, this policy includes the last warning because the action does not support resource-level permissions, and does not support the s3:x-amz-acl condition key. If you fix either the resource problem or the condition problem, the remaining issue appears in a detailed warning.

  2. Request condition warnings – For services that do not provide permissions for all of the included conditions, you see one of the following warnings in the Request condition column of the table:

    • One or more actions do not have an applicable condition. – This means that the service has defined actions, but that some of those actions don't have a supported condition.

    • One or more conditions do not have an applicable action. – This means that the service has defined conditions, but that some of those conditions don't have a supporting action.

  3. Multiple | One or more actions do not have an applicable resource. – The Deny statement for Amazon S3 includes more than one resource. It also includes more than one action, and some actions support the resources and some do not. To view this policy, see SummaryAllElements JSON policy document. In this case, the policy includes all Amazon S3 actions, and only the actions that can be performed on a bucket or bucket object are denied.

  4. No resources are defined – The service has defined actions, but no supported resources are included in the policy, and therefore the service provides no permissions. In this case, the policy includes CodeCommit actions but no CodeCommit resources.

  5. DeploymentGroupName | string like | All, region | string like | us-west-2 | One or more actions do not have an applicable resource. – The service has a defined action, and at least one more action that does not have a supporting resource.

  6. None | One or more conditions do not have an applicable action. – The service has at least one condition key that does not have a supporting action.

SummaryAllElements JSON policy document

The SummaryAllElements policy is not intended for you to use to define permissions in your account. Rather, it is included to demonstrate the errors and warnings that you might encounter while viewing a policy summary.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "billing:Get*",
        "payments:List*",
        "payments:Update*",
        "account:Get*",
        "account:List*",
        "cur:GetUsage*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::customer",
        "arn:aws:s3:::customer/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:GetConsoleScreenshots"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codedploy:*",
        "codecommit:*"
      ],
      "Resource": [
        "arn:aws:codedeploy:us-west-2:123456789012:deploymentgroup:*",
        "arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetObject",
        "s3:DeletObject",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::developer_bucket",
        "arn:aws:s3:::developer_bucket/*",
        "arn:aws:autoscling:us-east-2:123456789012:autoscalgrp"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": [
            "public-read"
          ],
          "s3:prefix": [
            "custom",
            "other"
          ]
        }
      }
    }
  ]
}
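The following script is an added example; it is not part of this page and not AWS code. It reproduces, offline, the service-level grouping (Uncategorized services, Explicit deny, Allow) and the Resource and Request condition columns described under Understanding the elements of a policy summary, and it adds the one check the Note in that section says IAM does not perform: flagging a statement whose Resource ARNs belong to a service that none of the statement's actions belong to (mismatched resources). KNOWN_SERVICES is a constructed stand-in for the registry of services IAM recognizes; any action prefix outside it lands in Uncategorized services, which is how the codedploy typo in the SummaryAllElements policy surfaces. The script does not know which actions support resource-level permissions or which condition keys each action accepts, so it cannot reproduce the "One or more actions do not have an applicable resource/condition" warnings; the policy simulator remains the authoritative check.

```python
"""Offline approximation of the IAM policy summary's service table.

Added example, not AWS code. Groups the services named in a policy into
the Uncategorized services / Explicit deny / Allow sections, derives the
Resource and Request condition columns, and reports mismatched resources,
which the console summary silently accepts.
"""
import json
from collections import defaultdict

# Constructed stand-in for the list of services IAM recognizes (assumption:
# the real registry is far longer). Unknown prefixes go to "Uncategorized
# services", which is where an action typo such as "codedploy" shows up.
KNOWN_SERVICES = {
    "account", "autoscaling", "billing", "codebuild", "codecommit",
    "codedeploy", "cur", "ec2", "iam", "payments", "s3",
}

# The page's SummaryAllElements policy, typos included (they are the point).
SUMMARY_ALL_ELEMENTS = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["billing:Get*", "payments:List*", "payments:Update*",
                "account:Get*", "account:List*", "cur:GetUsage*"],
     "Resource": ["*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]},
    {"Effect": "Allow", "Action": ["ec2:GetConsoleScreenshots"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["codedploy:*", "codecommit:*"],
     "Resource": ["arn:aws:codedeploy:us-west-2:123456789012:deploymentgroup:*",
                  "arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project"]},
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetObject", "s3:DeletObject",
                "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::developer_bucket", "arn:aws:s3:::developer_bucket/*",
                  "arn:aws:autoscling:us-east-2:123456789012:autoscalgrp"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"],
                                    "s3:prefix": ["custom", "other"]}}}
  ]
}"""


def _as_list(value):
    """Statement, Action and Resource may be a string or a list; normalize."""
    return value if isinstance(value, list) else [value]


def _action_service(action):
    """'s3:GetObject' -> 's3', the prefix the summary groups by."""
    return action.split(":", 1)[0].lower()


def _arn_service(arn):
    """arn:partition:service:region:account:resource -> service; None for '*'."""
    return None if arn == "*" else arn.split(":")[2].lower()


def _column(values, empty, all_marker=None):
    """Collapse a column's set into the summary wording (None/single/Multiple)."""
    if not values:
        return empty
    if all_marker is not None and values == {all_marker}:
        return "All resources"
    return next(iter(values)) if len(values) == 1 else "Multiple"


def summarize(policy_document):
    """Return ({(section, service): {"resource", "condition"}}, warnings)."""
    policy = json.loads(policy_document)
    rows = defaultdict(lambda: {"resources": set(), "conditions": set()})
    warnings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Condition is {operator: {condition_key: value}}; the column shows keys.
        condition_keys = {key for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        services = {_action_service(action) for action in actions}
        # Mismatched resource: an ARN whose service none of the actions belong
        # to. IAM neither rejects nor summarizes it, so it grants nothing.
        for arn in resources:
            owner = _arn_service(arn)
            if owner is not None and owner not in services:
                warnings.append(f"statement {index}: resource {arn} belongs to "
                                f"'{owner}' but the actions are for {sorted(services)}")
        for service in services:
            if service not in KNOWN_SERVICES:
                section = "Uncategorized services"
            else:
                section = "Allow" if stmt["Effect"] == "Allow" else "Explicit deny"
            row = rows[(section, service)]
            row["resources"].update(arn for arn in resources
                                    if _arn_service(arn) in (None, service))
            row["conditions"].update(condition_keys)
    table = {key: {"resource": _column(row["resources"], "No resources are defined.", "*"),
                   "condition": _column(row["conditions"], "None")}
             for key, row in rows.items()}
    return table, warnings


if __name__ == "__main__":
    table, warnings = summarize(SUMMARY_ALL_ELEMENTS)
    for (section, service), row in sorted(table.items()):
        print(f"{section:22} {service:12} {row['resource']:30} {row['condition']}")
    for warning in warnings:
        print("WARNING", warning)
```

Running it prints one row per (section, service) pair, so Amazon S3 appears twice, once under Explicit deny with Multiple resources and no condition, and once under Allow with Multiple resources and Multiple conditions, matching the table described above. The three mismatched-resource warnings are the ones the console summary never shows: both ARNs in the codedploy/codecommit statement (the codedeploy ARN only matches once the action prefix typo is fixed) and the autoscling ARN in the last Amazon S3 statement.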