AWS Identity and Access Management
User Guide

Service Summary (List of Actions)

Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The service summary table includes a list of the actions and summaries of the permissions that are defined by the policy for the chosen service.


[Image: Policy summaries diagram that illustrates the 3 tables and their relationship]

You can view a service summary for each service listed in the policy summary. The table is grouped into Uncategorized actions and access level sections. If the policy includes an action that IAM does not recognize, then the action is included in the Uncategorized actions section of the table. If IAM recognizes the action, then it is included under one of the access level (List, Read, Write, and Permissions management) sections of the table. To view a list of actions that belong to each of the access levels for a specific service, see AWS IAM Policy Actions Grouped by Access Level. To see a complete list of actions for a specific service, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.

Viewing Service Summaries

You can view the service summary for managed policies on the Policies page, or view service summaries for inline and managed policies attached to a user through the Users page. However, if you choose a service name on the Users page from a managed policy, you are redirected to the Policies page. Service summaries for managed policies must be viewed on the Policies page.

To view the service summary for a managed policy

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that you want to view.

  4. On the Summary page for the policy, view the Permissions tab to see the policy summary.

  5. In the policy summary list of services, choose the name of the service that you want to view.

To view the service summary for a policy attached to a user

  1. Sign in to the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users from the navigation pane.

  3. In the list of users, choose the name of the user whose policy you want to view.

  4. On the Summary page for the user, view the Permissions tab to see the list of policies that are attached to the user directly or from a group.

  5. In the table of policies for the user, choose the name of the policy that you want to view.

  6. In the policy summary list of services, choose the name of the service that you want to view.

    Note

    If the policy that you select is an inline policy that is attached directly to the user, then the service summary table appears. If the policy is an inline policy attached from a group, then you are taken to the JSON policy document for that group. If the policy is a managed policy, then you are taken to the service summary for that policy on the Policies page.

Understanding the Elements of a Service Summary

The example below is the service summary for Amazon S3 that is allowed from the SummaryAllElements policy summary (see Understanding the Elements of a Policy Summary). The actions for this service are grouped by Uncategorized actions and access level. For example, two Write actions are defined out of the total 21 Write actions available for the service.


[Image: Service summary dialog]

The service summary page for a managed policy includes the following information:

  1. Next to the Back link appears the name of the service (in this case S3). The service summary for this service includes the list of allowed actions that are defined in the policy. If instead, the text (Explicitly denied) appears next to the name of a service, then the actions listed in the service summary table are explicitly denied.

  2. Choose { } JSON to see additional details about the policy. You can do this to view all conditions that are applied to the actions. (If you are viewing the service summary for an inline policy that is attached directly to a user, you must close the service summary dialog box and return to the policy summary to access the JSON policy document.)

  3. To view the summary for a specific action, type keywords into the search box to reduce the list of available actions.

  4. Action (4 of 52 actions) – This column lists the actions that are defined within the policy and provides the resources and conditions for each action. The action name links to the action summary table. The count indicates the number of recognized actions that provide permissions. The total is the number of known actions for the service. In this example, 4 actions provide permissions out of 52 total known S3 actions.

  5. Show remaining 48 – Choose this link to expand the table to include actions that are known but not defined by the policy for this service.

  6. Unrecognized actions – This policy includes at least one unrecognized action within the service. You can use this warning to check whether an action might include a typo. If the action name is correct, then the service might not fully support policy summaries, might be in preview, or might be a custom service. To request policy summary support for a specific action in a generally available (GA) service, see Service Does Not Support IAM Policy Summaries. In this example, two actions are unrecognized. The DeletObject action is missing an e, and the ListBuckets action includes an extra s.

    Note

    IAM reviews services and actions for errors, but does not review resources or conditions. Your policy summary might include a resource or condition that does not exist. Always test your policies with the policy simulator.

  7. For those actions that IAM recognizes, the table groups these actions into one to four sections, depending on the level of access that the policy allows or denies. The sections are List, Read, Write, and Permissions management. You can also see the number of actions that are defined out of the total number of actions available within each access level. For information about which actions belong to each of the access levels for AWS services, see AWS IAM Policy Actions Grouped by Access Level. To see a complete list of actions for a specific service, see AWS Service Actions and Condition Context Keys for Use in IAM Policies.

  8. Resource – This column shows the resources that the policy defines for the service. IAM does not check whether the resource applies to each action. In this example, actions in the S3 service are allowed on only the developer_bucket Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as arn:aws:s3:::developer_bucket/*, or you might see the defined resource type, such as BucketName = developer_bucket.

    Note

    This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the service summary. IAM also does not indicate whether the action applies to the resources, only whether the service matches. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the policy simulator.

  9. Request condition – This column tells whether the actions associated with the resource are subject to conditions. This example has multiple request conditions. To learn more about those conditions, choose { } JSON to review the JSON policy document.
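
The two review points from items 6 and 8 (unrecognized action names, and resources whose service does not match the statement's actions) can also be checked offline against the JSON policy document. The following is an added example, not AWS code: the `KNOWN_ACTIONS` table is a small constructed subset of S3 actions, the sample policy is constructed, and the function names are hypothetical.

```python
import json
from difflib import get_close_matches
from fnmatch import fnmatchcase

# Constructed subset of S3 action names; load the full list from the
# service's actions reference for real use.
KNOWN_ACTIONS = {"s3": ["GetObject", "PutObject", "DeleteObject",
                        "ListBucket", "ListAllMyBuckets", "GetBucketLocation"]}

# Constructed policy: the two typos from item 6, plus a statement whose
# resource belongs to a different service than its action (note under item 8).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:DeletObject", "s3:ListBuckets"],
     "Resource": "arn:aws:s3:::developer_bucket/*"},
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Example"}
  ]
}""")

def as_list(value):
    """Policy elements may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (unrecognized_actions, mismatched_resources)."""
    unrecognized, mismatched = [], []
    for stmt in as_list(policy.get("Statement")):
        actions = as_list(stmt.get("Action"))
        services = {a.partition(":")[0].lower() for a in actions}
        for action in actions:
            service, _, name = action.partition(":")
            known = KNOWN_ACTIONS.get(service.lower())
            if known is None:
                continue  # service not in our table: cannot judge
            # Action names are case-insensitive and may contain wildcards.
            if not any(fnmatchcase(k.lower(), name.lower()) for k in known):
                hint = get_close_matches(name, known, n=1)
                unrecognized.append((action, hint[0] if hint else None))
        for resource in as_list(stmt.get("Resource")):
            parts = resource.split(":")
            if resource == "*" or parts[0] != "arn" or len(parts) < 6:
                continue  # wildcard or not a full ARN: nothing to compare
            if "*" not in services and parts[2] not in services:
                mismatched.append((resource, sorted(services)))
    return unrecognized, mismatched

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY))
```

Only `Action` and `Resource` elements are inspected; like the service summary, the check does not tell you whether an action actually applies to a resource of the matching service.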