Action summary (list of resources) - AWS Identity and Access Management
Viewing action summariesUnderstanding the elements of an action summary

Action summary (list of resources)

Policies are summarized in three tables: the policy summary, the service summary, and the action summary. The action summary table includes a list of resources and the associated conditions that apply to the chosen action.

policy summaries diagram that illustrates the 3 tables and their relationship.

To view an action summary for each action that grants permissions, choose the link in the service summary. The action summary table includes details about the resource, including its Region and Account. You can also view the conditions that apply to each resource. This shows you conditions that apply to some resources but not others.

Viewing action summaries

You can view the action summary for managed policies, any policy that is attached to a user, and any policy that is attached to a role on the Policies page.

To view the action summary for a managed policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, choose the name of the policy that you want to view.

  4. On the Policy details page for the policy, view the Permissions tab to see the policy summary.

  5. In the policy summary list of services, choose the name of the service that you want to view.

  6. In the service summary list of actions, choose the name of the action that you want to view.

To view the action summary for a policy attached to a user

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Choose Users from the navigation pane.

  3. In the list of users, choose the name of the user whose policy you want to view.

  4. On the Summary page for the user, view the Permissions tab to see the list of policies that are attached to the user directly or from a group.

  5. In the table of policies for the user, choose the name of the policy that you want to view.

    If you are on the Users page and choose to view the service summary for a policy that is attached to that user, you are redirected to the Policies page. You can view service summaries only on the Policies page.

  6. In the policy summary list of services, choose the name of the service that you want to view.

    Note

    If the policy that you select is an inline policy that is attached directly to the user, then the service summary table appears. If the policy is an inline policy attached from a group, then you are taken to the JSON policy document for that group. If the policy is a managed policy, then you are taken to the service summary for that policy on the Policies page.

  7. In the service summary list of actions, choose the name of the action that you want to view.

To view the action summary for a policy attached to a role

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Roles.

  3. In the list of roles, choose the name of the role whose policy you want to view.

  4. On the Summary page for the role, view the Permissions tab to see the list of policies that are attached to the role.

  5. In the table of policies for the role, choose the name of the policy that you want to view.

    If you are on the Roles page and choose to view the service summary for a policy that is attached to that user, you are redirected to the Policies page. You can view service summaries only on the Policies page.

  6. In the policy summary list of services, choose the name of the service that you want to view.

  7. In the service summary list of actions, choose the name of the action that you want to view.

Understanding the elements of an action summary

The example below is the action summary for the PutObject (Write) action from the Amazon S3 service summary (see Service summary (list of actions)). For this action, the policy defines multiple conditions on a single resource.

Action summary dialog image

The action summary page includes the following information:

  1. Choose JSON to see additional details about the policy, such as viewing the multiple conditions that are applied to the actions. (If you are viewing the action summary for an inline policy that is attached directly to a user, the steps differ. To access the JSON policy document in that case, you must close the action summary dialog box and return to the policy summary.)

  2. To view the summary for a specific resource, type keywords into the Search box to reduce the list of available resources.

  3. Next to the Actions back arrow appears the name of the service and action in the format action name action in service (in this case PutObject action in S3). The action summary for this service includes the list of resources that are defined in the policy.

  4. Resource – This column lists the resources that the policy defines for the chosen service. In this example, the PutObject action is allowed on all object paths, but on only the developer_bucket Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as arn:aws:s3:::developer_bucket/*, or you might see the defined resource type, such as BucketName = developer_bucket, ObjectPath = All.

  5. Region – This column shows the Region in which the resource is defined. Resources can be defined for all Regions, or a single Region. They cannot exist in more than one specific Region.

    • All regions – The actions that are associated with the resource apply to all Regions. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all Regions.

    • Region text – The actions associated with the resource apply to one Region. For example, a policy can specify the us-east-2 Region for a resource.

  6. Account – This column indicates whether the services or actions associated with the resource apply to a specific account. Resources can exist in all accounts or a single account. They cannot exist in more than one specific account.

    • All accounts – The actions that are associated with the resource apply to all accounts. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all accounts.

    • This account – The actions that are associated with the resource apply only in the current account..

    • Account number – The actions that are associated with the resource apply to one account (one that you are not currently logged in to). For example, if a policy specifies the 123456789012 account for a resource, then the account number appears in the policy summary.

  7. Request condition – This column shows whether the actions that are associated with the resource are subject to conditions. This example includes the s3:x-amz-acl = public-read condition. To learn more about those conditions, choose JSON to review the JSON policy document.