AWS IAM policy validator


About the AWS IAM policy validator

The AWS IAM policy validator is a browser-based tool for validating AWS Identity and Access Management (IAM) policies. It runs entirely in your browser, so the policies you paste never leave your machine. Paste an IAM policy and the validator analyses it for conformity with the IAM policy format and for common mistakes and risky permissions.

The AWS IAM policy validator is built on top of Parliament, an IAM policy linting library written in Python by Duo Labs. If you need to validate IAM policies locally or in CI, you can use that library directly and get the same results as this online tool.
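To make concrete what "validating a policy for conformity and potential errors" means, here is a small structural linter for identity-based IAM policies. It is an added example written for this page, not Parliament's code or API, and it implements only a subset of the rules IAM enforces (top-level and statement elements, Version, Effect, Action/NotAction, Resource/NotResource, action name format) plus two risk warnings; the sample policy it runs on is constructed for the example.

```python
import json
import re

# Added example: a minimal linter for identity-based IAM policies. Not Parliament's
# code; the rules below are a subset of what IAM and Parliament actually check.

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}
TOP_LEVEL_KEYS = {"Version", "Id", "Statement"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
# "*" or "<service-prefix>:<ActionName>"; wildcards are allowed in the action part.
ACTION_RE = re.compile(r"^(\*|[a-z0-9-]+:[A-Za-z0-9*]+)$", re.IGNORECASE)


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy(policy_doc):
    """Return a list of (severity, message) findings for a policy document string."""
    findings = []
    try:
        policy = json.loads(policy_doc)
    except json.JSONDecodeError as exc:
        return [("ERROR", f"policy is not valid JSON: {exc}")]
    if not isinstance(policy, dict):
        return [("ERROR", "top-level element must be a JSON object")]

    for key in sorted(set(policy) - TOP_LEVEL_KEYS):
        findings.append(("ERROR", f"unknown top-level element {key!r}"))
    version = policy.get("Version")
    if version is None:
        findings.append(("WARNING", "missing Version; policy variables such as ${aws:username} are not interpreted"))
    elif version not in VALID_VERSIONS:
        findings.append(("ERROR", f"unknown Version {version!r}"))
    if "Statement" not in policy:
        findings.append(("ERROR", "missing Statement"))

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            findings.append(("ERROR", f"{where}: statement must be an object"))
            continue
        for key in sorted(set(stmt) - STATEMENT_KEYS):
            findings.append(("ERROR", f"{where}: unknown element {key!r}"))
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):  # Effect is case-sensitive
            findings.append(("ERROR", f"{where}: Effect must be exactly 'Allow' or 'Deny', got {effect!r}"))
        if ("Action" in stmt) == ("NotAction" in stmt):
            findings.append(("ERROR", f"{where}: exactly one of Action or NotAction is required"))
        if ("Resource" in stmt) == ("NotResource" in stmt):
            findings.append(("ERROR", f"{where}: exactly one of Resource or NotResource is required"))
        if "Principal" in stmt or "NotPrincipal" in stmt:
            findings.append(("ERROR", f"{where}: Principal is only valid in resource-based policies"))
        for action in _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction")):
            if not isinstance(action, str) or not ACTION_RE.match(action):
                findings.append(("ERROR", f"{where}: malformed action {action!r}"))
        if effect == "Allow" and "NotAction" in stmt:
            findings.append(("WARNING", f"{where}: Allow with NotAction grants every action not listed"))
        if effect == "Allow" and "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            findings.append(("WARNING", f"{where}: Action '*' on Resource '*' grants full administrative access"))
    return findings


# Constructed sample policy with one clean statement, one with typos, one over-broad.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "Typos", "Effect": "allow", "Actions": "ec2:*", "Resource": "*"},
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}"""

if __name__ == "__main__":
    for severity, message in validate_policy(SAMPLE_POLICY):
        print(f"{severity}: {message}")
```

Run as a script it reports three errors for the "Typos" statement (unknown element "Actions", lower-case Effect, missing Action) and a warning for the full-admin statement; the "ReadBucket" statement passes.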

Learn more about IAM policies

Identity and Access Management (IAM) policies are the standard way of managing access to resources and services in AWS. An IAM policy is a JSON document containing one or more statements that define which actions are allowed or denied on which resources. A policy is attached either to an IAM identity (a user, group or role) or to a resource. Every time a principal (the user or role making a request) calls AWS, whether through the console, CLI or API, all policies that apply to that request are evaluated to decide whether it is allowed.

There are six types of IAM policies: identity-based policies, resource-based policies, permissions boundaries, service control policies, access control lists, and session policies.

  • Identity-based policies are policies that give permissions to IAM identities such as users, roles or groups.
  • Resource-based policies are policies that can be attached to AWS resources, such as S3 buckets. This type of policy specifies who can access a resource, and how.
  • Sometimes it makes sense to limit which permissions an identity can ever be given. For example, you may never want a particular IAM user to be able to create EC2 instances. In that case you can use a permissions boundary. A boundary sets the maximum permissions an identity-based policy can grant: an action is allowed only if both the identity-based policy and the boundary allow it, so a request can be denied even though the principal's identity-based policy allows it.
  • Service control policies (SCPs) are similar in that they also cap the permissions an IAM identity can have. The difference is scope: SCPs are part of AWS Organizations and apply to every principal in the accounts or organisational units they are attached to, while a permissions boundary applies to a single IAM user or role. Like a boundary, an SCP never grants permissions by itself; an action still needs an identity-based policy that allows it.
  • Access control lists (ACLs) differ from the other policy types in that they are the only type that does not use the JSON policy format. ACLs specify which principals in other accounts can access a resource, and they are supported only by Amazon S3, AWS WAF and Amazon VPC.
  • Finally there are session policies, which are passed when a temporary session is created (for example with AssumeRole) to further restrict the permissions of that session. The restriction lasts only as long as the session: when the session ends, so does the session policy.
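The interplay between these policy types is easiest to see by running a request through them. The following is an added example written for this page, not code from the validator or from Parliament: a simplified evaluator that applies the order AWS documents for a same-account request (an explicit Deny anywhere wins; every limiting layer that is present, i.e. SCPs, the permissions boundary and the session policy, must allow; finally an identity-based policy must allow). It ignores Condition blocks and resource-based policies, treats all SCPs as a single layer, and runs on constructed sample policies with the example account ID 123456789012.

```python
import json
from fnmatch import fnmatchcase

# Added example: a simplified IAM evaluation model. Conditions, resource-based
# policies and the per-OU evaluation of SCPs are deliberately out of scope.


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """True if any IAM-style wildcard pattern ('*', '?') matches the value."""
    if case_insensitive:  # action names are matched case-insensitively, ARNs are not
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt:
        action_ok = _matches(_as_list(stmt["Action"]), action, case_insensitive=True)
    else:
        action_ok = not _matches(_as_list(stmt.get("NotAction")), action, case_insensitive=True)
    if "Resource" in stmt:
        resource_ok = _matches(_as_list(stmt["Resource"]), resource)
    elif "NotResource" in stmt:
        resource_ok = not _matches(_as_list(stmt["NotResource"]), resource)
    else:
        resource_ok = True
    return action_ok and resource_ok


def policy_decision(policy_doc, action, resource):
    """Decision of one policy document: 'Deny', 'Allow', or None (no matching statement)."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    decision = None
    for stmt in _as_list(policy.get("Statement")):
        if not _applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny within a document cannot be overridden
        decision = "Allow"
    return decision


def evaluate(action, resource, identity_policies, boundary=None, scps=(), session_policy=None):
    """Return (allowed, reason) for a same-account request."""
    identity = [policy_decision(p, action, resource) for p in identity_policies]
    limits = {
        # all SCPs are treated as one layer; in a real organisation every OU level must allow
        "service control policies": [policy_decision(p, action, resource) for p in scps],
        "permissions boundary": [policy_decision(boundary, action, resource)] if boundary else [],
        "session policy": [policy_decision(session_policy, action, resource)] if session_policy else [],
    }
    if "Deny" in identity or any("Deny" in d for d in limits.values()):
        return False, "explicit deny"
    for layer, decisions in limits.items():
        if decisions and "Allow" not in decisions:
            return False, f"not allowed by {layer}"
    if "Allow" in identity:
        return True, "allowed by identity-based policy within all limits"
    return False, "implicit deny: no identity-based policy allows the action"


# Constructed sample policies (hypothetical account 123456789012).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:GetObject"], "Resource": "*"}]}
# Permissions boundary: this user may never exercise anything outside S3.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# SCPs: the default FullAWSAccess plus an organisation-wide deny on one bucket.
SCPS = [
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "s3:GetObject",
                                            "Resource": "arn:aws:s3:::restricted-bucket/*"}]},
]
# Session policy that narrows a session down to listing buckets only.
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}

if __name__ == "__main__":
    for act, res in [("ec2:RunInstances", "arn:aws:ec2:eu-west-1:123456789012:instance/*"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("s3:GetObject", "arn:aws:s3:::restricted-bucket/secret.txt"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")]:
        print(act, res, evaluate(act, res, [IDENTITY_POLICY], boundary=BOUNDARY, scps=SCPS))
```

The first request reproduces the permissions boundary case from the list above: the identity-based policy allows `ec2:RunInstances`, but the boundary only covers S3, so the request fails. The third shows an SCP deny overriding both the identity policy and the boundary, and passing `SESSION_POLICY` to `evaluate` for the second request shows a session being narrowed below what the user could otherwise do.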