AWS Security Blog

Quickly Diagnose Policy Errors by Using the AWS Identity and Access Management Console

Have you ever spent time searching for a syntax error—such as a missing comma—when editing an AWS Identity and Access Management (IAM) policy? If so, you will be happy to hear that AWS has made it easier for you to identify and correct such errors. To help you find the source of the errors, we’ve added a new Validate Policy button to the IAM console. This button returns a JSON error message that identifies the line number where the error occurs. Check for errors before you apply your policy, or validate your policy at any time during the policy authoring process.

In this blog post, I’ll demonstrate how you can quickly debug errors in your IAM policies. Let’s start by creating a new managed policy that will enable your IAM users to manage their own credentials. 

First, open the IAM console, and then click Policies in the navigation pane.

Image of Policies in navigation pane

Next, click Create Policy to create your own managed policy.

Image of Create Policy button

Click the Select button next to Create Your Own Policy.

Image of the Select button next to Create Your Own Policy

For this example, let's name the policy UsersManageOwnCredentials. Next, copy the following policy, which is deliberately missing a comma for this example, and paste it in the Policy Document box. Don't forget to replace the YOUR-ACCOUNT-ID-HERE placeholder in the Resource element with your own account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MissingCommaPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID-HERE:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListUsers"
            "Resource": "*"
        }
    ]
}

The Review Policy page should look the way it does in the following image. Note that this policy is missing a comma after the "Action": "iam:ListUsers" element. Click Validate Policy to check the policy for errors.

Image of how your Review Policy page should look

For this example, the error message shown in the following image appears at the top of the page to let you know that you are missing a comma at the end of line 20.

Image of the policy with the error message

Add a comma to the end of line 20, and then click Validate Policy to confirm that you corrected the error. This time, the message at the top of the page tells you that this policy is valid. Note that policy validation is also applied when you click Apply Policy.

Image of the valid policy

Click Create Policy to create the validated policy. You have created your own managed policy, which you can attach to any users, groups, and roles in your AWS account. Learn more about managing your managed policy.
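The same kind of check can run offline before a policy ever reaches the console, for example in a pre-commit hook. The following script is an added example, not code from this post or from AWS: it re-creates the missing-comma policy from above, uses Python's JSON parser to locate the syntax error, and reports it the way the console does (the comma belongs at the end of line 20, even though the parser stops at the token on line 21). The structural checks after the syntax pass (Effect value, leftover YOUR-ACCOUNT-ID-HERE placeholder) are a minimal lint of my own, not the full IAM policy grammar.

```python
import json

# Constructed copy of the post's policy, still missing the comma after
# "Action": "iam:ListUsers" (line 20 when the opening "{" is line 1).
MISSING_COMMA_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MissingCommaPolicy",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:GetLoginProfile",
                "iam:UpdateLoginProfile"
            ],
            "Resource": "arn:aws:iam::YOUR-ACCOUNT-ID-HERE:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": "iam:ListUsers"
            "Resource": "*"
        }
    ]
}"""


def validate_policy(text: str) -> list:
    """Return problems found; [] means valid. Syntax first, then structure."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        if err.msg.startswith("Expecting ',' delimiter"):
            # Python points at the token after the gap; report the end of the
            # previous non-blank line instead, which is where the comma belongs.
            lines, prev = text.splitlines(), err.lineno - 1
            while prev > 1 and not lines[prev - 1].strip():
                prev -= 1
            return [f"Missing comma at the end of line {prev}"]
        return [f"Line {err.lineno}, column {err.colno}: {err.msg}"]
    problems, stmts = [], doc.get("Statement", [])
    for i, s in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        if "YOUR-ACCOUNT-ID-HERE" in json.dumps(s.get("Resource", "")):
            problems.append(f"Statement {i}: replace YOUR-ACCOUNT-ID-HERE with your account ID")
    return problems
```

Running validate_policy(MISSING_COMMA_POLICY) returns ["Missing comma at the end of line 20"]; after the comma is added it still flags the placeholder account ID until you substitute your own.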

To get started using policy validation with your policies, sign in to the IAM console. If you want to learn more about policies, visit the IAM policy documentation. Post your questions or suggestions on the IAM forum.

– Brigid