docs.aws.amazon.com
Open in
urlscan Pro
18.66.147.89
Public Scan
URL:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
Submission: On January 17 via api from BR — Scanned from DE
Submission: On January 17 via api from BR — Scanned from DE
Form analysis
0 forms found in the DOMText Content
SELECT YOUR COOKIE PREFERENCES We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can click “Customize cookies” to decline performance cookies. If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To continue without accepting these cookies, click “Continue without accepting.” To make more detailed choices or learn more, click “Customize cookies.” Accept all cookiesContinue without acceptingCustomize cookies CUSTOMIZE COOKIE PREFERENCES We use cookies and similar tools (collectively, "cookies") for the following purposes. ESSENTIAL Essential cookies are necessary to provide our site and services and cannot be deactivated. They are usually set in response to your actions on the site, such as setting your privacy preferences, signing in, or filling in forms. PERFORMANCE Performance cookies provide anonymous statistics about how customers navigate our site so we can improve site experience and performance. Approved third parties may perform analytics on our behalf, but they cannot use the data for their own purposes. Allow performance category Allowed FUNCTIONAL Functional cookies help us provide useful site features, remember your preferences, and display relevant content. Approved third parties may set these cookies to provide certain site features. If you do not allow these cookies, then some or all of these services may not function properly. Allow functional category Allowed ADVERTISING Advertising cookies may be set through our site by us or our advertising partners and help us deliver relevant marketing content. If you do not allow these cookies, you will experience less relevant advertising. Allow advertising category Allowed Blocking some types of cookies may impact your experience of our sites. You may review and change your choices at any time by clicking Cookie preferences in the footer of this site. We and selected third-parties use cookies or similar technologies as specified in the AWS Cookie Notice . CancelSave preferences UNABLE TO SAVE COOKIE PREFERENCES We will only store essential cookies at this time, because we were unable to save your cookie preferences. If you want to change your cookie preferences, try again later using the link in the AWS console footer, or contact support if the problem persists. Dismiss Contact Us English Create an AWS Account 1. AWS 2. ... 3. Documentation 4. AWS Identity and Access Management 5. User Guide Feedback Preferences AWS IDENTITY AND ACCESS MANAGEMENT USER GUIDE * What is IAM? * How IAM works * Users in AWS * Permissions and policies in IAM * What is ABAC? * Security features outside IAM * Quick links to common tasks * Working with AWS SDKs * Getting set up * Getting started * How IAM users sign in * IAM console search * Tutorials * Delegate access to the billing console * Delegate access across AWS accounts using roles * Create a customer managed policy * Use attribute-based access control (ABAC) * Use SAML session tags for ABAC * Permit users to manage their credentials and MFA settings * Signing in to AWS * Your AWS account ID and its alias * AWS sign-in issues * Identities * Users * Adding a user * Controlling user access to the console * How IAM users sign in to AWS * Using MFA devices with your IAM sign-in page * Managing users * Changing permissions for a user * Managing passwords * Changing the root user password * Setting a password policy * Managing user passwords * Permitting IAM users to change their own passwords * How an IAM user changes their own password * Access keys * Retrieving lost passwords or access keys * Multi-factor authentication (MFA) * Enabling MFA devices * Enabling a virtual MFA device (console) * Enabling a FIDO security key (console) * Supported configurations for using FIDO security keys * Enabling a hardware TOTP token (console) * Enabling and managing virtual MFA devices (AWS CLI or AWS API) * Checking MFA status * Resynchronizing virtual and hardware MFA devices * Deactivating MFA devices * What if an MFA device is lost or stops working? * Configuring MFA-protected API access * Sample code: MFA * Finding unused credentials * Getting credential reports * Using IAM with CodeCommit * Using IAM with Amazon Keyspaces * Managing server certificates * User groups * Creating user groups * Managing user groups * Listing IAM user groups * Adding and removing users in an IAM user group * Attaching a policy to an IAM user group * Renaming an IAM user group * Deleting a user group * Roles * Terms and concepts * Common scenarios * Providing access across AWS accounts * Providing access for non AWS workloads * Providing access to third-party AWS accounts * Using an external ID for third-party access * Providing access to AWS services * The confused deputy problem * Providing access through identity federation * Identity providers and federation * About web identity federation * Using Amazon Cognito for mobile apps * Using web identity federation API operations for mobile apps * Identifying users with web identity federation * Additional resources for web identity federation * About SAML 2.0 federation * Creating IAM identity providers * Creating OIDC identity providers * Obtaining the thumbprint for an OIDC Identity Provider * Creating IAM SAML identity providers * Configuring relying party trust and claims * Integrating third-party SAML solution providers with AWS * Configuring SAML assertions for the authentication response * Enable SAML 2.0 federated users to access the AWS console * Enabling custom identity broker access to the AWS console * Service-linked roles * Creating roles * Creating a role for an IAM user * Creating a role for an AWS service * Creating a role for identity federation * Creating a role for web Identity/OIDC federation * Creating a role for SAML 2.0 federation * Creating a role using custom trust policies * Examples of policies for delegating access * Using roles * Granting a user permissions to switch roles * Granting permissions to pass a role to a service * Switching roles (console) * Switching roles (AWS CLI) * Switching roles (Tools for Windows PowerShell) * Switching roles (AWS API) * Using roles for applications on Amazon EC2 * Using instance profiles * Revoking role temporary credentials * Managing roles * Modifying a role * Modifying a role (console) * Modifying a role (AWS CLI) * Modifying a role (AWS API) * Deleting roles or instance profiles * Roles vs. resource-based policies * Tagging IAM resources * Tagging IAM users * Tagging IAM roles * Tagging customer managed policies * Tagging IAM identity providers * Tagging OpenID Connect (OIDC) identity providers * Tagging IAM SAML identity providers * Tagging instance profiles * Tagging server certificates * Tagging virtual MFA devices * Session tags * Temporary security credentials * Requesting temporary security credentials * Using temporary credentials with AWS resources * Controlling permissions for temporary security credentials * Permissions for AssumeRole API operations * Monitor and control actions taken with assumed roles * Permissions for GetFederationToken * Permissions for GetSessionToken * Disabling permissions * Granting permissions to create credentials * Managing AWS STS in an AWS Region * Using AWS STS interface VPC endpoints * Using bearer tokens * Sample applications that use temporary credentials * Additional resources for temporary credentials * AWS account root user * Log events with CloudTrail * Access management * Policies and permissions * Managed policies and inline policies * Deprecated AWS managed policies * Permissions boundaries * Identity vs resource * Controlling access using policies * Control access to IAM users and roles using tags * Control access to AWS resources using tags * Example policies * AWS: Specific access during a date range * AWS: Enable or disable AWS Regions * AWS: Self-manage credentials with MFA (My security credentials) * AWS: Specific access with MFA during a date range * AWS: Self-manage credentials no MFA (My security credentials) * AWS: Self-manage MFA device (My security credentials) * AWS: Self-manage console password (My security credentials) * AWS: Self-manage password, access keys, & SSH public keys (My security credentials) * AWS: Deny access based on requested Region * AWS: Deny access based on source IP * AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange * Data Pipeline: Deny access to pipelines not created by user * DynamoDB: Access specific table * DynamoDB: Allow access to specific attributes * DynamoDB: Allow item access based on a Amazon Cognito ID * EC2: Attach or detach volumes to an EC2 instance * EC2: Attach or detach tagged EBS volumes * EC2: Launch instances in a subnet (includes console) * EC2: Manage security groups with the same tags (includes console) * EC2: Start or stop instances a user has tagged (includes console) * EC2: Start or stop instances based on tags * EC2: Start or stop for matching tags * EC2: Full access within a Region (includes console) * EC2: Start or stop an instance, modify security group (includes console) * EC2: Requires MFA (GetSessionToken) for operations * EC2: Limit terminating instances to IP range * IAM: Access the policy simulator API * IAM: Access the policy simulator console * IAM: Assume tagged roles * IAM: Allows and denies multiple services (includes console) * IAM: Add specific tag to tagged user * IAM: Add a specific tag * IAM: Create only tagged users * IAM: Generate credential reports * IAM: Manage group membership (includes console) * IAM: Manage a tag * IAM: Pass a role to a service * IAM: Read-only console access (no reporting) * IAM: Read-only console access * IAM: Specific users manage group (includes console) * IAM: Setting account password requirements (includes console) * IAM: Access the policy simulator API based on user path * IAM: Access the policy simulator console based on user path (includes console) * IAM: MFA self-management * IAM: Rotate credentials (includes console) * IAM: View Organizations service last accessed information for a policy * IAM: Apply limited managed policies * AWS: Deny access to resources outside your account except AWS managed IAM policies * Lambda: Service access to DynamoDB * RDS: Full access within a Region * RDS: Restore databases (includes console) * RDS: Full access for tag owners * S3: Access bucket if cognito * S3: Access federated user home directory (includes console) * S3: Full access with recent MFA * S3: Access IAM user home directory (includes console) * S3: Restrict management to a specific bucket * S3: Read and write objects to a specific bucket * S3: Read and write to a specific bucket (includes console) * Managing IAM policies * Creating IAM policies * Creating IAM policies (console) * Creating IAM policies (CLI) * Creating IAM policies (API) * Validating policies * Generating policies * Testing IAM policies * Add or remove identity permissions * Versioning IAM policies * Editing IAM policies * Deleting IAM policies * Refining permissions using access information * View IAM access information * View access information for Organizations * Example scenarios * Understanding policies * Policy summary (list of services) * Access levels in policy summaries * Service summary (list of actions) * Action summary (list of resources) * Example policy summaries * Permissions required * Example policies for IAM * Code examples * IAM examples * Actions * Attach a policy to a role * Attach a policy to a user * Attach an inline policy to a role * Create a policy * Create a policy version * Create a role * Create a service-linked role * Create a user * Create an access key * Create an alias for an account * Create an inline policy for a user * Delete a policy * Delete a role * Delete a role policy * Delete a server certificate * Delete a service-linked role * Delete a user * Delete an access key * Delete an account alias * Delete an inline policy from a user * Detach a policy from a role * Detach a policy from a user * Generate a credential report * Get a credential report * Get a detailed authorization report for your account * Get a policy * Get a policy version * Get a role * Get a server certificate * Get a summary of account usage * Get a user * Get data about the last use of an access key * Get the account password policy * List SAML providers * List a user's access keys * List account aliases * List groups * List inline policies for a role * List inline policies for a user * List policies * List policies attached to a role * List roles * List server certificates * List users * Update a server certificate * Update a user * Update an access key * Scenarios * Create a user and assume a role * Create read-only and read-write users * Manage access keys * Manage policies * Manage roles * Manage your account * Roll back a policy version * Cross-service examples * Create a long-lived Amazon EMR cluster and run several steps * Create a short-lived Amazon EMR cluster and run a step * AWS STS examples * Actions * Assume a role * Get a session token * Scenarios * Assume an IAM role that requires an MFA token * Construct a URL for federated users * Get a session token that requires an MFA token * Security * Data protection * Logging and monitoring * Compliance validation * Resilience * Infrastructure security * Configuration and vulnerability analysis * Security best practices and use cases * Security best practices * Business use cases * AWS managed policies * IAM Access Analyzer * Findings for public and cross-account access * How IAM Access Analyzer findings work * Getting started with IAM Access Analyzer findings * Working with findings * Reviewing findings * Filtering findings * Archiving findings * Resolving findings * Supported resource types * Settings * Archive rules * Monitoring with EventBridge * Security Hub integration * Logging with CloudTrail * IAM Access Analyzer filter keys * Using service-linked roles * Preview access * Previewing access in Amazon S3 console * Previewing access with IAM Access Analyzer APIs * IAM Access Analyzer policy validation * Policy check reference * IAM Access Analyzer policy generation * IAM Access Analyzer policy generation and action last accessed support * IAM Access Analyzer quotas * Troubleshooting IAM * General issues * Access denied error messages * IAM policies * FIDO security keys * IAM roles * IAM and Amazon EC2 * IAM and Amazon S3 * SAML 2.0 federation * Viewing a SAML response in your browser * Reference * IAM identifiers * Quotas, name requirements, and character limits * Services that work with IAM * Policy reference * JSON element reference * Version * Id * Statement * Sid * Effect * Principal * NotPrincipal * Action * NotAction * Resource * NotResource * Condition * Condition operators * Conditions with multiple keys or values * Single-valued vs. multivalued condition keys * Variables and tags * Supported data types * Policy evaluation logic * Cross-account policy evaluation logic * Policy grammar * AWS managed policies for job functions * Creating roles and attaching policies (console) * Global condition keys * IAM condition keys * Actions, resources, and condition keys * Resources * Making HTTP query requests * Document history Grammar of the IAM JSON policy language - AWS Identity and Access Management AWSDocumentationAWS Identity and Access ManagementUser Guide The policy language and JSONConventions used in this grammarGrammarPolicy grammar notes GRAMMAR OF THE IAM JSON POLICY LANGUAGE PDFRSS This page presents a formal grammar for the language used to create JSON policies in IAM. We present this grammar so that you can understand how to construct and validate policies. For examples of policies, see the following topics: * Policies and permissions in IAM * Example IAM identity-based policies * Example Policies for Working in the Amazon EC2 Console and Example Policies for Working With the AWS CLI, the Amazon EC2 CLI, or an AWS SDK in the Amazon EC2 User Guide for Linux Instances. * Bucket Policy Examples and User Policy Examples in the Amazon Simple Storage Service User Guide. For examples of policies used in other AWS services, go to the documentation for those services. Topics * The policy language and JSON * Conventions used in this grammar * Grammar * Policy grammar notes THE POLICY LANGUAGE AND JSON Policies are expressed in JSON. When you create or edit a JSON policy, IAM can perform policy validation to help you create an effective policy. IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see Validating IAM policies. To learn more about IAM Access Analyzer policy checks and actionable recommendations, see IAM Access Analyzer policy validation. In this document, we do not provide a complete description of what constitutes valid JSON. However, here are some basic JSON rules: * White space between individual entities is allowed. * Values are enclosed in quotation marks. Quotation marks are optional for numeric and Boolean values. * Many elements (for example, action_string_list and resource_string_list) can take a JSON array as a value. Arrays can take one or more values. If more than one value is included, the array is in square brackets ([ and ]) and comma-delimited, as in the following example: "Action" : ["ec2:Describe*","ec2:List*"] * Basic JSON data types (Boolean, number, and string) are defined in RFC 7159. CONVENTIONS USED IN THIS GRAMMAR The following conventions are used in this grammar: * The following characters are JSON tokens and are included in policies: { } [ ] " , : * The following characters are special characters in the grammar and are not included in policies: = < > ( ) | * If an element allows multiple values, it is indicated using repeated values, a comma delimiter, and an ellipsis (...). Examples: [<action_string>, <action_string>, ...] <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... } If multiple values are allowed, it is also valid to include only one value. For only one value, the trailing comma must be omitted. If the element takes an array (marked with [ and ]) but only one value is included, the brackets are optional. Examples: "Action": [<action_string>] "Action": <action_string> * A question mark (?) following an element indicates that the element is optional. Example: <version_block?> However, be sure to refer to the notes that follow the grammar listing for details about optional elements. * A vertical line (|) between elements indicates alternatives. In the grammar, parentheses define the scope of the alternatives. Example: ("Principal" | "NotPrincipal") * Elements that must be literal strings are enclosed in double quotation marks ("). Example: <version_block> = "Version" : ("2008-10-17" | "2012-10-17") For additional notes, see Policy grammar notes following the grammar listing. GRAMMAR The following listing describes the policy language grammar. For conventions used in the listing, see the preceding section. For additional information, see the notes that follow. Note This grammar describes policies marked with a version of 2008-10-17 and 2012-10-17. A Version policy element is different from a policy version. The Version policy element is used within a policy and defines the version of the policy language. A policy version, on the other hand, is created when you make changes to a customer managed policy in IAM. The changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. To learn more about the Version policy element see IAM JSON policy elements: Version. To learn more about policy versions, see Versioning IAM policies. policy = { <version_block?> <id_block?> <statement_block> } <version_block> = "Version" : ("2008-10-17" | "2012-10-17") <id_block> = "Id" : <policy_id_string> <statement_block> = "Statement" : [ <statement>, <statement>, ... ] <statement> = { <sid_block?>, <principal_block?>, <effect_block>, <action_block>, <resource_block>, <condition_block?> } <sid_block> = "Sid" : <sid_string> <effect_block> = "Effect" : ("Allow" | "Deny") <principal_block> = ("Principal" | "NotPrincipal") : ("*" | <principal_map>) <principal_map> = { <principal_map_entry>, <principal_map_entry>, ... } <principal_map_entry> = ("AWS" | "Federated" | "Service" | "CanonicalUser") : [<principal_id_string>, <principal_id_string>, ...] <action_block> = ("Action" | "NotAction") : ("*" | [<action_string>, <action_string>, ...]) <resource_block> = ("Resource" | "NotResource") : ("*" | [<resource_string>, <resource_string>, ...]) <condition_block> = "Condition" : { <condition_map> } <condition_map> = { <condition_type_string> : { <condition_key_string> : <condition_value_list> }, <condition_type_string> : { <condition_key_string> : <condition_value_list> }, ... } <condition_value_list> = [<condition_value>, <condition_value>, ...] <condition_value> = ("string" | "number" | "Boolean") POLICY GRAMMAR NOTES * A single policy can contain an array of statements. * Policies have a maximum size between 2048 characters and 10,240 characters, depending on what entity the policy is attached to. For more information, see IAM and AWS STS quotas, name requirements, and character limits. Policy size calculations do not include white space characters. * Individual elements must not contain multiple instances of the same key. For example, you cannot include the Effect block twice in the same statement. * Blocks can appear in any order. For example, version_block can follow id_block in a policy. Similarly, effect_block, principal_block, action_block can appear in any order within a statement. * The id_block is optional in resource-based policies. It must not be included in identity-based policies. * The principal_block element is required in resource-based policies (for example, in Amazon S3 bucket policies) and in trust policies for IAM roles. It must not be included in identity-based policies. * The principal_map element in Amazon S3 bucket policies can include the CanonicalUser ID. Most resource-based policies do not support this mapping. To learn more about using the canonical user ID in a bucket policy, see Specifying a Principal in a Policy in the Amazon Simple Storage Service User Guide. * Each string value (policy_id_string, sid_string, principal_id_string, action_string, resource_string, condition_type_string, condition_key_string, and the string version of condition_value) can have its own minimum and maximum length restrictions, specific allowed values, or required internal format. NOTES ABOUT STRING VALUES This section provides additional information about string values that are used in different elements in a policy. action_string Consists of a service namespace, a colon, and the name of an action. Action names can include wildcards. Examples: "Action":"ec2:StartInstances" "Action":[ "ec2:StartInstances", "ec2:StopInstances" ] "Action":"cloudformation:*" "Action":"*" "Action":[ "s3:Get*", "s3:List*" ] policy_id_string Provides a way to include information about the policy as a whole. Some services, such as Amazon SQS and Amazon SNS, use the Id element in reserved ways. Unless otherwise restricted by an individual service, policy_id_string can include spaces. Some services require this value to be unique within an AWS account. Note The id_block is allowed in resource-based policies, but not in identity-based policies. There is no limit to the length, although this string contributes to the overall length of the policy, which is limited. "Id":"Admin_Policy" "Id":"cd3ad3d9-2776-4ef1-a904-4c229d1642ee" sid_string Provides a way to include information about an individual statement. For IAM policies, basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value. Other AWS services that support resource policies may have other requirements for the Sid value. For example, some services require this value to be unique within an AWS account, and some services allow additional characters such as spaces in the Sid value. "Sid":"1" "Sid": "ThisStatementProvidesPermissionsForConsoleAccess" principal_id_string Provides a way to specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. For an AWS account, you can also use the short form AWS:accountnumber instead of the full ARN. For all of the options including AWS services, assumed roles, and so on, see Specifying a principal. Note that you can use * only to specify "everyone/anonymous." You cannot use it to specify part of a name or ARN. resource_string In most cases, consists of an Amazon Resource Name (ARN). "Resource":"arn:aws:iam::123456789012:user/Bob" "Resource":"arn:aws:s3:::examplebucket/*" condition_type_string Identifies the type of condition being tested, such as StringEquals, StringLike, NumericLessThan, DateGreaterThanEquals, Bool, BinaryEquals, IpAddress, ArnEquals, etc. For a complete list of condition types, see IAM JSON policy elements: Condition operators. "Condition": { "NumericLessThanEquals": { "s3:max-keys": "10" } } "Condition": { "Bool": { "aws:SecureTransport": "true" } } "Condition": { "StringEquals": { "s3:x-amz-server-side-encryption": "AES256" } } condition_key_string Identifies the condition key whose value will be tested to determine whether the condition is met. AWS defines a set of condition keys that are available in all AWS services, including aws:PrincipalType, aws:SecureTransport, and aws:userid. For a list of AWS condition keys, see AWS global condition context keys. For condition keys that are specific to a service, see the documentation for that service such as the following: * Specifying Conditions in a Policy in the Amazon Simple Storage Service User Guide * IAM Policies for Amazon EC2 in the Amazon EC2 User Guide for Linux Instances. "Condition":{ "Bool": { "aws:SecureTransport": "true" } } "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } "Condition": { "StringEquals": { "aws:ResourceTag/purpose": "test" } } Javascript is disabled or is unavailable in your browser. To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions. Document Conventions Cross-account policy evaluation logic AWS managed policies for job functions Did this page help you? - Yes Thanks for letting us know we're doing a good job! If you've got a moment, please tell us what we did right so we can do more of it. Did this page help you? - No Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Did this page help you? Yes No Provide feedback Edit this page on GitHub Next topic:AWS managed policies for job functions Previous topic:Cross-account policy evaluation logic Need help? * Try AWS re:Post * Connect with an AWS IQ expert PrivacySite termsCookie preferences © 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved. On this page -------------------------------------------------------------------------------- * The policy language and JSON * Conventions used in this grammar * Grammar * Policy grammar notes DID THIS PAGE HELP YOU? - NO Thanks for letting us know this page needs work. We're sorry we let you down. If you've got a moment, please tell us how we can make the documentation better. Feedback