Understand IAM policy JSON anatomy
📑 On this page
Part 94 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
An IAM permission statement combines an effect with actions and resources. Conditions can narrow the context further.
Before you run it
aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.
The command
cat > policy-anatomy.json <<'EOF'
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ReadOneBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::replace-with-bucket"]
}]
}
EOFVersion selects policy language behavior; it is not a document revision number.
Inspect the result
aws accessanalyzer validate-policy \
--policy-type IDENTITY_POLICY \
--policy-document file://policy-anatomy.jsonResolve errors and review every security warning before attachment.
One tiny variation
aws accessanalyzer validate-policy \
--policy-type IDENTITY_POLICY \
--policy-document file://policy-anatomy.json \
--query "findings[].{Type:findingType,Issue:issueCode,Detail:findingDetails}" \
--output tableShape validation findings into a review-friendly table.
Common mistake
A syntactically valid policy can still be dangerously broad or functionally wrong. Validation assists human review; it does not replace intent.
Cleanup
rm policy-anatomy.jsonOnly a local policy file was created.
Next, we will learn Create a customer managed IAM policy.