← All posts
2 min read

Understand IAM policy JSON anatomy

#aws#cli#iam#security#identity
📑 On this page

Part 94 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

An IAM permission statement combines an effect with actions and resources. Conditions can narrow the context further.

Before you run it

aws sts get-caller-identity
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
GROUP_NAME="aws-zero-readers"
ROLE_NAME="aws-zero-demo-role"

IAM is global rather than regional. Use a sandbox account and a delegated administrator identity, never root access keys.

The command

cat > policy-anatomy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "ReadOneBucket",
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": ["arn:aws:s3:::replace-with-bucket"]
  }]
}
EOF

Version selects policy language behavior; it is not a document revision number.

Inspect the result

aws accessanalyzer validate-policy \
  --policy-type IDENTITY_POLICY \
  --policy-document file://policy-anatomy.json

Resolve errors and review every security warning before attachment.

One tiny variation

aws accessanalyzer validate-policy \
  --policy-type IDENTITY_POLICY \
  --policy-document file://policy-anatomy.json \
  --query "findings[].{Type:findingType,Issue:issueCode,Detail:findingDetails}" \
  --output table

Shape validation findings into a review-friendly table.

Common mistake

A syntactically valid policy can still be dangerously broad or functionally wrong. Validation assists human review; it does not replace intent.

Cleanup

rm policy-anatomy.json

Only a local policy file was created.

Next, we will learn Create a customer managed IAM policy.

Official AWS CLI reference