Inspect IAM managed policy metadata
📑 On this page
Part 96 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
get-policy returns metadata. The permissions document lives in the default policy version and requires another command.
Before you run it
POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"Replace the account number or capture the ARN from create-policy.
The command
aws iam get-policy --policy-arn "$POLICY_ARN"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam get-policy \
--policy-arn "$POLICY_ARN" \
--query "Policy.{Name:PolicyName,Path:Path,DefaultVersion:DefaultVersionId,Attachments:AttachmentCount,Created:CreateDate,Updated:UpdateDate}" \
--output tableRead the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.
One tiny variation
aws iam list-entities-for-policy \
--policy-arn "$POLICY_ARN"List every user, group, and role currently attached to the managed policy.
Common mistake
Attachment count is not the number of people who can exercise the policy. A role or group attachment can affect many sessions or users.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Read an IAM managed policy document.