← All posts
2 min read

Inspect IAM managed policy metadata

#aws#cli#iam#security#identity
📑 On this page

Part 96 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

get-policy returns metadata. The permissions document lives in the default policy version and requires another command.

Before you run it

POLICY_ARN="arn:aws:iam::123456789012:policy/AwsZeroListBuckets"

Replace the account number or capture the ARN from create-policy.

The command

aws iam get-policy --policy-arn "$POLICY_ARN"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam get-policy \
  --policy-arn "$POLICY_ARN" \
  --query "Policy.{Name:PolicyName,Path:Path,DefaultVersion:DefaultVersionId,Attachments:AttachmentCount,Created:CreateDate,Updated:UpdateDate}" \
  --output table

Read the returned ARN, path, IDs, and attachment state instead of checking only the command exit code.

One tiny variation

aws iam list-entities-for-policy \
  --policy-arn "$POLICY_ARN"

List every user, group, and role currently attached to the managed policy.

Common mistake

Attachment count is not the number of people who can exercise the policy. A role or group attachment can affect many sessions or users.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Read an IAM managed policy document.

Official AWS CLI reference