Updated on 2025-11-07 GMT+08:00

Access Analyzer Policy Check Reference

IAM Access Analyzer validates your policies against policy grammar. You can view policy validation check findings and refer to the solutions provided in "Resolving the error" to optimize your policies.

Error - JSON Syntax Error (JSON_SYNTAX_ERROR)

The finding includes the following message:

Fix the JSON syntax error at character {column} in line {line} with index {offset}.

Resolving the error

Check your JSON syntax to fix the error.

Error - Invalid Policy Element (INVALID_POLICY_ELEMENT)

The finding includes the following message:

The element {element} in the policy is invalid.

Resolving the error

Remove the invalid elements from the policy statements.

Error - Unsupported Principal (UNSUPPORTED_PRINCIPAL)

The finding includes the following message:

The "Principal" element is not supported for identity policy. Delete the "Principal" element. 

Resolving the error

Remove the "Principal" element. Identity policies do not support the "Principal" element.

Error - Data Type Mismatch (DATA_TYPE_MISMATCH)

The finding includes the following message:

The text does not match the expected JSON data type {data_type}.

Resolving the error

Update the text to use the supported data type.

For example, the "Effect" element requires the string data type. If you enter an integer, the data types do not match.

Error - Invalid Version (INVALID_VERSION)

The finding includes the following message:

The version {version} is not valid. Use the following version: "5.0".

Resolving the error

To use all available policy features, set the "Version" element to 5.0.

Error - Missing Version (MISSING_VERSION)

The finding includes the following message:

Add the "Version" element to the policy.

Resolving the error

Add the "Version" element to the policy.

Error - Missing Statement (MISSING_STATEMENT)

The finding includes the following message:

Add the "Statement" element to the policy.

Resolving the error

Add the "Statement" element to the policy.

Error - Missing Effect (MISSING_EFFECT)

The finding includes the following message:

Add the "Effect" element to the policy statement with a value of "Allow" or "Deny".

Resolving the error

Include the "Effect" element with a value of Allow or Deny in the policy.

Error - Invalid Effect (INVALID_EFFECT)

The finding includes the following message:

The effect {effect} is not valid. Use "Allow" or "Deny".

Resolving the error

Update the "Effect" element with a valid value. The valid values include "Allow" and "Deny".

Error - Missing Action (MISSING_ACTION)

The finding includes the following message:

Add the "Action" (or "NotAction") element to the policy statement.

Resolving the error

Ensure that the authorization statement of a JSON policy contains the "Action" or "NotAction" element.

The authorization statement of a trust policy must contain the "Action" element.

Error - Invalid Element for Trust Policy (INVALID_ELEMENT_FOR_TRUST_POLICY)

The finding includes the following message:

Trust policy does not support the {element} element. Remove the {element} element. 

Resolving the error

Update the text with supported elements.

Error - Unsupported Element Combination (UNSUPPORTED_ELEMENT_COMBINATION)

The finding includes the following message:

Policy elements {key_1} and {key_2} cannot be used in the same statement. Remove either of them.

Resolving the error

Modify the statement so that it contains no unsupported element combinations. Some policy elements cannot be used together. For example, you cannot include both the "Action" and "NotAction" elements in the same statement, and "Resource" and "NotResource" cannot be used together either.
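The structural checks above (JSON syntax, Version, Statement, Effect, Action/NotAction, Principal and element combinations) as one small validator. This is an added example, not Access Analyzer's own code; the set of accepted statement elements and the sample policy's action names are assumptions.

```python
import json

# Findings carry the codes this reference lists. The set of statement elements
# accepted here is an assumption for the example, not the complete policy grammar.
SUPPORTED_ELEMENTS = {"Sid", "Effect", "Action", "NotAction", "Resource",
                      "NotResource", "Condition", "Principal"}
EXCLUSIVE_PAIRS = (("Action", "NotAction"), ("Resource", "NotResource"))


def check_identity_policy(policy_text):
    """Return (code, message) findings for one JSON identity policy document."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as err:
        findings.append(("JSON_SYNTAX_ERROR",
                         "Fix the JSON syntax error at character %d in line %d with index %d."
                         % (err.colno, err.lineno, err.pos)))
        return findings
    if "Version" not in policy:
        findings.append(("MISSING_VERSION", 'Add the "Version" element to the policy.'))
    elif policy["Version"] != "5.0":
        findings.append(("INVALID_VERSION",
                         'The version %r is not valid. Use the following version: "5.0".'
                         % policy["Version"]))
    if "Statement" not in policy:
        findings.append(("MISSING_STATEMENT", 'Add the "Statement" element to the policy.'))
        return findings
    statements = policy["Statement"]
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        for element in stmt:
            if element not in SUPPORTED_ELEMENTS:
                findings.append(("INVALID_POLICY_ELEMENT",
                                 "The element %s in the policy is invalid." % element))
        if "Principal" in stmt:            # identity policies carry no Principal element
            findings.append(("UNSUPPORTED_PRINCIPAL",
                             'The "Principal" element is not supported for identity policy.'))
        effect = stmt.get("Effect")
        if effect is None:
            findings.append(("MISSING_EFFECT", 'Add the "Effect" element to the policy statement.'))
        elif not isinstance(effect, str):  # e.g. an integer where a JSON string is required
            findings.append(("DATA_TYPE_MISMATCH",
                             "The text does not match the expected JSON data type string."))
        elif effect not in ("Allow", "Deny"):
            findings.append(("INVALID_EFFECT",
                             'The effect %s is not valid. Use "Allow" or "Deny".' % effect))
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(("MISSING_ACTION",
                             'Add the "Action" (or "NotAction") element to the policy statement.'))
        for first, second in EXCLUSIVE_PAIRS:
            if first in stmt and second in stmt:
                findings.append(("UNSUPPORTED_ELEMENT_COMBINATION",
                                 "Policy elements %s and %s cannot be used in the same statement."
                                 % (first, second)))
    return findings


# Constructed sample: a wrong version, an integer Effect, an Action/NotAction
# clash, and a statement with a Principal but no Effect. Action names are made up.
SAMPLE_POLICY = """{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["example:widgets:list"], "Resource": ["*"]},
    {"Effect": 1, "Action": ["example:widgets:*"], "NotAction": ["example:widgets:delete"]},
    {"Action": ["example:*:*"], "Principal": {"IAM": ["*"]}, "Resource": ["*"]}
  ]
}"""

if __name__ == "__main__":
    for code, message in check_identity_policy(SAMPLE_POLICY):
        print(code, "-", message)
```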

Error - Invalid Condition Operator (INVALID_CONDITION_OPERATOR)

The finding includes the following message:

Invalid condition operator {operator} in policy. Please use a valid condition operator. Did you mean {valid_operator} ?

Resolving the error

Update the text with supported condition operators.

Error - Missing Brace in Variable (MISSING_BRACE_IN_VARIABLE)

The finding includes the following message:

The policy variable is missing a closing curly brace. Add "}" after the variable text.

Resolving the error

The policy variable structure supports the prefix $, followed by a pair of curly braces ({}). Include the request value that you want to use in the policy in ${}, for example, ${g:DomainId}.

Add the missing brace so that a complete pair of opening and closing braces is present.

Error - Empty Variable (EMPTY_VARIABLE)

The finding includes the following message:

Empty policy variable. Remove the "${}" variable structure or provide a variable within the structure.

Resolving the error

The policy variable structure supports the prefix $, followed by a pair of curly braces ({}). Include the request value that you want to use in the policy in ${}, for example, ${g:DomainId}.

Error - Unsupported Space in Variable (UNSUPPORTED_SPACE_IN_VARIABLE)

The finding includes the following message:

The space is not supported within the policy variable text. Remove the space.

Resolving the error

The policy variable structure supports the prefix $, followed by a pair of curly braces ({}). Include the request value that you want to use in the policy in ${}, for example, ${g:DomainId}. Remove any spaces from the variable name.

Error - Unsupported Default Value in Variable (UNSUPPORTED_DEFAULT_VALUE_IN_VARIABLE)

The finding includes the following message:

The default value is not supported within the policy variable text when the key is '*', '?' or '$'. Remove the default value.

Resolving the error

If a policy variable is '*', '?' or '$', the variable cannot be set to a default value. Remove the default value.

Error - Missing Quote in Variable (MISSING_QUOTE_IN_VARIABLE)

The finding includes the following message:

The default value of a policy variable must start and end with a single quote. Add the missing quote.

Resolving the error

When you add a variable to your policy, you can specify a default value for the variable. If a variable does not exist, the default text that you provide is used.

To add a default value to a variable, enclose the default value with a pair of single quotes ('') and separate the variable text from the default value with a comma and space (, ), for example, ${g:UserName, 'default'}.
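A parser for the ${key, 'default'} variable syntax described in the five findings above (missing brace, empty variable, space in variable, default on a special key, missing quote), plus the element check from VARIABLE_UNSUPPORTED_IN_ELEMENT. Added example, not code from the page; it assumes a default value never contains "}" and that only g:DomainId and g:UserName in the samples are real key names.

```python
import json

SPECIAL_KEYS = ("*", "?", "$")                   # keys that may not carry a default value
VARIABLE_ELEMENTS = ("Resource", "Condition")    # the only elements that accept ${...}


def check_variables(text):
    """Return (code, snippet) findings for every ${...} variable found in text."""
    findings = []
    pos = 0
    while True:
        start = text.find("${", pos)
        if start < 0:
            return findings
        end = text.find("}", start)
        if end < 0:                                   # no closing brace at all
            findings.append(("MISSING_BRACE_IN_VARIABLE", text[start:]))
            return findings
        snippet = text[start:end + 1]
        pos = end + 1
        key, comma, default = text[start + 2:end].partition(",")
        if key.strip() == "":
            findings.append(("EMPTY_VARIABLE", snippet))
        elif any(ch.isspace() for ch in key):
            findings.append(("UNSUPPORTED_SPACE_IN_VARIABLE", snippet))
        if not comma:
            continue
        if key in SPECIAL_KEYS:
            findings.append(("UNSUPPORTED_DEFAULT_VALUE_IN_VARIABLE", snippet))
        # the separator is a comma and one space; the default must be single-quoted
        value = default[1:] if default.startswith(" ") else default
        if not (len(value) >= 2 and value[0] == "'" and value[-1] == "'"):
            findings.append(("MISSING_QUOTE_IN_VARIABLE", snippet))


def check_statement_variables(stmt):
    """Flag ${...} used outside the Resource and Condition elements of one statement."""
    return [("VARIABLE_UNSUPPORTED_IN_ELEMENT", element)
            for element, value in stmt.items()
            if element not in VARIABLE_ELEMENTS and "${" in json.dumps(value)]


# Constructed strings exercising each variable finding.
SAMPLES = {
    "example:::bucket/${g:DomainId}/*": [],
    "${g:UserName, 'default'}": [],
    "${g:DomainId": ["MISSING_BRACE_IN_VARIABLE"],
    "prefix/${}/suffix": ["EMPTY_VARIABLE"],
    "${g:Domain Id}": ["UNSUPPORTED_SPACE_IN_VARIABLE"],
    "${*, 'anything'}": ["UNSUPPORTED_DEFAULT_VALUE_IN_VARIABLE"],
    "${g:UserName, default}": ["MISSING_QUOTE_IN_VARIABLE"],
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        codes = [code for code, _ in check_variables(text)]
        print(text, "->", codes, "OK" if codes == expected else "MISMATCH")
```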

Error - Invalid Condition Multiple Boolean (CONDITION_MULTIPLE_BOOLEAN)

The finding includes the following message:

Multiple Boolean values are not supported for condition values. Use a single Boolean value. 

Resolving the error

Each key in the condition key-value pair requires a single Boolean value. If you provide multiple Boolean values, the condition may not match as you expect.

Error - Variable Unsupported in Element (VARIABLE_UNSUPPORTED_IN_ELEMENT)

The finding includes the following message:

Policy variables are supported only in resource elements or the values of condition elements. Please check the policy variable in this element. 

Resolving the error

Use policy variables in the values of the "Resource" and "Condition" elements. Check whether the usage of the policy variable is correct.

Variables are marked with a $ prefix followed by a pair of curly braces ({}). In the braces, include the name of the request value that you want to use in the policy, for example, ${g:DomainId}.

Error - Invalid URN Account (INVALID_URN_ACCOUNT)

The finding includes the following message:

The resource URN account ID {account_id} is not valid. Provide a correct account ID.

Resolving the error

Update the account ID in the resource URN. An account ID can be "system" or a string of 1 to 64 characters containing only uppercase letters, lowercase letters, digits, and hyphens (-).

Error - Invalid URN Resource Type (INVALID_URN_RESOURCE_TYPE_NAME)

The finding includes the following message:

Resource URN type name {resource_type} is not valid. Update the resource type name portion of the URN.

Resolving the error

Use a valid resource type in the resource URN.

Error - Invalid Condition Key Format (INVALID_CONDITION_KEY_FORMAT)

The finding includes the following message:

The condition key format is not valid. Use the format "<service-name>:<condition-name>". 

Resolving the error

Use the standard format "<service-name>:<condition-name>" for the condition key.

Error - Condition Key Data Type Mismatch (TYPE_MISMATCH)

The finding includes the following message:

The condition key {key} uses the {type_1} operator type instead of the {type_2} operator type. 

Resolving the error

Update the text to use the supported data type for operators. For example, the g:PrincipalIsRootUser global condition key requires a condition operator of the Boolean data type. If you provide an operator of the date or integer type, the operator does not match the condition key.

Error - Type Mismatch Boolean (TYPE_MISMATCH_BOOLEAN)

The finding includes the following message:

Add a valid Boolean value (true or false) for the condition operator {operator}.

Resolving the error

Update the text to use a Boolean data type (true or false).

Error - Type Mismatch IP Range (TYPE_MISMATCH_IP_RANGE)

The finding includes the following message:

Add a valid IP range value for the condition operator {operator}.

Resolving the error

Update the text to use the IP address condition operator data type.

Error - Type Mismatch Number (TYPE_MISMATCH_NUMBER)

The finding includes the following message:

Add a valid numeric value for the condition operator {operator}.

Resolving the error

Update the text to use the numeric data type.

Error - Type Mismatch Date (TYPE_MISMATCH_DATE)

The finding includes the following message:

The date condition operator is used with an invalid value. Specify a valid date using RFC 3339 date/time format.

Resolving the error

Update the text to use the date data type in RFC 3339 format.

Error - Duplicate Keys with Different Case (DUPLICATE_KEYS_WITH_DIFFERENT_CASE)

The finding includes the following message:

The condition key {keys} appears multiple times in the same condition block, differing only in case. Delete duplicate condition keys.

Resolving the error

Review similar condition keys within the same condition block to make sure that the same case is used for the same condition key.

A condition block is the text within the "Condition" element of a policy statement. Condition key names are not case-sensitive. The condition operator you use determines whether a condition value is case-sensitive or not.

Error - Invalid Service (INVALID_SERVICE)

The finding includes the following message:

The service {service} in {key} does not exist. Use a valid service name. Did you mean {valid_service} ?

Resolving the error

The service name in the condition key and resources must match an existing service name. Enter a valid service name.

Error - Invalid Service in Action (INVALID_SERVICE_IN_ACTION)

The finding includes the following message:

The service {service} specified in the action {action} does not exist. Use a valid service name. Did you mean {valid_service} ?

Resolving the error

The service name in the action must match an existing service name. Enter a valid service name.

Error - Invalid Service Condition Key (INVALID_SERVICE_CONDITION_KEY)

The finding includes the following message:

The service condition key {key} does not exist. Please use a valid service condition key. Did you mean {valid_key} ?

Resolving the error

Use a valid service condition key.

Error - Missing Qualifier (MISSING_QUALIFIER)

The finding includes the following message:

The condition key {key} in the request context has multiple values. Use the "ForAllValues" or "ForAnyValue" condition qualifier in the policy.

Resolving the error

For all operators except the Null operator, you can add the ForAllValues: or ForAnyValue: prefix to indicate set operators. For requests that include multiple values for a single condition key, you must add the ForAllValues: or ForAnyValue: prefix.

Error - URN Account Not Allowed (URN_ACCOUNT_NOT_ALLOWED)

The finding includes the following message:

The service {service} does not support specifying an account ID in the resource URN. Remove the account ID from the resource URN.

Resolving the error

Remove the account ID from the resource URN. The resource URNs for some services do not support specifying an account ID.

Error - URN Region Not Allowed (URN_REGION_NOT_ALLOWED)

The finding includes the following message:

The service {service} does not support specifying a region in the resource URN. Remove the region from the resource URN. 

Resolving the error

Remove the region from the resource URN. The resource URNs for some services do not support specifying a region.

Error - Missing URN Region (MISSING_URN_REGION)

The finding includes the following message:

Add a region to service {service} URN.

Resolving the error

Specify the region in the URN.

Error - Null Operator Multiple Boolean (NULL_OPERATOR_MULTIPLE_BOOLEAN)

The finding includes the following message:

The condition value of the "Null" operator with multiple Boolean values will never match the request context. Use a single Boolean value. 

Resolving the error

Each key in the condition key-value pair requires a single Boolean value. If you provide multiple Boolean values for the Null operator, the request value cannot match all of the condition values at once, so the policy never matches the request context. Use a single Boolean value.
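The condition-block checks above (operator validity with a "Did you mean" hint, key format, duplicate keys differing only in case, Boolean/number/date/IP value types, multiple Boolean values, empty arrays), together with the IMPROVE_IP_RANGE suggestion for CIDR values whose host bits are set, as one added example; it is not Access Analyzer's code. The operator table and the g:SourceIp and g:CurrentTime key names are assumptions.

```python
import difflib
import ipaddress
import re

# Assumption for this example: base operator names and the value type each one
# expects. The page names Null and StringNotEquals and the Boolean, IP, number
# and date operator families; this table is constructed from those.
OPERATOR_TYPES = {
    "StringEquals": "string", "StringNotEquals": "string",
    "NumericEquals": "number", "DateGreaterThan": "date",
    "Bool": "boolean", "Null": "boolean",
    "IpAddress": "ip", "NotIpAddress": "ip",
}
QUALIFIERS = ("ForAllValues:", "ForAnyValue:")
CONDITION_KEY_RE = re.compile(r"^[^:\s]+:[^:\s]+$")   # <service-name>:<condition-name>
RFC3339_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$")


def parse_operator(operator):
    """Split e.g. "ForAnyValue:StringEqualsIfExists" into (base, qualifier, if_exists)."""
    qualifier = next((q for q in QUALIFIERS if operator.startswith(q)), "")
    base = operator[len(qualifier):]
    if_exists = base.endswith("IfExists")
    return (base[:-len("IfExists")] if if_exists else base), qualifier, if_exists


def check_value(base, expected, value):
    """Return a (code, detail) finding for one condition value, or None if well typed."""
    if isinstance(value, str) and "${" in value:    # type is known only after substitution
        return None if expected == "string" else ("VARIABLE_IN_CONDITION_VALUE", value)
    if expected == "boolean":
        ok = isinstance(value, bool) or value in ("true", "false")
        return None if ok else ("TYPE_MISMATCH_BOOLEAN", base)
    if expected == "number":
        try:
            float(value)
            return ("TYPE_MISMATCH_NUMBER", base) if isinstance(value, bool) else None
        except (TypeError, ValueError):
            return ("TYPE_MISMATCH_NUMBER", base)
    if expected == "date":
        ok = isinstance(value, str) and RFC3339_RE.match(value)
        return None if ok else ("TYPE_MISMATCH_DATE", base)
    if expected == "ip":
        if not isinstance(value, str):
            return ("TYPE_MISMATCH_IP_RANGE", base)
        try:
            ipaddress.ip_network(value)               # strict: host bits must be zero
            return None
        except ValueError:
            try:                                      # host bits set, as in 192.168.24.150/24
                net = ipaddress.ip_network(value, strict=False)
                return ("IMPROVE_IP_RANGE", "Replace the address with %s." % net)
            except ValueError:
                return ("TYPE_MISMATCH_IP_RANGE", base)
    return None


def check_condition(condition):
    """Run the checks over one "Condition" element; return (code, detail) findings."""
    findings = []
    spellings = {}                                    # lower-cased key -> spellings seen
    for operator, pairs in condition.items():
        base, _qualifier, _if_exists = parse_operator(operator)
        expected = OPERATOR_TYPES.get(base)
        if expected is None:
            hint = difflib.get_close_matches(base, list(OPERATOR_TYPES), n=1)
            findings.append(("INVALID_CONDITION_OPERATOR", "Invalid condition operator %s. "
                             "Did you mean %s?" % (operator, hint[0] if hint else "?")))
            continue
        for key, values in pairs.items():
            spellings.setdefault(key.lower(), set()).add(key)
            if not CONDITION_KEY_RE.match(key):
                findings.append(("INVALID_CONDITION_KEY_FORMAT", key))
            values = values if isinstance(values, list) else [values]
            if not values:                            # [] always matches: the condition is a no-op
                findings.append(("REDUNDANT_EMPTY_ARRAY_CONDITION", key))
            if expected == "boolean" and len(values) > 1:
                findings.append(("NULL_OPERATOR_MULTIPLE_BOOLEAN" if base == "Null"
                                 else "CONDITION_MULTIPLE_BOOLEAN", key))
            for value in values:
                finding = check_value(base, expected, value)
                if finding:
                    findings.append(finding)
    for seen in spellings.values():
        if len(seen) > 1:                             # same key spelled with different case
            findings.append(("DUPLICATE_KEYS_WITH_DIFFERENT_CASE", ", ".join(sorted(seen))))
    return findings


# Constructed condition block; g:SourceIp and g:CurrentTime are assumed key names.
SAMPLE_CONDITION = {
    "Bool": {"g:PrincipalIsRootUser": ["true", "false"]},
    "IpAddress": {"g:SourceIp": ["192.168.24.150/24", "not-an-ip"]},
    "DateGreaterThan": {"g:CurrentTime": "2025-11-07"},
    "StringEqual": {"g:DomainId": "example-domain"},
    "Null": {"g:sourceip": ["true", "false"]},
    "StringEquals": {"DomainId": []},
}
```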

Error - Invalid VPC ID Format (INVALID_VPC_FORMAT)

The finding includes the following message:

The VPC ID format in the condition value is invalid. Specify a valid VPC ID. 

Resolving the error

The VPC ID is in the 32-bit UUID format. Specify a valid VPC ID.

Error - Invalid VPCEP ID Format (INVALID_VPCEP_FORMAT)

The finding includes the following message:

The VPCEP ID format in the condition value is invalid. Specify a valid VPCEP ID. 

Resolving the error

The VPCEP ID is in the 32-bit UUID format. Specify a valid VPCEP ID.

Error - Invalid Account ID in Condition Value (INVALID_ACCOUNT_ID_IN_CONDITION_VALUE)

The finding includes the following message:

Account ID {account_id} in the condition value is not valid. Enter a valid account ID. 

Resolving the error

Enter a valid account ID in the condition value. The account ID must be a string of 1 to 64 characters containing only uppercase letters, lowercase letters, digits, and hyphens (-).

Error - Invalid Service Principal in Condition Value (INVALID_SERVICE_PRINCIPAL_IN_CONDITION_VALUE)

The finding includes the following message:

The service principal {service_principal} does not exist. Use a valid service principal. Did you mean {valid_service_principal} ? 

Resolving the error

The service principal must match an existing service principal. Enter a valid service principal.

Error - Policy Size Exceeds Identity Policy Quota (POLICY_SIZE_EXCEEDS_IDENTITY_POLICY_QUOTA)

The finding includes the following message:

The identity policy size of {policy_size} bytes (excluding spaces) exceeds the identity policy's maximum {POLICY_SIZE_QUOTA_IDENTITY_POLICY} bytes. We recommend that you use multiple granular policies.

Resolving the error

An identity policy cannot exceed 6,144 bytes. Spaces are not counted in the policy size.

If your policy size exceeds the quota, you can organize your policy into multiple statements and group the statements into multiple policies.

Error - Policy Size Exceeds Service Control Policy Quota (POLICY_SIZE_EXCEEDS_SERVICE_CONTROL_POLICY_QUOTA)

The finding includes the following message:

The service control policy size of {policy_size} bytes (excluding spaces) exceeds the service control policy's maximum {POLICY_SIZE_QUOTA_SERVICE_CONTROL_POLICY} bytes. We recommend that you use multiple granular policies.

Resolving the error

A service control policy cannot exceed 5,120 bytes. Spaces are not counted in the policy size.

If your policy size exceeds the quota, you can organize your policy into multiple statements and group the statements into multiple policies.

Error - Policy Size Exceeds Trust Policy Quota (POLICY_SIZE_EXCEEDS_TRUST_POLICY_QUOTA)

The finding includes the following message:

The trust policy size of {policy_size} bytes (excluding spaces) exceeds the trust policy's maximum {POLICY_SIZE_QUOTA_TRUST_POLICY} bytes. 

Resolving the error

A trust policy cannot exceed 6,144 bytes. Spaces are not counted in the policy size.
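The three size checks above, with the page's quotas and its "spaces are not counted" rule, plus the remedy it recommends: packing the statements into several policies that each fit the quota. Added example, not Access Analyzer's code; it assumes only the space character is excluded from the count, and the sample policy's action names are made up.

```python
import json

# Quotas from this page, in bytes with spaces excluded.
POLICY_SIZE_QUOTA = {"identity": 6144, "service_control": 5120, "trust": 6144}


def policy_size(policy):
    """Size as the check counts it: UTF-8 bytes of the JSON text with spaces removed.

    Assumption: only the space character is excluded; the page does not say how
    other whitespace is treated, so the policy is serialised without any here.
    """
    text = json.dumps(policy, separators=(",", ":"), ensure_ascii=False)
    return len(text.replace(" ", "").encode("utf-8"))


def check_policy_size(policy, policy_type):
    """Return (code, size, quota) when the policy exceeds its quota, else None."""
    size, quota = policy_size(policy), POLICY_SIZE_QUOTA[policy_type]
    if size > quota:
        return ("POLICY_SIZE_EXCEEDS_%s_POLICY_QUOTA" % policy_type.upper(), size, quota)
    return None


def split_policy(policy, quota):
    """First-fit packing of the statements into several policies that each fit the quota."""
    parts = []
    for stmt in policy["Statement"]:
        for part in parts:
            trial = dict(part, Statement=part["Statement"] + [stmt])
            if policy_size(trial) <= quota:
                part["Statement"].append(stmt)
                break
        else:
            part = {"Version": policy["Version"], "Statement": [stmt]}
            if policy_size(part) > quota:
                raise ValueError("a single statement exceeds the quota; split its Action list")
            parts.append(part)
    return parts


# Constructed oversized identity policy: 120 statements with made-up action names.
SAMPLE_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Sid": "statement%03d" % i, "Effect": "Allow",
         "Action": ["example:widgets:action%03d" % i], "Resource": ["*"]}
        for i in range(120)
    ],
}

if __name__ == "__main__":
    print(check_policy_size(SAMPLE_POLICY, "identity"))
    for part in split_policy(SAMPLE_POLICY, POLICY_SIZE_QUOTA["identity"]):
        print(len(part["Statement"]), "statements,", policy_size(part), "bytes")
```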

Error - SCP Not Allowed for Combination of Allow and NotAction (SCP_SYNTAX_ERROR_ALLOW_NOT_ACTION)

The finding includes the following message:

Service control policy syntax does not support "NotAction" when "Effect" is "Allow". Modify the "Effect" or "NotAction" element.

Resolving the error

Organizations SCPs do not support the "NotAction" element when the "Effect" is set to "Allow".

Error - SCP Not Allowed for Combination of Allow and Resource Not Using * (SCP_SYNTAX_ERROR_ALLOW_RESOURCE)

The finding includes the following message:

Service control policy syntax does not support "Resource" using resources other than "*" when "Effect" is "Allow". Modify the "Effect" or "Resource" element.

Resolving the error

Specify values for the "Resource" element only when "Effect" is set to "Deny". When "Effect" is set to "Allow", you can set "Resource" only to "*".

Error - SCP Not Allowed for Combination of Allow and Condition (SCP_SYNTAX_ERROR_ALLOW_CONDITION)

The finding includes the following message:

Service control policy syntax does not support "Condition" when "Effect" is "Allow", please modify "Effect" or "Condition" element. 

Resolving the error

Specify values for the "Condition" element only when "Effect" is set to "Deny".

Error - SCP Not Allowed for NotResource (SCP_SYNTAX_ERROR_NOT_RESOURCE)

The finding includes the following message:

The "NotResource" element is not supported in the service control policy syntax. Delete the "NotResource" element.

Resolving the error

Remove the "NotResource" element from the policy statements.

Error - SCP Syntax Error Principal (SCP_SYNTAX_ERROR_PRINCIPAL)

The finding includes the following message:

The service control policy does not support specifying a principal. Delete the "Principal" element. 

Resolving the error

Remove the "Principal" element. SCPs do not support the "Principal" element.

Error - SCP Syntax Error Allow Effect (SCP_SYNTAX_ERROR_ALLOW_EFFECT)

The finding includes the following message:

Service control policy syntax does not support the effect "Allow". Modify the "Effect" to "Deny".

Resolving the error

Set "Effect" to "Deny". Organizations SCPs do not support the "Allow" effect.

Error - SCP Syntax Error NotAction (SCP_SYNTAX_ERROR_NOT_ACTION)

The finding includes the following message:

The "NotAction" element is not supported in the service control policy syntax. Delete the "NotAction" element.

Resolving the error

Remove the "NotAction" element from the policy statements.

Error - SCP Syntax Error Missing Action Field (SCP_SYNTAX_ERROR_MISSING_ACTION_FIELD)

The finding includes the following message:

The action in service control policy must contain 3 fields and the following structure: "<service-name>:<type-name>:<action-name>".

Resolving the error

Ensure that the action in the Organizations SCP complies with the required format.

Error - SCP Syntax Error Wildcard in Service Name of Action (SCP_SYNTAX_ERROR_WILDCARD_IN_SERVICE_NAME_OF_ACTION)

The finding includes the following message:

It is not allowed to use wildcards "*", "?" in service names of actions in service control policy, because it may deny unintended other cloud services with similar names.

Resolving the error

When you include the name of a cloud service in the action of an Organizations SCP, do not include the wildcard characters "*" and "?". They may also deny other services whose names match the pattern, including services made available later. For example, several cloud services have names that match gaussdb*.
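The SCP syntax rules from the sections above (Deny-only effect, no NotAction/NotResource/Principal, three-field actions, no wildcard in the service name) as one added check; this is example code, not the service's implementation. Only iam:policies:* and the gaussdb* pattern come from the page; the other names in the sample are constructed.

```python
def check_scp_statement(stmt):
    """Return the SCP finding codes for one statement, in the order the checks run."""
    codes = []
    effect = stmt.get("Effect")
    resource = stmt.get("Resource")
    if effect == "Allow":
        codes.append("SCP_SYNTAX_ERROR_ALLOW_EFFECT")
        if resource is not None and resource not in ("*", ["*"]):
            codes.append("SCP_SYNTAX_ERROR_ALLOW_RESOURCE")
        if "Condition" in stmt:
            codes.append("SCP_SYNTAX_ERROR_ALLOW_CONDITION")
    if "NotAction" in stmt:
        codes.append("SCP_SYNTAX_ERROR_ALLOW_NOT_ACTION" if effect == "Allow"
                     else "SCP_SYNTAX_ERROR_NOT_ACTION")
    if "NotResource" in stmt:
        codes.append("SCP_SYNTAX_ERROR_NOT_RESOURCE")
    if "Principal" in stmt:
        codes.append("SCP_SYNTAX_ERROR_PRINCIPAL")
    actions = stmt.get("Action", [])
    for action in (actions if isinstance(actions, list) else [actions]):
        if action.count(":") != 2:                  # <service-name>:<type-name>:<action-name>
            codes.append("SCP_SYNTAX_ERROR_MISSING_ACTION_FIELD")
            continue
        service = action.split(":", 1)[0]
        if "*" in service or "?" in service:        # gaussdb* would also deny look-alike services
            codes.append("SCP_SYNTAX_ERROR_WILDCARD_IN_SERVICE_NAME_OF_ACTION")
    return codes


def check_scp(policy):
    """Return (statement_index, code) for every statement of the SCP."""
    return [(i, code) for i, stmt in enumerate(policy.get("Statement", []))
            for code in check_scp_statement(stmt)]


# Constructed SCP that breaks most of the rules above.
SAMPLE_SCP = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Deny", "Action": ["gaussdb*:*:*"], "Resource": ["*"]},
        {"Effect": "Allow", "NotAction": ["iam:policies:*"], "Resource": ["example:::bucket/*"],
         "Condition": {"StringEquals": {"g:DomainId": "example-domain"}}},
        {"Effect": "Deny", "Action": ["iam:policies"], "NotResource": ["*"],
         "Principal": {"IAM": ["*"]}},
    ],
}

if __name__ == "__main__":
    for index, code in check_scp(SAMPLE_SCP):
        print("statement", index, code)
```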

Error - Empty Array Action for Trust Policy (EMPTY_ARRAY_ACTION_FOR_TRUST_POLICY)

The finding includes the following message:

This statement includes no actions and does not affect the policy. Specify actions. 

Resolving the error

If the "Action" element is left empty, the policy statement provides no permissions. Specify actions for the "Action" element.

Error - Empty Array Statement for Trust Policy (EMPTY_ARRAY_STATEMENT_FOR_TRUST_POLICY)

The finding includes the following message:

This statement includes no policies. Specify policies. 

Resolving the error

If the "Statement" element is left empty, the policy provides no permissions. Include standard permission text in the "Statement" element.

Error - Invalid Principal Key (INVALID_PRINCIPAL_KEY)

The finding includes the following message:

The principal key {key} is not valid. 

Resolving the error

Use only "IAM" and "Service" as principal keys.

Error - Invalid Account Reference (INVALID_ACCOUNT_REFERENCE)

The finding includes the following message:

The account ID {account_id} in the principal is not valid. Provide a correct account ID. 

Resolving the error

Change the account ID in the principal to a valid one. The account ID must be a string of 1 to 64 characters containing only uppercase letters, lowercase letters, digits, and hyphens (-).

Error - Invalid Service Principal Format (INVALID_SERVICE_PRINCIPAL_FORMAT)

The finding includes the following message:

The service principal format is not valid. Use the format "service.<service-name>". 

Resolving the error

The service principal must use the specified format.

Error - Invalid Service Principal (INVALID_SERVICE_PRINCIPAL)

The finding includes the following message:

The service principal {service_principal} does not exist. Use a valid service principal. Did you mean {valid_service_principal} ? 

Resolving the error

The service principal must match that of a cloud service. Enter a valid service principal.

Error - Mismatched Action for Trust Policy (MISMATCHED_ACTION_FOR_TRUST_POLICY)

The finding includes the following message:

The {action} in "Action" is invalid with the trust policy. 

Resolving the error

The trust policy only supports the following three actions: ["sts:agencies:assume","sts::tagSession","sts::setSourceIdentity"].

Error - Unsupported Wildcard in Principal (UNSUPPORTED_WILDCARD_IN_PRINCIPAL)

The finding includes the following message:

Wildcards "*", "?" are not supported in the principal. Please specify a valid principal. 

Resolving the error

Do not use any wildcard in a principal. Specify a principal.
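The trust-policy checks from the sections above (empty Statement or Action arrays, the three permitted sts actions, the IAM and Service principal keys, account ID syntax, the service.<service-name> format, no wildcard in a principal) as one added example, not the service's own code. It assumes an IAM principal is either a bare account ID or a five-field URN whose third field is the account ID, and that a service name contains only letters, digits and hyphens; the sample's account IDs and service names are constructed.

```python
import re

TRUST_POLICY_ACTIONS = {"sts:agencies:assume", "sts::tagSession", "sts::setSourceIdentity"}
PRINCIPAL_KEYS = {"IAM", "Service"}
ACCOUNT_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
# "service.<service-name>"; the characters allowed in the name are an assumption
SERVICE_PRINCIPAL_RE = re.compile(r"^service\.[A-Za-z0-9-]+$")


def account_id_of(principal_value):
    """Assumption: an IAM principal is a bare account ID or a URN whose third field
    is the account ID ("<service-name>:<region>:<account-id>:<type-name>:<resource-path>")."""
    fields = principal_value.split(":")
    return fields[2] if len(fields) == 5 else principal_value


def check_trust_statement(stmt):
    """Return the trust-policy finding codes for one statement, in check order."""
    codes = []
    actions = stmt.get("Action")
    if actions is None:
        codes.append("MISSING_ACTION")            # a trust policy statement must carry "Action"
        actions = []
    elif actions == []:
        codes.append("EMPTY_ARRAY_ACTION_FOR_TRUST_POLICY")
    for action in (actions if isinstance(actions, list) else [actions]):
        if action not in TRUST_POLICY_ACTIONS:
            codes.append("MISMATCHED_ACTION_FOR_TRUST_POLICY")
    principal = stmt.get("Principal", {})
    if principal == []:
        codes.append("EMPTY_ARRAY_PRINCIPAL")
        principal = {}
    for key, values in principal.items():
        if key not in PRINCIPAL_KEYS:
            codes.append("INVALID_PRINCIPAL_KEY")
            continue
        for value in (values if isinstance(values, list) else [values]):
            if "*" in value or "?" in value:
                codes.append("UNSUPPORTED_WILDCARD_IN_PRINCIPAL")
            elif key == "IAM" and not ACCOUNT_ID_RE.match(account_id_of(value)):
                codes.append("INVALID_ACCOUNT_REFERENCE")
            elif key == "Service" and not SERVICE_PRINCIPAL_RE.match(value):
                codes.append("INVALID_SERVICE_PRINCIPAL_FORMAT")
    return codes


def check_trust_policy(policy):
    """Return (statement_index, code) findings; an empty Statement array is its own finding."""
    statements = policy.get("Statement", [])
    if statements == []:
        return [(-1, "EMPTY_ARRAY_STATEMENT_FOR_TRUST_POLICY")]
    return [(i, code) for i, stmt in enumerate(statements) for code in check_trust_statement(stmt)]


# Constructed trust policy: one valid statement followed by three faulty ones.
SAMPLE_TRUST_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:agencies:assume", "sts::tagSession"],
         "Principal": {"IAM": ["0123456789abcdef"]}},
        {"Effect": "Allow", "Action": [], "Principal": {"Service": ["service.example"]}},
        {"Effect": "Allow", "Action": ["iam:policies:*"],
         "Principal": {"IAM": ["*"], "Service": ["example"], "Account": ["0123456789abcdef"]}},
        {"Effect": "Allow", "Action": "sts::setSourceIdentity", "Principal": {"IAM": ["bad id!"]}},
    ],
}

if __name__ == "__main__":
    for index, code in check_trust_policy(SAMPLE_TRUST_POLICY):
        print("statement", index, code)
```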

Error - Unsupported NotResource (UNSUPPORTED_NOT_RESOURCE)

The finding includes the following message:

The "NotResource" element is not supported for identity policy. Delete the "NotResource" element.

Resolving the error

Remove the "NotResource" element. Identity policies do not support the "NotResource" element.

Suggestion - Empty Sid Value (EMPTY_SID_VALUE)

The finding includes the following message:

Add a value to the empty string in the "Sid" element.

Resolving the suggestion

Set an identifier ("Sid") for a statement in your policy. A Sid must be a string.

Suggestion - Empty Array Action (EMPTY_ARRAY_ACTION)

The finding includes the following message:

This statement includes no actions and does not affect the policy. Specify actions.

Resolving the suggestion

Specify values for the "Action" or "NotAction" element in the statement. A policy statement must include an "Action" or "NotAction" element. If the "Action" or "NotAction" element is left empty, the statement provides no permissions.

Suggestion - Empty Array Resource (EMPTY_ARRAY_RESOURCE)

The finding includes the following message:

This statement includes no resources and does not affect the policy. Specify resources.

Resolving the suggestion

When the "Resource" or "NotResource" element is left empty, the statement has no effect on the policy. Specify values for the "Resource" or "NotResource" element.

Suggestion - Empty Array Statement (EMPTY_ARRAY_STATEMENT)

The finding includes the following message:

This statement includes no policies. Specify policies. 

Resolving the suggestion

If the "Statement" element is left empty, the policy provides no permissions. Include standard permission text in the "Statement" element.

Suggestion - Empty Object Condition (EMPTY_OBJECT_CONDITION)

The finding includes the following message:

This condition block is empty and it does not affect the policy. Specify conditions.

Resolving the suggestion

The "Condition" element requires condition operators and key-value pairs.

If you provide an empty object in the "Condition" element, the statement has no effect on the policy. Delete the optional "Condition" element or specify a condition.

Suggestion - Empty Array Principal (EMPTY_ARRAY_PRINCIPAL)

The finding includes the following message:

This statement's principal element is empty array, it includes no principals and does not affect the policy. Specify principals. 

Resolving the suggestion

If the value of the "Principal" element is an empty array, the statement has no effect on the policy. Specify the principal.

Suggestion - Unique Sids Required (UNIQUE_SIDS_REQUIRED)

The finding includes the following message:

Duplicate statement IDs are not recommended for statement. Update the "Sid" value.

Resolving the suggestion

Use a unique Sid value.

The "Sid" element allows you to set a unique identifier for a policy statement.

Suggestion - Missing URN Field (MISSING_URN_FIELD)

The finding includes the following message:

It is recommended that the resource URN contain 5 fields and the following structure: "<service-name>:<region>:<account-id>:<type-name>:<resource-path>".

Resolving the suggestion

Use the standard URN format for all resources.

Suggestion - Variable in URN (VARIABLE_IN_URN)

The finding includes the following message:

Resource URN contains variable. It might grant unintended access to other resources with similar URNs.

Resolving the suggestion

If a variable is included in a resource URN, broader access may be granted to resources with similar URNs. Review resource URNs to ensure the right permission scope.

Suggestion - Wildcard in Service Name (WILDCARD_IN_SERVICE_NAME)

The finding includes the following message:

Avoid using wildcards "*", "?" in service names, because it may grant unintended access to other cloud services with similar names. 

Resolving the suggestion

When you include the name of a cloud service in a policy, do not include the wildcard characters "*" and "?". This might grant permissions for future services that you do not intend to include. For example, several cloud services have names that match gaussdb*.

Suggestion - Redundant Empty Array Condition (REDUNDANT_EMPTY_ARRAY_CONDITION)

The finding includes the following message:

When the value of the condition key {key} is an empty array, this condition will always match the request context. Specify conditions.

Resolving the suggestion

The "Condition" element requires condition operators and key-value pairs.

If the value of a condition key is an empty array, the condition always matches the request context. The statement has no effect on the policy. You are advised to rewrite the condition.

Suggestion - Redundant Empty Array Condition with Null (REDUNDANT_EMPTY_ARRAY_CONDITION_WITH_NULL)

The finding includes the following message:

To determine if the request context is none, we recommend that you use the "Null" condition operator with the value of "true" instead.

Resolving the suggestion

The "Condition" element requires you to use condition operators and key-value pairs. This condition matches only if the request contains no corresponding key. If you need to test whether a request context key is absent, use the "Null" condition operator instead.

Suggestion - Variable in Condition Value (VARIABLE_IN_CONDITION_VALUE)

The finding includes the following message:

Condition value contains variable. The variable replacement result may be different from the expected type. Check the data type of the escaped text. 

Resolving the suggestion

When you use a non-string type operator and include policy variables in a condition value, the type of the condition value after substitution may differ from the expected type. Check the substituted text to ensure that its data type is the one you expect.

Suggestion - Redundant Statement (REDUNDANT_STATEMENT)

The finding includes the following message:

Your policy contains redundant statements which provide same permissions. Delete those redundant statements.

Resolving the suggestion

Delete duplicate statements in your policy.

Suggestion - Redundant Action (REDUNDANT_ACTION)

The finding includes the following message:

The {count} action(s) are redundant because they grant similar permissions. Please remove the redundant action(s) such as: {actions}. 

Resolving the suggestion

When you use the wildcard "*" in the "Action" element, the policy can contain redundant permissions. We provide suggestions on deleting redundant permissions to streamline the policy. For example, the iam:policies:* action is already included in iam:*:*. To remove the duplicate permissions, remove iam:policies:*.

Suggestion - Redundant Resource (REDUNDANT_RESOURCE)

The finding includes the following message:

The {count} resource URN(s) are redundant because they reference similar resources. Please remove the redundant resource URN(s) such as: {resources}. 

Resolving the suggestion

When you use the wildcard "*" in resource URNs, the policy can contain redundant resource permissions. We provide suggestions on deleting redundant resource URNs to streamline the policy. For example, the iam::*:policy:* resource URN is already included in iam::*:*:*. To remove the duplicate permissions, remove iam::*:policy:*.
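A field-by-field wildcard subsumption check that reproduces the REDUNDANT_ACTION and REDUNDANT_RESOURCE suggestions above, and the WILDCARD_IN_SERVICE_NAME suggestion, on the page's own iam:*:* / iam:policies:* and iam::*:*:* / iam::*:policy:* examples. Added example, not Access Analyzer's algorithm; it simplifies by treating a field that itself contains a wildcard as covered only by "*" or by an identical field, and iam:policies:list is a constructed action name.

```python
import fnmatch

WILDCARDS = ("*", "?")


def field_covers(pattern, other):
    """True when one URN/action field matches everything the other field matches.

    Simplification for this example: a field that itself contains a wildcard is
    only covered by "*" or by an identical field.
    """
    if pattern == other or pattern == "*":
        return True
    if any(w in other for w in WILDCARDS):
        return False
    return fnmatch.fnmatchcase(other, pattern)


def covers(pattern, other):
    """Field-by-field subsumption for colon-separated actions (3 fields) or URNs (5 fields)."""
    p_fields, o_fields = pattern.split(":"), other.split(":")
    return len(p_fields) == len(o_fields) and all(map(field_covers, p_fields, o_fields))


def redundant_entries(entries):
    """Entries already covered by another entry in the list (exact duplicates count once)."""
    redundant = []
    for i, entry in enumerate(entries):
        for j, other in enumerate(entries):
            if i == j:
                continue
            if covers(other, entry) and (other != entry or j < i):
                redundant.append(entry)
                break
    return redundant


def wildcard_in_service_name(entries):
    """Entries whose first field (the service name) contains * or ?, e.g. gaussdb*."""
    return [e for e in entries if any(w in e.split(":", 1)[0] for w in WILDCARDS)]


# Constructed lists; iam:*:*, iam:policies:*, iam::*:*:* and iam::*:policy:* come from the page.
SAMPLE_ACTIONS = ["iam:*:*", "iam:policies:*", "iam:policies:list", "gaussdb*:*:*"]
SAMPLE_RESOURCES = ["iam::*:*:*", "iam::*:policy:*", "iam::*:policy:*"]

if __name__ == "__main__":
    print("redundant actions:", redundant_entries(SAMPLE_ACTIONS))
    print("redundant resources:", redundant_entries(SAMPLE_RESOURCES))
    print("wildcard service names:", wildcard_in_service_name(SAMPLE_ACTIONS))
```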

Suggestion - Improve IP Range (IMPROVE_IP_RANGE)

The finding includes the following message:

The non-zero bits in host identifier in the IP address are ignored. Replace the address with {ip_addr}. 

Resolving the suggestion

An IP address consists of two parts: a prefix that identifies the network and an address of the host in the network. When you use an IP address in the standard CIDR format, the non-zero bits following the prefix that identifies the network in the IP address are ignored. For example, in 192.168.24.150/24, 150 would be ignored. You are advised to change it to 192.168.24.0/24.

Suggestion - Recommended Condition Key for Service Principal (RECOMMENDED_CONDITION_KEY_FOR_SERVICE_PRINCIPAL)

The finding includes the following message:

The attribute "g:SourceUrn" may not be included in the request. To restrict access of the service principal, we recommend you to use the condition key "g:SourceAccount". 

Resolving the suggestion

You can specify the "Service" key in the "Principal" element of a resource policy to grant permissions to the service principal to perform operations on your behalf. You should use the condition key g:SourceAccount or g:SourceUrn to avoid lenient permissions and prevent confused deputy issues. In some requests, g:SourceUrn may not be contained. In this case, you are advised to use g:SourceAccount to restrict access.

Suggestion - Redundant Condition Value Within Single Operator (REDUNDANT_CONDITION_VALUE_WITHIN_SINGLE_OPERATOR)

The finding includes the following message:

There are redundant condition values in the condition because they grant similar permissions. Reduce the condition value to {condition_values}. 

Resolving the suggestion

Different values of the same condition key under one operator are combined with OR.

For condition operators that contain Not (such as StringNotEquals), the request value cannot match any of the condition values.

Considering one operator at a time, we provide suggestions on which condition values to retain to streamline the policy.

Suggestion - Redundant ForAnyValue (REDUNDANT_FOR_ANY_VALUE)

The finding includes the following message:

The condition key {key} is a single-valued condition key. "ForAnyValue" is ignored when "ForAnyValue" and a single-valued condition key are used together. We recommend that you remove "ForAnyValue:".

Resolving the suggestion

For all operators except the Null operator, you can add the ForAllValues: or ForAnyValue: prefix to indicate set operators. For requests that include multiple values for a single condition key, you must add the ForAllValues: or ForAnyValue: prefix. If ForAnyValue is used together with a single-valued condition key, ForAnyValue will be ignored. We recommend that you delete the ForAnyValue: prefix.

Suggestion - Redundant IfExists with Negated Operator (REDUNDANT_IF_EXISTS_WITH_NEGATED_OPERATOR)

The finding includes the following message:

"IfExists" is ignored when being used with an operator containing "Not". We recommend that you remove "IfExists". 

Resolving the suggestion

When the IfExists suffix is used together with an operator that contains Not, the IfExists suffix would be ignored. We recommend that you remove the IfExists suffix.

Suggestion - Redundant IfExists (REDUNDANT_IF_EXISTS)

The finding includes the following message:

"IfExists" is redundant when being used together with other condition operators that do not contain "IfExists" and "Not". We recommend that you remove "IfExists". 

Resolving the suggestion

There is a condition key expected by operators that do not contain IfExists and Not. As a result, the IfExists suffix is redundant. We recommend that you remove the IfExists suffix.

Suggestion - Redundant Null (REDUNDANT_NULL)

The finding includes the following message:

The "Null" condition operator with the value of "false" is redundant when being used together with other condition operators that do not contain "IfExists" and "Not". We recommend that you remove "Null".

Resolving the suggestion

There is a condition key expected by the Null condition operator with the value false. The same condition key is also expected by operators that do not contain IfExists and Not. As a result, the Null condition operator is redundant. We recommend that you remove the Null condition operator.

Suggestion - Redundant IfExists with Null (REDUNDANT_IF_EXISTS_WITH_NULL)

The finding includes the following message:

The "Null" condition operator with the value of "false" makes "IfExists" in other condition operators redundant. We recommend that you remove "IfExists". 

Resolving the suggestion

There is a condition key expected by the Null condition operator with the value false. As a result, the IfExists suffix in other operators is redundant. We recommend that you remove the IfExists suffix.
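The IfExists and Null redundancy rules from the preceding sections (REDUNDANT_IF_EXISTS_WITH_NEGATED_OPERATOR, REDUNDANT_IF_EXISTS, REDUNDANT_NULL, REDUNDANT_IF_EXISTS_WITH_NULL), together with the CONFLICTING_OPERATOR_WITH_NULL rule described later on this page, as an added example that is not part of the original page or the product. It lints one "Condition" element and then applies the suggested removals until nothing more can be removed. The sample condition and its values are constructed; the condition keys are ones named on this page.

```python
SET_PREFIXES = ("ForAllValues:", "ForAnyValue:")

# Constructed sample Condition block; the values are placeholders.
SAMPLE_CONDITION = {
    "StringEqualsIfExists": {"g:DomainName": "example-domain"},
    "StringNotEqualsIfExists": {"g:PrincipalOrgPath": "o-a1b2c3d4e5/*"},
    "StringMatchIfExists": {"g:RequestedRegion": "region-*"},
    "StringEquals": {"g:RequestedRegion": "region-a"},
    "DateLessThan": {"g:CurrentTime": "2024-01-01T08:00:00Z"},
    "IpAddress": {"g:SourceIp": "203.0.113.0/24"},
    "Null": {"g:DomainName": "false", "g:CurrentTime": "false", "g:SourceIp": "true"},
}


def base_operator(operator):
    """Strip a ForAllValues:/ForAnyValue: prefix; the rules below ignore it."""
    for prefix in SET_PREFIXES:
        if operator.startswith(prefix):
            return operator[len(prefix):]
    return operator


def is_plain(operator):
    """An operator that requires the key to be present: neither Null, IfExists nor Not."""
    return operator != "Null" and "IfExists" not in operator and "Not" not in operator


def lint_condition(condition):
    """Return sorted (operator, key, finding) tuples for one Condition element."""
    ops_by_key = {}
    for operator, pairs in condition.items():
        for key in pairs:
            ops_by_key.setdefault(key, set()).add(base_operator(operator))
    null_ops = condition.get("Null", {})
    null_false = {k for k, v in null_ops.items() if str(v).lower() == "false"}
    null_true = {k for k, v in null_ops.items() if str(v).lower() == "true"}

    findings = set()
    for operator, pairs in condition.items():
        base = base_operator(operator)
        if base == "Null":
            continue
        for key in pairs:
            others = ops_by_key[key] - {base}
            if "IfExists" in base and "Not" in base:
                findings.add((operator, key, "REDUNDANT_IF_EXISTS_WITH_NEGATED_OPERATOR"))
            elif "IfExists" in base and key in null_false:
                findings.add((operator, key, "REDUNDANT_IF_EXISTS_WITH_NULL"))
            elif "IfExists" in base and any(is_plain(o) for o in others):
                findings.add((operator, key, "REDUNDANT_IF_EXISTS"))
            if key in null_true:
                findings.add((operator, key, "CONFLICTING_OPERATOR_WITH_NULL"))
    for key in null_false:
        if any(is_plain(o) for o in ops_by_key[key]):
            findings.add(("Null", key, "REDUNDANT_NULL"))
    return sorted(findings)


def streamline(condition):
    """Drop redundant IfExists suffixes and Null:false entries until a fixed point.

    Removing an IfExists suffix can make a Null:false on the same key redundant,
    so the pass is repeated. Conflicts are reported, never auto-resolved.
    """
    current = condition
    while True:
        findings = lint_condition(current)
        drop_if_exists = {(op, key) for op, key, code in findings
                          if code.startswith("REDUNDANT_IF_EXISTS")}
        drop_null = {key for op, key, code in findings if code == "REDUNDANT_NULL"}
        rewritten = {}
        for operator, pairs in current.items():
            for key, value in pairs.items():
                if operator == "Null" and key in drop_null:
                    continue
                new_op = operator.replace("IfExists", "") if (operator, key) in drop_if_exists else operator
                rewritten.setdefault(new_op, {})[key] = value
        if rewritten == current:
            return rewritten
        current = rewritten


if __name__ == "__main__":
    for finding in lint_condition(SAMPLE_CONDITION):
        print(*finding, sep="\t")
    print("remaining after streamline:", lint_condition(streamline(SAMPLE_CONDITION)))
```

After streamlining, the only finding left is the Null:true conflict on g:SourceIp, which needs a human decision about which side of the contradiction was intended.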

Suggestion - Redundant Operator (REDUNDANT_OPERATOR)

The finding includes the following message:

Without modifying anywhere else in the policy, just removing the condition key from the condition operator does not affect the policy. We recommend that you streamline the policy.

Resolving the suggestion

Considering all involved condition operators and condition values in the condition key, if you just remove the condition key from the condition operator without modifying other policy content, the authentication result does not change and the policy is not affected. We recommend that you streamline the policy.

Suggestion - Redundant Operator Replaced by Null (REDUNDANT_OPERATOR_REPLACED_BY_NULL)

The finding includes the following message:

Without modifying anywhere else in the policy, just removing the condition key from the condition operator, and adding a "Null" condition operator with the value of "false" does not affect the policy. We recommend that you streamline the policy.

Resolving the suggestion

Considering all involved condition operators and condition values in the condition key, if you just remove the condition key from the condition operator and add the Null condition operator with the value false without modifying other policy content, the authentication result does not change and the policy is not affected. We recommend that you streamline the policy. Here, adding the Null condition operator with the value false is to ensure that the specified condition key exists in the request context.

Suggestion - Redundant Condition Value in Array (REDUNDANT_CONDITION_VALUE_IN_ARRAY)

The finding includes the following message:

Without modifying anywhere else in the policy, just removing the condition value indexed at {index} from the condition value array does not affect the policy. We recommend that you streamline the policy.

Resolving the suggestion

Considering all involved condition operators and condition values in the condition key, if you just remove the condition value from the condition value array without modifying other policy content, the authentication result does not change and the policy is not affected. We recommend that you streamline the policy.

Suggestion - Redundant Private IP Addresses (REDUNDANT_PRIVATE_IP_ADDRESS)

The finding includes the following message:

The value of "g:SourceIp" contains private IP addresses. Update the value to include only public IP addresses. 

Resolving the suggestion

The g:SourceIp value contains a private IP address. g:SourceIp refers to the source IP address of the request from the public network.

If you want to restrict access from private IP addresses, use g:VpcSourceIp.

g:VpcSourceIp is valid only if the request is initiated from a VPC through a VPC endpoint.
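The two g:SourceIp checks described on this page, non-zero host bits in a CIDR value and private addresses under g:SourceIp, as an added example that is not part of the original page or the product. It uses Python's standard ipaddress module; the definition of "private" here is the RFC 1918 ranges, an assumption, since the analyzer's own list may be broader. The sample value list is constructed.

```python
import ipaddress

# Assumed definition of "private": the RFC 1918 ranges. The analyzer's own list
# may be broader (link-local, shared address space, and so on).
PRIVATE_RANGES = [ipaddress.ip_network(r)
                  for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the value list of one "g:SourceIp" condition.
SAMPLE_SOURCE_IPS = ["192.168.24.150/24", "203.0.113.0/24", "10.0.0.5", "2001:db8::/32"]


def canonical(value):
    """The form the evaluator actually uses: non-zero host bits cleared."""
    iface = ipaddress.ip_interface(value)          # accepts "a.b.c.d" or "a.b.c.d/n"
    net = iface.network                            # prefix with host bits cleared
    if net.prefixlen == net.max_prefixlen:
        return str(iface.ip)                       # a bare address stays a bare address
    return str(net)


def is_private(value):
    """True when an IPv4 value overlaps an RFC 1918 range (IPv6 is not classified here)."""
    net = ipaddress.ip_interface(value).network
    return net.version == 4 and any(net.overlaps(r) for r in PRIVATE_RANGES)


def check_source_ip(values):
    """Lint g:SourceIp values; returns (value, finding, suggestion) tuples."""
    findings = []
    for value in values:
        if canonical(value) != value:
            findings.append((value, "non-zero host bits are ignored", canonical(value)))
        if is_private(value):
            findings.append((value, "REDUNDANT_PRIVATE_IP_ADDRESS", "use g:VpcSourceIp"))
    return findings


def rewrite_source_ip(values):
    """Values worth keeping under g:SourceIp: canonical prefixes, private ranges dropped."""
    return [canonical(v) for v in values if not is_private(v)]


if __name__ == "__main__":
    for finding in check_source_ip(SAMPLE_SOURCE_IPS):
        print(*finding, sep="\t")
    print("g:SourceIp ->", rewrite_source_ip(SAMPLE_SOURCE_IPS))
```

The private ranges removed by rewrite_source_ip belong under g:VpcSourceIp, and only when the request arrives through a VPC endpoint, as the text above notes.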

Suggestion - Not Recommended Operator for Random Value (NOT_RECOMMENDED_OPERATOR_FOR_RANDOM_VALUE)

The finding includes the following message:

You are not advised to use the condition operator {operator} to restrict a randomly generated value. Use the operator "StringEquals" or "StringNotEquals" to specify the condition value.

Resolving the suggestion

You are not advised to use fuzzy match to restrict the randomly generated value (such as the account ID, organization ID, VPC ID, or VPCEP ID). Use StringEquals or StringNotEquals to precisely specify the condition value.

General Warning - Empty Object Principal (EMPTY_OBJECT_PRINCIPAL)

The finding includes the following message:

This statement includes no principals and does not affect the policy. Specify principals. 

Resolving the general warning

Specify principals in your statements.

General Warning - Invalid Global Condition Key (INVALID_GLOBAL_CONDITION_KEY)

The finding includes the following message:

The global condition key {key} does not exist. Please use a valid global condition key. Did you mean {valid_key} ? 

Resolving the general warning

Use valid global condition keys to replace the invalid ones. A global condition key starts with a g: prefix.

General Warning - Wildcard Without Match Operator (WILDCARD_WITHOUT_MATCH_OPERATOR)

The finding includes the following message:

Your condition value includes a "*" or "?" character. If you meant to use a wildcard, update the condition operator to include "Match". If you meant "*" or "?" as literal characters rather than wildcards, you are advised to use the standard format "${*}" or "${?}".

Resolving the general warning

The "Condition" element requires condition operators and key-value pairs.

If you meant to use a wildcard, set the operator to one that includes "Match". For example, StringMatch is an operator that includes "Match", and StringEquals is not.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"vpc:*"
		],
		"Condition": {
			"StringMatch": {
				"g:PrincipalOrgPath": "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*"
			}
		}
	}]
}

If you meant to use literal characters "*" or "?" instead of wildcards, use the standard format ${*} or ${?}.

General Warning - Invalid Action (INVALID_ACTION)

The finding includes the following message:

The action {action} does not exist. Did you mean {valid_action} ? 

Resolving the general warning

The action that you specified is not valid. Use the standard format "Service name:Resource type:Operation". The action supports the wildcards "*" and "?". The wildcard "*" matches arbitrarily many (including zero) occurrences of any character, and the wildcard "?" matches exactly one occurrence of any character.
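The wildcard semantics described in this section and in the preceding WILDCARD_WITHOUT_MATCH_OPERATOR section, as an added example that is not part of the original page or the product: a matcher in which "*" matches any run of characters, "?" exactly one, and "${*}" / "${?}" stand for the literal characters, used both for action patterns and for condition values, plus a linter that flags "*" or "?" under an operator that does not contain "Match". Policy variables such as "${g:...}" are assumed to have been substituted before matching. The sample conditions are constructed around the page's own StringMatch example.

```python
import re

# Constructed samples: the page's StringMatch policy beside the mistaken StringEquals
# form, and a literal "*" written in the escaped format.
ORG_PATH_PATTERN = "o-a1b2c3d4e5/r-ab12/ou-ab12-11111111/ou-ab12-22222222/*"
SAMPLE_CONDITIONS = {
    "wildcard_intended": {"StringMatch": {"g:PrincipalOrgPath": ORG_PATH_PATTERN}},
    "star_under_equals": {"StringEquals": {"g:PrincipalOrgPath": ORG_PATH_PATTERN}},
    "literal_star": {"StringEquals": {"g:DomainName": "${*}"}},
}


def wildcard_to_regex(pattern):
    """Translate a policy pattern into a regex body (no anchors; fullmatch adds them)."""
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("${*}", i):      # escaped literal asterisk
            parts.append(re.escape("*"))
            i += 4
        elif pattern.startswith("${?}", i):    # escaped literal question mark
            parts.append(re.escape("?"))
            i += 4
        elif pattern[i] == "*":                # any run of characters, including none
            parts.append(".*")
            i += 1
        elif pattern[i] == "?":                # exactly one character
            parts.append(".")
            i += 1
        else:                                  # everything else is literal
            parts.append(re.escape(pattern[i]))
            i += 1
    return "".join(parts)


def string_match(pattern, value):
    """Match a whole value against a pattern with the policy wildcard rules."""
    return re.fullmatch(wildcard_to_regex(pattern), value, re.DOTALL) is not None


def action_matches(pattern, action):
    """Actions use the same wildcards over the form service:resource:operation."""
    return string_match(pattern, action)


def condition_matches(operator, policy_value, request_value):
    """Only operators containing 'Match' expand wildcards; others compare literally."""
    if "Match" in operator:
        hit = string_match(policy_value, request_value)
    else:
        hit = policy_value == request_value
    return not hit if "Not" in operator else hit


def lint_wildcards(condition):
    """WILDCARD_WITHOUT_MATCH_OPERATOR: an unescaped '*' or '?' under a non-Match operator."""
    findings = []
    for operator, pairs in condition.items():
        if "Match" in operator:
            continue
        for key, values in pairs.items():
            for value in (values if isinstance(values, list) else [values]):
                text = str(value)
                if "*" in text.replace("${*}", "") or "?" in text.replace("${?}", ""):
                    findings.append((operator, key, text))
    return findings


if __name__ == "__main__":
    for name, condition in SAMPLE_CONDITIONS.items():
        print(name, lint_wildcards(condition))
    print(action_matches("iam:agencies:*", "iam:agencies:createServiceLinkedAgencyV5"))
```

Because StringEquals compares literally, the "star_under_equals" condition only ever matches a principal whose organization path ends in a real asterisk, which is why the linter flags it.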

General Warning - Create SLA with NotResource (CREATE_SLA_WITH_NOT_RESOURCE)

The finding includes the following message:

Using the "iam:agencies:createServiceLinkedAgencyV5" action with "NotResource" can allow creation of unintended service-linked agencies for multiple resources. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use "iam:agencies:createServiceLinkedAgencyV5" action with the "NotResource" element, you may allow creating unintended service-linked agencies for multiple resources. You are advised to specify allowed URNs in the "Resource" element.

General Warning - Create SLA with Star in Action and NotResource (CREATE_SLA_WITH_STAR_IN_ACTION_AND_NOT_RESOURCE)

The finding includes the following message:

Using an action with a wildcard "*" and "NotResource" can allow creation of unintended service-linked agencies because it can allow "iam:agencies:createServiceLinkedAgencyV5" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use the wildcard "*" in the "Action" and "NotResource" elements in a policy, you may allow creating unintended service-linked agencies for multiple resources. You are advised to specify allowed URNs in the "Resource" element.

General Warning - Create SLA with NotAction and NotResource (CREATE_SLA_WITH_NOT_ACTION_AND_NOT_RESOURCE)

The finding includes the following message:

Using "NotAction" with "NotResource" can allow creation of unintended service-linked agencies because it allows "iam:agencies:createServiceLinkedAgencyV5" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use the "iam:agencies:createServiceLinkedAgencyV5" action with the "NotAction" and the "NotResource" elements, you may allow creating unintended service-linked agencies for multiple resources. You are advised to specify allowed URNs in the "Resource" element. You can also add the "iam:agencies:createServiceLinkedAgencyV5" action to the "NotAction" element.

General Warning - Create SLA with Star In Resource (CREATE_SLA_WITH_STAR_IN_RESOURCE)

The finding includes the following message:

Using the "iam:agencies:createServiceLinkedAgencyV5" action on all resources can allow creation of unintended service-linked agencies. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use the "iam:agencies:createServiceLinkedAgencyV5" action and include only the wildcard "*" in the "Resource" element, you may allow creation of unintended service-linked agencies for multiple resources. If "Resource" or "NotResource" is not specified in a policy, all resources are included by default. You are advised to specify allowed URNs in the "Resource" element.

General Warning - Create SLA with Star in Action and Resource (CREATE_SLA_WITH_STAR_IN_ACTION_AND_RESOURCE)

The finding includes the following message:

Using wildcards "*" in the action for all resources can allow creation of unintended service-linked agencies because it allows "iam:agencies:createServiceLinkedAgencyV5" permissions on all resources. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use the "iam:agencies:createServiceLinkedAgencyV5" action and include the wildcard "*" in the "Action" and the "Resource" elements, you may allow creation of unintended service-linked agencies for multiple resources. For example, actions "*", "iam:*", and "iam:agencies:*" allow the creation of unintended service-linked agencies. If "Resource" or "NotResource" is not specified in a policy, all resources are included by default. You are advised to specify allowed URNs in the "Resource" element.

General Warning - Create SLA with Star in Resource and NotAction (CREATE_SLA_WITH_STAR_IN_RESOURCE_AND_NOT_ACTION)

The finding includes the following message:

Using "NotAction" for all resources can allow creation of unintended service-linked agencies because it allows "iam:agencies:createServiceLinkedAgencyV5" permissions on all resources. We recommend that you specify resource URNs instead.

Resolving the general warning

The "iam:agencies:createServiceLinkedAgencyV5" action grants the permission to allow a cloud service to perform operations on your behalf. If you use the "iam:agencies:createServiceLinkedAgencyV5" action and include the wildcard "*" in the "Resource" and the "NotAction" elements, you may allow creation of unintended service-linked agencies for multiple resources. If "Resource" or "NotResource" is not specified in a policy, all resources are included by default. You are advised to specify allowed URNs in the "Resource" element. You can also add the "iam:agencies:createServiceLinkedAgencyV5" action to the "NotAction" element.

General Warning - Missing Action for Condition Key (MISSING_ACTION_FOR_CONDITION_KEY)

The finding includes the following message:

There is a missing action to use with this condition key. Please enter an action to use with this condition key (For example {action}). 

Resolving the general warning

To ensure that the condition keys you specify are effectively allowed or denied by your policy, add the action to the "Action" element.

General Warning - Allow Action with Unsupported Tag Condition Key (ALLOW_ACTION_WITH_UNSUPPORTED_TAG_CONDITION_KEY)

The finding includes the following message:

Using the effect Allow with the unsupported "g:ResourceTag" tag condition key does not affect the policy. It is recommended that you move this unsupported action to other statements which do not contain this tag condition key. 

Resolving the general warning

Using unsupported tag condition keys in the "Condition" element of a policy with "Effect": "Allow" does not affect the permissions granted by the policy, because the tag condition key is ignored. You are advised to remove the actions that do not support the tag condition key and create another statement to allow access to specific resources in that service.

If you use the g:ResourceTag condition key and it is not supported by a service action, then the action is ignored and the policy is not affected. This happens even if the resource is tagged correctly.

When an action supports the g:ResourceTag condition key, you can use tags to control access to resources. This is known as attribute-based access control (ABAC). Services that do not support these condition keys require you to control access to resources using resource-based access control (RBAC).

For example, assume that you want to allow team members to view details and lists for VPCs tagged with {"team": "engineering"}. However, the action that allows for viewing VPC lists does not support the g:ResourceTag condition key. In this case, move this action to a new statement and specify the resources to be accessed.

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"vpc:vpcs:get"
			],
			"Resource": [
				"*"
			],
			"Condition": {
				"StringEquals": {
					"g:ResourceTag/team": "engineering"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"vpc:vpcs:list"
			],
			"Resource": [
				"vpc:*:123456789:vpc:11111111-d755-4538-0000-111111111111"
			]
		}
	]
}

General Warning - Invalid Condition Key (INVALID_CONDITION_KEY)

The finding includes the following message:

The condition key will never match the request context. Please delete this condition key. 

Resolving the general warning

All actions used together with the condition key are contained in NotAction, so the content in the condition key can never match the context. Remove the condition key.

General Warning - Confusing Permissive in Empty Array Condition (CONFUSING_PERMISSIVE_IN_EMPTY_ARRAY_CONDITION)

The finding includes the following message:

When the value of the multi-valued condition key {key} is an empty array, the semantics may be unclear when it is used together with the "ForAnyValue" operator and the operator containing "Not". We recommend that you remove the condition key. 

Resolving the general warning

When the operator contains Not and the ForAnyValue: prefix is used, the condition returns true if any key value in the request does not match at least one value in the policy. The condition also returns true if the condition key does not exist in the request. When the key value is resolved to an empty array, however, the condition returns false. Because of this, you are not advised to use a multi-valued condition key whose value is an empty array together with the ForAnyValue: prefix and an operator containing Not. Remove the condition key.

General Warning - Invalid Empty Array Condition (INVALID_EMPTY_ARRAY_CONDITION)

The finding includes the following message:

When the value of the condition key {key} is an empty array, this condition will never match the request context. Specify conditions. 

Resolving the general warning

The "Condition" element requires condition operators and key-value pairs. If the value of a condition key is an empty array, the condition will never match the request context. This means that the statement will never be applied. You are advised to rewrite the condition.

General Warning - Invalid Variable Key Format (INVALID_VARIABLE_KEY_FORMAT)

The finding includes the following message:

The format of the key in the variable is invalid. Use valid condition keys or special characters.

Resolving the general warning

You can use policy variables in the values of the "Resource" and "Condition" elements. These policy variables will be replaced with the values of the corresponding condition keys in the request context. If a variable cannot be resolved, the entire statement may be invalid. The format of the condition key in the policy variable is incorrect. Enter valid condition keys or special characters.

General Warning - Invalid Global Condition Key in Variable (INVALID_GLOBAL_CONDITION_KEY_IN_VARIABLE)

The finding includes the following message:

The global condition key {key} in the policy variable does not exist. Use a valid global condition key. Did you mean {valid_key} ? 

Resolving the general warning

You can use policy variables in the values of the "Resource" and "Condition" elements. These policy variables will be replaced with the values of the corresponding condition keys in the request context. If a variable cannot be resolved, the entire statement may be invalid. Use a valid global condition key in the policy variable.

General Warning - Invalid Service Condition Key in Variable (INVALID_SERVICE_CONDITION_KEY_IN_VARIABLE)

The finding includes the following message:

The service condition key {key} in the policy variable does not exist. Use a valid service condition key. Did you mean {valid_key} ? 

Resolving the general warning

You can use policy variables in the values of the "Resource" and "Condition" elements. These policy variables will be replaced with the values of the corresponding condition keys in the request context. If a variable cannot be resolved, the entire statement may be invalid. Use a valid service condition key in the policy variable.

General Warning - Invalid Multi-valued Condition Key in Variable (INVALID_MULTIVALUED_CONDITION_KEY_IN_VARIABLE)

The finding includes the following message:

The condition key {key} in the variable is a multi-value condition key. Multi-value condition keys are not supported in the variable. Modify the variable. 

Resolving the general warning

You can use policy variables in the values of the "Resource" and "Condition" elements. These policy variables will be replaced with the values of the corresponding condition keys in the request context. If a variable cannot be resolved, the entire statement may be invalid. Only single-valued condition keys can be used in policy variables. Use a valid single-valued condition key in the policy variable.

General Warning - Redundant Variable Key with Default (REDUNDANT_VARIABLE_KEY_WITH_DEFAULT)

The finding includes the following message:

The key in the variable {key} will never match the request context. Remove the variable and use the default value you specify.

Resolving the general warning

You can use policy variables in the values of the "Resource" and "Condition" elements. These policy variables will be replaced with the values of the corresponding condition keys in the request context. If a variable cannot be resolved, the entire statement may be invalid. Your policy variable will never match the request context because the variable is always resolved to the default value. Change the policy variable to the default value you specify.

General Warning - Conflicting Operator with Null (CONFLICTING_OPERATOR_WITH_NULL)

The finding includes the following message:

The "Null" condition operator with the value of "true" conflicts with other condition operators. Remove the conflicting condition operators.

Resolving the general warning

The Null condition operator with the value true requires that the condition key does not exist in the request context, while the other condition operators on the same key require that it does exist. Both requirements can never hold at the same time, so the semantics expressed by the Null condition operator conflict with the other operators. Remove the conflicting condition operators.

General Warning - Invalid Condition Combination (INVALID_CONDITION_COMBINATION)

The finding includes the following message:

When the condition key {key} exists, the combination of conditions about it will never match the request context. Use a valid combination of conditions. 

Resolving the general warning

When the specified condition key exists in the request context, if the conditions that you specify on it can never all be met at the same time, the combination of these conditions will never match the request context. For example, if you require that the current time g:CurrentTime be both earlier than 2024-01-01T08:00:00Z and later than 2024-01-01T09:00:00Z, the combination of these conditions is invalid. Use a valid combination of conditions.

General Warning - Not Recommended Condition Key for Service Principal (NOT_RECOMMENDED_CONDITION_KEY_FOR_SERVICE_PRINCIPAL)

The finding includes the following message:

The condition key {condition_key} is not recommended when the principal is a service principal. Remove the condition key. 

Resolving the general warning

Cloud services interwork with each other, and some cloud services are dependent on other services. To delegate a cloud service to access other services and perform resource O&M, create a trust agency for the service. You can specify a cloud service as the principal in the trust policy, but you cannot use certain condition keys to restrict the service principal. Remove those condition keys from the trust policy.

General Warning - Using Aliases in Action of Deny Statement (USING_ALIAS_IN_ACTION_OF_DENY_STATEMENT)

The finding includes the following message:

When the alias {alias} of the action {action} is included in "Action" of a deny statement, please note that action {action} will also be denied. 

Resolving the general warning

Some actions are renamed to comply with name standards or for permission splitting and refined management. To be compatible with original actions, new actions are registered as aliases of the original ones.

For a policy statement with "Effect" set to "Deny", if an action or any of its aliases matches any pattern in the "Action" element, the action will be denied.

For example, vpc:vpcs:create is an alias of eip:vpcIgws:create. The following policy will also deny the eip:vpcIgws:create action.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Deny",
		"Action": [
			"vpc:vpcs:create"
		]
	}]
}

General Warning - Excluding Aliases with NotAction in Allow Statement (EXCLUDING_ALIAS_WITH_NOT_ACTION_IN_ALLOW_STATEMENT)

The finding includes the following message:

When the alias {alias} of the action {action} is excluded with "NotAction" of an allow statement, action {action} will also be excluded. If it is not your intended authorization, please specify the action {action} in "Action" of other allow statements to grant permission. 

Resolving the general warning

Some actions are renamed to comply with name standards or for permission splitting and refined management. To be compatible with original actions, new actions are registered as aliases of the original ones.

For a policy statement with "Effect" set to "Allow", if an action or any of its aliases matches any pattern in the "NotAction" element, the action will not be allowed.

For example, vpc:vpcs:create is an alias of eip:vpcIgws:create. The following policy will also exclude the eip:vpcIgws:create action.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"NotAction": [
			"vpc:vpcs:create"
		]
	}]
}

If you do not want to exclude eip:vpcIgws:create, specify it in an action of other statements.

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"NotAction": [
				"vpc:vpcs:create"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"eip:vpcIgws:create"
			]
		}
	]
}
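The alias rules from the two preceding sections, as an added example that is not part of the original page or the product: a minimal evaluator that treats an action and its aliases as interchangeable when matching "Action" and "NotAction" patterns, with explicit Deny taking precedence over Allow. It uses the alias relationship the page states (vpc:vpcs:create is an alias of eip:vpcIgws:create) and the three policies shown above; "Resource" and "Condition" are not modelled, which is an assumption made because those examples omit them.

```python
from fnmatch import fnmatchcase

# Alias relationship stated on this page: vpc:vpcs:create is an alias of eip:vpcIgws:create.
ALIASES = {"eip:vpcIgws:create": ["vpc:vpcs:create"]}

# The three policies from the page's alias examples.
DENY_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "Action": ["vpc:vpcs:create"]},
]}
NOT_ACTION_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "NotAction": ["vpc:vpcs:create"]},
]}
FIXED_POLICY = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "NotAction": ["vpc:vpcs:create"]},
    {"Effect": "Allow", "Action": ["eip:vpcIgws:create"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def names_of(action):
    """The action itself plus every alias of it, in either direction."""
    names = {action}
    names.update(ALIASES.get(action, []))
    names.update(a for a, aliases in ALIASES.items() if action in aliases)
    return names


def any_pattern_matches(patterns, action):
    # fnmatchcase: '*' matches any run, '?' one character. Action names contain no
    # '[', so the character-class syntax of fnmatch cannot interfere.
    return any(fnmatchcase(name, pattern) for pattern in patterns for name in names_of(action))


def statement_covers(statement, action):
    """Does the statement's Action/NotAction element apply to the action (aliases included)?"""
    if "Action" in statement:
        return any_pattern_matches(_as_list(statement["Action"]), action)
    if "NotAction" in statement:
        return not any_pattern_matches(_as_list(statement["NotAction"]), action)
    return False


def decide(policy, action):
    """Explicit Deny wins; otherwise Allow if any statement allows; else implicit deny."""
    outcome = "ImplicitDeny"
    for statement in _as_list(policy["Statement"]):
        if not statement_covers(statement, action):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        outcome = "Allow"
    return outcome


if __name__ == "__main__":
    for name, policy in [("deny", DENY_POLICY), ("not_action", NOT_ACTION_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, decide(policy, "eip:vpcIgws:create"))
```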

General Warning - Unsupported Service (UNSUPPORTED_SERVICE)

The finding includes the following message:

The service {service} in {key} does not exist. Use a valid service name. Did you mean {valid_service} ?

Resolving the general warning

Enter a valid service name. The service name specified in the condition key and resource must match a cloud service.

General Warning - Unsupported Service in Action (UNSUPPORTED_SERVICE_IN_ACTION)

The finding includes the following message:

The service {service} specified in the action {action} does not exist. Use a valid service name. Did you mean {valid_service} ?

Resolving the general warning

Enter a valid service name. The service name specified in the action must match a cloud service.

General Warning - Deprecated Operator (DEPRECATED_OPERATOR)

The finding includes the following message:

StringLike and StringNotLike are deprecated operators, if you want to use wildcard, please use StringMatch or StringNotMatch instead.

Resolving the general warning

The StringLike operator matches any string that contains the specified substring, regardless of case. Use StringMatch together with wildcard characters instead of StringLike.

Example of using the StringLike operator:

"StringLike": {
    "g:DomainName": "zhuzhu"
}

Example of using StringMatch:

"StringMatch": {
    "g:DomainName": "*zhuzhu*"
}

General Warning - Action with Unsupported Requested Region (ACTION_WITH_UNSUPPORTED_REQUESTED_REGION)

The finding includes the following message:

This action does not support use with "g:RequestedRegion". It is recommended that you move this unsupported action to other statements which do not contain this condition key.

Resolving the general warning

Do not use the action with "g:RequestedRegion". Move the unsupported action to another statement that does not contain the condition key.

Security Warning - Pass Agency with NotResource (PASS_AGENCY_WITH_NOT_RESOURCE)

The finding includes the following message:

Using the "iam:agencies:pass" action with "NotResource" can be overly permissive because it can allow "iam:agencies:pass" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass agencies or trust agencies to corresponding cloud services. To do so, you need to attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). Using iam:agencies:pass in a policy with the "NotResource" element allows the principal (IAM users, agencies, or trust agencies) to access more services or features than you intended. You are advised to specify allowed URNs in the "Resource" element.

Security Warning - Pass Agency with Star in Action and NotResource (PASS_AGENCY_WITH_STAR_IN_ACTION_AND_NOT_RESOURCE)

The finding includes the following message:

Using an action with a wildcard "*" and "NotResource" can be overly permissive because it can allow "iam:agencies:pass" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass agencies or trust agencies to corresponding cloud services. To do so, you need to attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). Policies that use the wildcard (*) in the "Action" element and include the "NotResource" element can allow the principal to access more services or features than you intended. You are advised to specify allowed URNs in the "Resource" element.

Security Warning - Pass Agency with NotAction and NotResource (PASS_AGENCY_WITH_NOT_ACTION_AND_NOT_RESOURCE)

The finding includes the following message:

Using "NotAction" with "NotResource" can be overly permissive because it can allow "iam:agencies:pass" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass agencies or trust agencies to corresponding cloud services. To do so, you need to attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). If you use the "NotAction" element and list some resources in the "NotResource" element, the principal (IAM user, agency, or trust agency) can access more services or features than you intended. You are advised to specify allowed URNs in the "Resource" element.

Security Warning - Pass Agency with Star in Resource (PASS_AGENCY_WITH_STAR_IN_RESOURCE)

The finding includes the following message:

Using the "iam:agencies:pass" action for all resources can be overly permissive because it allows "iam:agencies:pass" permissions on multiple resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass agencies or trust agencies to corresponding cloud services. To do so, you need to attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). If iam:agencies:pass is allowed and "Resource" contains only the wildcard (*), the principal (IAM user, agency, or trust agency) can access more services or functions than expected. If "Resource" or "NotResource" is not specified in a policy, all resources are included by default. You are advised to specify allowed URNs in the "Resource" element.

Security Warning - Pass Agency with Star in Action and Resource (PASS_AGENCY_WITH_STAR_IN_ACTION_AND_RESOURCE)

The finding includes the following message:

Using wildcards "*" in the action for all resources can be overly permissive because it allows "iam:agencies:pass" permissions on all resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass agencies or trust agencies to corresponding cloud services. To do so, you need to attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). Policies that use the wildcard (*) in both the "Action" and the "Resource" elements can allow the principal (IAM user, agency, or trust agency) to access more services or features than you intended. If "Resource" or "NotResource" is not specified in a policy, all resources are included by default. You are advised to specify allowed URNs in the "Resource" element.

Security Warning - Pass Agency with Star in Resource and NotAction (PASS_AGENCY_WITH_STAR_IN_RESOURCE_AND_NOT_ACTION)

The finding includes the following message:

Allow all resources with "NotAction" can be overly permissive because it allows "iam:agencies:pass" permissions on all resources. We recommend that you specify resource URNs instead.

Resolving the security warning

To allow interaction among multiple cloud services, you must pass an agency or trust agency to the cloud service that will act on your behalf. To do so, you attach the "iam:agencies:pass" action to the principal (IAM user, user group, agency, or trust agency). A statement that uses the "NotAction" element together with the wildcard (*) in the "Resource" element allows every action that is not listed, including "iam:agencies:pass", on every agency, so the principal (IAM user, agency, or trust agency) can access more services or features than you intended. If neither "Resource" nor "NotResource" is specified in a statement, all resources are included by default. You are advised to list the allowed agency URNs in the "Resource" element.
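The three "Pass Agency" warnings above are mechanical checks on the shape of an Allow statement, so they are easy to reproduce before a policy is submitted. The following checker is an added example written for this page; it is not part of IAM Access Analyzer. It only reimplements the three findings named above, treating a statement with neither "Resource" nor "NotResource" as covering all resources, as the text describes. The sample policies are constructed, and the agency URN in SCOPED_POLICY is a hypothetical value, not a format taken from the page.

```python
"""Flag the overly permissive "iam:agencies:pass" patterns from the page.

Added example; not IAM Access Analyzer code. Covers only the three finding
codes named in the text. The agency URN in SCOPED_POLICY is hypothetical.
"""
import fnmatch
import json

PASS_ACTION = "iam:agencies:pass"


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _covers(patterns, action):
    """True if any action pattern (with * wildcards) matches the action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _grants_pass(stmt):
    """True if an Allow statement lets the principal call iam:agencies:pass."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Action" in stmt:
        return _covers(_as_list(stmt["Action"]), PASS_ACTION)
    if "NotAction" in stmt:
        # NotAction allows every action that is NOT listed
        return not _covers(_as_list(stmt["NotAction"]), PASS_ACTION)
    return False


def check_pass_agency(policy):
    """Return (statement index, finding code) for each risky statement."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if not _grants_pass(stmt):
            continue
        resources = _as_list(stmt.get("Resource"))
        not_resources = _as_list(stmt.get("NotResource"))
        # No Resource and no NotResource means all resources, same as "*"
        star_resource = "*" in resources or (not resources and not not_resources)
        if not star_resource:
            continue  # scoped to named URNs (or a NotResource list); not flagged here
        if "NotAction" in stmt:
            findings.append((idx, "PASS_AGENCY_WITH_STAR_IN_RESOURCE_AND_NOT_ACTION"))
        elif PASS_ACTION not in _as_list(stmt["Action"]):
            # pass is granted only through a wildcard action pattern such as "*"
            findings.append((idx, "PASS_AGENCY_WITH_STAR_IN_ACTION_AND_RESOURCE"))
        else:
            findings.append((idx, "PASS_AGENCY_WITH_STAR_IN_RESOURCE"))
    return findings


def check_pass_agency_json(text):
    """Same check for a policy document given as JSON text."""
    return check_pass_agency(json.loads(text))


# Constructed sample policies (not taken from the page)
WILDCARD_POLICY = {
    "Version": "5.0",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:agencies:pass"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": "*"},  # no Resource: all resources by default
        {"Effect": "Allow", "NotAction": ["ecs:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:agencies:pass"], "Resource": ["*"]},
    ],
}
SCOPED_POLICY = {
    "Version": "5.0",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:agencies:pass"],
        # hypothetical agency URN; use the URN format of your own cloud
        "Resource": ["iam:*:123456789:agency:example-agency"],
    }],
}

if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, check_pass_agency(policy))
```

The Deny statement in WILDCARD_POLICY is deliberately skipped: only Allow statements grant the action, and the findings describe over-grants. Run this over a policy before attaching it, and treat any result as a reason to replace the wildcard with the agency URNs the workload actually needs.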

Security Warning - ForAllValues with Single-valued Key (FORALLVALUES_WITH_SINGLE_VALUED_KEY)

The finding includes the following message:

The condition key {key} is a single-valued condition key. It can be overly permissive with condition qualifier "ForAllValues". We recommend that you remove "ForAllValues:".

Resolving the security warning

For all operators except the Null operator, you can add the ForAllValues: or ForAnyValue: prefix to turn the operator into a set operator. For request keys that carry multiple values, you must add one of these prefixes; for a single-valued key, no prefix is needed.

With the ForAllValues: prefix, the condition returns true if every value of the key in the request matches at least one value in the policy. It therefore also returns true when the key resolves to an empty array, which includes the case where the key is absent from the request. Applied to a single-valued key, ForAllValues adds nothing to the match and instead lets requests that do not carry the key at all satisfy the condition, which is why the check flags it. If the key does not match the request, the result additionally depends on whether the operator contains IfExists or Not. Remove the ForAllValues: prefix and use the plain operator, which returns false when the key is absent.

Security Warning - Deny Action with Unsupported Tag Condition Key (DENY_ACTION_WITH_UNSUPPORTED_TAG_CONDITION_KEY)

The finding includes the following message:

Deny action with unsupported "g:ResourceTag" tag condition key does not affect the policy. It is recommended that you move this unsupported action to other statements which does not contain this tag condition key. 

Resolving the security warning

Using a tag condition key that an action does not support in the "Condition" element of a statement with "Effect": "Deny" can be overly permissive, because the statement never matches that action: the key is absent from the request context for that action, so the condition is never satisfied and the action is not denied. You are advised to remove the actions that do not support the tag condition key from that statement and create another Deny statement for them that names the resources explicitly in the "Resource" element.

If you use the g:ResourceTag condition key with a service action that does not support it, the Deny statement has no effect on that action. This happens even if the resource is tagged correctly.

When an action supports the g:ResourceTag condition key, you can use tags to control access to resources. This is known as attribute-based access control (ABAC). For actions that do not support these condition keys, you must control access by listing the resources in the "Resource" element (resource-based access control, RBAC).

For example, assume that you want to prevent team members from viewing the details and the list of VPCs tagged with {"team": "engineering"}. However, the action that lists VPCs does not support the g:ResourceTag condition key. In this case, move this action to a new Deny statement and specify the resources it applies to:

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Deny",
		"Action": ["vpc:vpcs:get"],
		"Resource": ["*"],
		"Condition": {
			"StringEquals": {
				"g:ResourceTag/team": "engineering"
			}
		}
	}, {
		"Effect": "Deny",
		"Action": ["vpc:vpcs:list"],
		"Resource": ["vpc:*:123456789:vpc:11111111-d755-4538-0000-111111111111"]
	}]
}

Security Warning - Restrict Access to Service Principal (RESTRICT_ACCESS_TO_SERVICE_PRINCIPAL)

The finding includes the following message:

Granting access to a service principal of unknown source is overly permissive. Restrict the source by using condition keys like "g:SourceAccount" or "g:SourceUrn" to grant fine-grained access. 

Resolving the security warning

You can specify the "Service" key in the "Principal" element of a resource policy to allow a cloud service to perform operations on your resource on your behalf. Without a condition, the service can act on your resource whenever any caller, including another account, directs it to do so; this is the confused deputy problem. Use the g:SourceAccount or g:SourceUrn condition key to limit the grant to requests that the service makes on behalf of your own account or of a specific resource.

Security Warning - Overly Permissive in Empty Array Condition (OVERLY_PERMISSIVE_IN_EMPTY_ARRAY_CONDITION)

The finding includes the following message:

When the value of the multi-valued condition key {key} is an empty array, the combination of "ForAllValues" and operators that do not contain "Not" may be overly permissive. We recommend that you delete the condition key. 

Resolving the security warning

With the ForAllValues: prefix and an operator that does not contain Not, the condition returns true if each value of the key in the request matches at least one value in the policy. If the key is not present in the request, the result depends on whether the operator contains IfExists. Because the condition also returns true when the key resolves to an empty array, a ForAllValues condition on a multi-valued key whose value may be empty matches requests that carry none of the values you listed, so it does not restrict anything in that case. You are advised to remove the condition key. If you want to test whether the key is absent from the request context, use the Null condition operator instead.
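The two findings above (FORALLVALUES_WITH_SINGLE_VALUED_KEY and OVERLY_PERMISSIVE_IN_EMPTY_ARRAY_CONDITION) both come down to how set qualifiers treat a missing or empty key. The following evaluator is an added example written for this page, not the IAM policy engine; it implements the evaluation rules the text states (a missing key resolves to an empty set, ForAllValues is vacuously true on that set, ForAnyValue needs one match, IfExists makes a missing key match, Null tests presence, and a Not operator is true when the key is missing) so that the overly permissive cases can be observed directly. g:SourceAccount is a single-valued key from the page; g:TagKeys is a hypothetical multi-valued key used only for illustration, and the request contexts are constructed.

```python
"""Model how set qualifiers change condition evaluation.

Added example for this page, not the IAM policy engine. g:TagKeys is a
hypothetical multi-valued key; request contexts are constructed.
"""
import fnmatch


def _as_list(value):
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _base_match(op, request_value, policy_values):
    """Compare one request value with the policy values for a base operator."""
    if op == "StringEquals":
        return request_value in policy_values
    if op == "StringNotEquals":
        return request_value not in policy_values
    if op == "StringLike":
        return any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    if op == "StringNotLike":
        return not any(fnmatch.fnmatchcase(request_value, p) for p in policy_values)
    raise ValueError(f"unsupported operator {op}")


def evaluate_operator(operator, key, policy_values, context):
    """Evaluate one operator/key pair.

    context maps a condition key to the list of values the request carries;
    a key absent from context is missing from the request, [] is present but empty.
    """
    qualifier, _, op = operator.rpartition(":")  # "" qualifier for plain operators
    if_exists = op.endswith("IfExists")
    base = op[: -len("IfExists")] if if_exists else op
    policy_values = _as_list(policy_values)
    present = key in context
    values = context.get(key, [])

    if base == "Null":
        # "true" means the key must be absent, "false" means it must be present
        return present != (str(policy_values[0]).lower() == "true")
    if qualifier == "ForAllValues":
        # every request value must match; an empty set (or missing key) is vacuously true
        return all(_base_match(base, v, policy_values) for v in values)
    if qualifier == "ForAnyValue":
        if not present:
            return if_exists
        return any(_base_match(base, v, policy_values) for v in values)
    # no qualifier: the key is single-valued
    if not present:
        return if_exists or base.startswith("StringNot")  # Not operators match on absence
    if len(values) != 1:
        return False  # multiple values require a set qualifier
    return _base_match(base, values[0], policy_values)


def evaluate_condition(condition, context):
    """All operators and all keys in a Condition block must be true (logical AND)."""
    return all(
        evaluate_operator(operator, key, policy_values, context)
        for operator, keys in condition.items()
        for key, policy_values in keys.items()
    )


if __name__ == "__main__":
    single = {"g:SourceAccount": ["123456789"]}
    no_key = {}                      # constructed: request carries no source account
    empty_tags = {"g:TagKeys": []}   # constructed: multi-valued key present but empty
    print("ForAllValues on single-valued key, key absent:",
          evaluate_condition({"ForAllValues:StringEquals": single}, no_key))   # True
    print("plain operator, key absent:",
          evaluate_condition({"StringEquals": single}, no_key))                # False
    print("ForAllValues on empty array:",
          evaluate_condition({"ForAllValues:StringEquals": {"g:TagKeys": ["team"]}}, empty_tags))  # True
    print("Null test for absent key:",
          evaluate_condition({"Null": {"g:TagKeys": "true"}}, no_key))         # True
```

The first and third results are the two warnings: a request that omits the key, or carries an empty set, satisfies a ForAllValues condition, so an Allow statement guarded by it grants access to exactly the requests the author meant to exclude. The same evaluator also shows the Not-operator pitfall (StringNotEquals on an absent key is true), which is worth remembering when such a condition sits in a Deny statement.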

Security Warning - Missing Paired Condition Keys (MISSING_PAIRED_CONDITION_KEYS)

The finding includes the following message:

When the condition key {paired_condition_key} is not used, it can be overly permissive to use {condition_key} alone. When used with a related condition key, such condition key is safer. It is recommended that you add related condition keys. 

Resolving the security warning

Some condition keys are more secure when paired with other related condition keys. It is recommended that you include the related condition keys in the same condition block as the existing condition key. This makes the permissions granted through the policy more secure. For example, if you use the "g:VpcSourceIp" condition key to control access from the VPC, you are advised to add "g:SourceVpc" or "g:SourceVpce" for more refined control to make this policy more secure.

Condition keys "g:VpcSourceIp", "g:SourceVpc", and "g:SourceVpce" are valid only if the request is initiated from a VPC through a VPC endpoint.

Security Warning - Using Alias in Action of Allow Statement (USING_ALIAS_IN_ACTION_OF_ALLOW_STATEMENT)

The finding includes the following message:

When the alias {alias} of the action {action} is included in "Action" of an allow statement, action {action} will also be allowed. If it is not your intended authorization, please specify the action {action} in "Action" of other deny statements to deny unintended authorization. 

Resolving the security warning

Some actions are renamed to comply with naming standards or to split permissions for finer-grained management. To stay compatible with the original actions, the new actions are registered as aliases of the original ones.

For a policy statement with "Effect" set to "Allow", if an action or any of its aliases matches any pattern in the "Action" element, the action will be allowed.

For example, vpc:vpcs:create is an alias of eip:vpcIgws:create. The following policy will also allow the eip:vpcIgws:create action.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Allow",
		"Action": [
			"vpc:vpcs:create"
		]
	}]
}

If you do not want to allow eip:vpcIgws:create, list it in the "Action" element of a separate Deny statement:

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Allow",
			"Action": [
				"vpc:vpcs:create"
			]
		},
		{
			"Effect": "Deny",
			"Action": [
				"eip:vpcIgws:create"
			]
		}
	]
}

"Effect": "Deny" defines an explicit deny. An action that no statement with "Effect": "Allow" matches is implicitly denied, but because the Allow statement above matches eip:vpcIgws:create through its alias, the implicit deny no longer covers it. You therefore need to explicitly deny the actions you did not intend to allow.

Security Warning - Excluding Alias with NotAction In Deny Statement (EXCLUDING_ALIAS_WITH_NOT_ACTION_IN_DENY_STATEMENT)

The finding includes the following message:

When the alias {alias} of the action {action} is excluded with "NotAction" of a deny statement, action {action} will also be excluded. If it is not your intended authorization, please specify the action {action} in "Action" of other deny statements to deny unintended authorization. 

Resolving the security warning

Some actions are renamed to comply with naming standards or to split permissions for finer-grained management. To stay compatible with the original actions, the new actions are registered as aliases of the original ones.

For a policy statement with "Effect" set to "Deny", if an action or any of its aliases matches any pattern in the "NotAction" element, the action will not be denied.

For example, vpc:vpcs:create is an alias of eip:vpcIgws:create. The following policy will also exclude the eip:vpcIgws:create action.

{
	"Version": "5.0",
	"Statement": [{
		"Effect": "Deny",
		"NotAction": [
			"vpc:vpcs:create"
		]
	}]
}

If you do not want to exclude eip:vpcIgws:create from the deny, list it in the "Action" element of a separate Deny statement:

{
	"Version": "5.0",
	"Statement": [{
			"Effect": "Deny",
			"NotAction": [
				"vpc:vpcs:create"
			]
		},
		{
			"Effect": "Deny",
			"Action": [
				"eip:vpcIgws:create"
			]
		}
	]
}
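The two alias findings (USING_ALIAS_IN_ACTION_OF_ALLOW_STATEMENT and EXCLUDING_ALIAS_WITH_NOT_ACTION_IN_DENY_STATEMENT) follow from one matching rule: a requested action matches a pattern if the action itself or any alias registered for it matches. The evaluator below is an added example written for this page, not the IAM policy engine. It uses only the alias relationship the page gives (vpc:vpcs:create is an alias of eip:vpcIgws:create), applies the rule in "Action" and "NotAction" alike, and reproduces the four policies above; ecs:servers:create is a hypothetical third action used for contrast, and resource and condition matching are out of scope.

```python
"""Alias-aware action matching for Allow, Deny and NotAction statements.

Added example for this page, not the IAM policy engine. The only alias
relationship is the one the page states; ecs:servers:create is hypothetical.
"""
import fnmatch

# original action -> aliases registered for it (relationship taken from the page)
ALIASES_OF = {"eip:vpcIgws:create": {"vpc:vpcs:create"}}

ALLOW, IMPLICIT_DENY, EXPLICIT_DENY = "allow", "implicit_deny", "explicit_deny"


def _as_list(value):
    return list(value) if isinstance(value, list) else [value]


def names_for(action):
    """The requested action plus every alias registered for it; all are tried against patterns."""
    return {action} | ALIASES_OF.get(action, set())


def _matches(patterns, action):
    return any(fnmatch.fnmatchcase(name, p) for p in patterns for name in names_for(action))


def statement_applies(stmt, action):
    """Does this statement cover the requested action (aliases included)?"""
    if "Action" in stmt:
        return _matches(_as_list(stmt["Action"]), action)
    if "NotAction" in stmt:
        # NotAction applies the statement to everything that is NOT listed, aliases included
        return not _matches(_as_list(stmt["NotAction"]), action)
    return False


def evaluate(policy, action):
    """Explicit Deny wins over Allow; no matching Allow is an implicit deny."""
    result = IMPLICIT_DENY
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return EXPLICIT_DENY
        result = ALLOW
    return result


# The four policies from the text, reduced to their Action/NotAction elements
ALLOW_ALIAS = {"Version": "5.0", "Statement": [
    {"Effect": "Allow", "Action": ["vpc:vpcs:create"]}]}
ALLOW_ALIAS_DENY_ORIGINAL = {"Version": "5.0", "Statement": ALLOW_ALIAS["Statement"] + [
    {"Effect": "Deny", "Action": ["eip:vpcIgws:create"]}]}
DENY_EXCEPT_ALIAS = {"Version": "5.0", "Statement": [
    {"Effect": "Deny", "NotAction": ["vpc:vpcs:create"]}]}
DENY_EXCEPT_ALIAS_DENY_ORIGINAL = {"Version": "5.0", "Statement": DENY_EXCEPT_ALIAS["Statement"] + [
    {"Effect": "Deny", "Action": ["eip:vpcIgws:create"]}]}

if __name__ == "__main__":
    for name, policy in (("allow alias", ALLOW_ALIAS),
                         ("allow alias + deny original", ALLOW_ALIAS_DENY_ORIGINAL),
                         ("deny NotAction alias", DENY_EXCEPT_ALIAS),
                         ("deny NotAction alias + deny original", DENY_EXCEPT_ALIAS_DENY_ORIGINAL)):
        for action in ("vpc:vpcs:create", "eip:vpcIgws:create", "ecs:servers:create"):
            print(f"{name}: {action} -> {evaluate(policy, action)}")
```

Note the direction of the lookup: a request for the original action eip:vpcIgws:create is also compared under its alias vpc:vpcs:create, but a request for vpc:vpcs:create is not compared under eip:vpcIgws:create. That asymmetry is what makes the page's fix work: the added Deny on eip:vpcIgws:create removes the unintended grant while leaving vpc:vpcs:create allowed.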