Help Center/ Identity and Access Management_Identity and Access Management (New Edition)/ User Guide/ Access Analyzer/ Validating Policies/ Validating a Custom Identity Policy
Updated on 2025-11-07 GMT+08:00
View PDF
Share

Validating a Custom Identity Policy

IAM Access Analyzer helps you check IAM custom identity policies, IAM trust policies, and Service control policies (SCPs) in Organizations against policy grammar. Policy validation check findings include security warnings, errors, general warnings, and suggestions. You can use the findings to create policies that are functional and secure. Access analyzer provides check findings when you create or edit custom identity policies and trust policies on the IAM console and SCPs on the Organizations console in the JSON format, or by calling APIs. The following example describes how to validate a custom identity policy with Access Analyser on the IAM console.

Validating Identity Policies (IAM Console)

  1. Log in to the new IAM console.
  2. In the navigation pane, click Identity Policies. In the upper right corner, click Create Identity Policy.

    Figure 1 Creating an identity policy

  3. Select JSON for Policy View.
  4. (Optional) In the Policy Content area, click Select Existing Policy, select an existing policy (for example, EVSFullAccessPolicy), and click OK.

    You can select multiple policies of the same applicable scope (either Global services or Project-level services.) If you need permissions for both global and project-level services, create two policies for more refined access control.

  5. Modify policy statements.

    • Effect: Set it to Allow or Deny.
    • Action: Enter the actions listed in the API actions table (see Figure 2) of each service.
      Figure 2 API actions

  6. The access analyzer automatically checks the policy and displays the check findings in the lower part of the Policy Content. You can click a result category to view details.

    • Security: Indicates security risks, which may be caused by overly permissive access.
    • Errors: Indicate errors that prevent the policy from functioning, such as grammar errors or invalid parameters. If an error occurs, the policy cannot be created.
    • Warnings: Indicate errors that prevent the policy from functioning, such as a mismatch between a parameter type and a value. The policy can still be created even if there is a warning.
    • Suggestions: Indicate suggestions for the policy to achieve expected results. For example, suggestions are given when there are empty arrays or empty objects.

    You are advised to adjust the policy based on the suggestions. Access Analyzer Policy Check Reference provides the solutions.

    Figure 3 Viewing policy validation check findings

  7. (Optional) Enter a brief description for the identity policy.
  8. Click OK.
  9. Attach the identity policy to a user group. Users in the group then have the permissions defined in the policy.
Parent topic: Validating Policies