Updated on 2025-11-07 GMT+08:00

Checking New Access Granted by Policies

You can run a check on a custom policy to determine whether your updated policy grants new access compared to the original one. If the modified permissions grant new access and you do not intend to grant it, update the policy and click Check Policy until no new access is detected. If you intend to grant the new access, check that the policy meets your requirements and save the policy.

When using the JSON policy editor to edit policies on the IAM console, you can check identity policies as well as the trust policies of trust agencies.

Constraints

  • A policy with only deny statements cannot be used to check for new access.
  • The check cannot run on policies with syntax errors.
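
The following Python example is added here and is not Huawei Cloud code or the console's implementation: it approximates the comparison offline by listing the Allow (action, resource) pairs in an edited policy that no Allow pair in the original covers, and it rejects the two inputs named in the constraints above. It assumes policies are JSON with Statement, Effect, Action and Resource keys, that a missing Resource means all resources, and that only * is a wildcard; it ignores conditions and the effect of Deny statements, and all action and resource names are constructed placeholders.

```python
import json
import re

def _covers(old_pat, new_pat):
    """True if old_pat (only '*' is a wildcard) matches everything new_pat can match."""
    regex = ".*".join(re.escape(part) for part in old_pat.split("*"))
    return re.fullmatch(regex, new_pat) is not None

def _allow_pairs(policy_text):
    """Parse a policy and return the (action, resource) pairs of its Allow statements."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"policy has a syntax error: {exc}") from exc
    pairs = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never add access, so they are skipped here
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", ["*"])  # assumption: no Resource means all
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        pairs.update((a, r) for a in actions for r in resources)
    return pairs

def new_access(old_text, new_text):
    """Return Allow pairs in the edited policy that no Allow pair in the original covers."""
    old_pairs, new_pairs = _allow_pairs(old_text), _allow_pairs(new_text)
    if not new_pairs:
        raise ValueError("edited policy has no Allow statements; nothing to compare")
    return sorted(
        (a, r) for a, r in new_pairs
        if not any(_covers(oa, a) and _covers(orr, r) for oa, orr in old_pairs)
    )

# Constructed sample policies; action and resource names are placeholders.
ORIGINAL = '{"Statement": [{"Effect": "Allow", "Action": ["svc:object:get*"], "Resource": ["svc:bucket-a/*"]}]}'
EDITED = '''{"Statement": [
  {"Effect": "Allow", "Action": ["svc:object:getMeta", "svc:object:put"], "Resource": ["svc:bucket-a/*"]},
  {"Effect": "Allow", "Action": ["svc:object:get*"], "Resource": ["*"]},
  {"Effect": "Deny",  "Action": ["svc:object:delete"], "Resource": ["*"]}
]}'''

if __name__ == "__main__":
    for action, resource in new_access(ORIGINAL, EDITED):
        print(f"new access: {action} on {resource}")
```

A pre-check like this only narrows what to look at before saving; the console's Check Policy result remains the authoritative finding.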

Checking Whether Identity Policies Grant New Access

  1. In the navigation pane of the IAM console, click Identity Policies.
  2. Click the name of the target custom identity policy.
  3. On the Policy Content tab, click Edit to edit the details about the identity policy.

    Figure 1 Modifying a custom identity policy

  4. Modify the custom identity policy as required. At the lower right corner of the displayed page, click Check for New Access.
  5. Click Check Policy to view the findings.

    Figure 2 Checking an identity policy

    If new access is detected and you do not intend to grant it, update the identity policy and click Check Policy until no new access is detected.

Checking Whether Trust Policies Grant New Access

  1. Log in to the new IAM console.
  2. In the navigation pane, choose Agencies. Locate the target agency and click Modify in the Operation column.

    Figure 3 Modifying a trust agency

  3. In the lower part of the Basic Information page, locate the Trust Policy tab and click Edit Trust Policy.

    Figure 4 Editing a trust policy

  4. At the lower right corner of the displayed page, click Check for New Access.
  5. Click Check Policy to view the findings.

    Figure 5 Previewing external access

    If new access is detected and you do not intend to grant it, update the trust policy and click Check Policy until no new access is detected.