Validate policies with IAM Access Analyzer custom policy checks

You can use custom policy checks to check for new access based on your security standards. A charge is associated with each check for new access. For more details about pricing, see IAM Access Analyzer pricing.

Validating policies with custom policy checks (console)

As an optional step, you can run a custom policy check when editing a policy in the JSON policy editor in the IAM console. You can check whether the updated policy grants new access compared to the existing version.

To check for new access when editing IAM JSON policies
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane on the left, choose Policies.
  3. In the list of policies, choose the policy name of the policy that you want to edit. You can use the search box to filter the list of policies.
  4. Choose the Permissions tab, and then choose Edit.
  5. Choose the JSON option and make updates to your policy.
  6. In the policy validation pane below the policy, choose the Check for new access tab and then choose Check policy. If the modified permissions grant new access, the statement will be highlighted in the policy validation pane.
  7. If you don't intend to grant new access, update the policy statement and choose Check policy until no new access is detected.
  8. Choose Next.
  9. On the Review and save page, review Permissions defined in this policy and then choose Save changes.

Validating policies with custom policy checks (AWS CLI or API)

You can run IAM Access Analyzer custom policy checks from the AWS CLI or the IAM Access Analyzer API.
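As an added example that is not part of the AWS documentation, the following Python (boto3) code runs the same check programmatically through the CheckNoNewAccess API, which is what the console's Check for new access tab uses. The two policy documents and the sample response are constructed for illustration; run_check() assumes AWS credentials are configured and, like every check, incurs the per-check charge.

```python
"""Check an edited IAM policy for new access with IAM Access Analyzer.

Added example, not AWS documentation code. The policy documents and the
sample response are constructed; run_check() needs AWS credentials.
"""
import json

# Constructed: the policy as it exists today (read-only on one bucket).
EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOnly", "Effect": "Allow",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

# Constructed: the edited version, which additionally allows writes.
NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": EXISTING_POLICY["Statement"] + [
        {"Sid": "AddWrite", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def build_request(existing, new, policy_type="IDENTITY_POLICY"):
    """CheckNoNewAccess parameters; both documents are sent as JSON strings."""
    return {"existingPolicyDocument": json.dumps(existing),
            "newPolicyDocument": json.dumps(new),
            "policyType": policy_type}


def interpret(response, new_policy):
    """Map a CheckNoNewAccess response to (passed, Sids of flagged statements).

    statementIndex in each reason is 0-based into the NEW policy's Statement
    list, which is how the console highlights the offending statement."""
    stmts = new_policy["Statement"]
    flagged = [stmts[r["statementIndex"]].get("Sid")
               for r in response.get("reasons", []) if "statementIndex" in r]
    return response["result"] == "PASS", flagged


def run_check(existing, new, policy_type="IDENTITY_POLICY"):
    """Call the live API (credentials required) and interpret the result."""
    import boto3  # imported here so the helpers above work offline
    client = boto3.client("accessanalyzer")
    resp = client.check_no_new_access(**build_request(existing, new, policy_type))
    return interpret(resp, new)


# Constructed sample FAIL response, shaped like the API's for NEW_POLICY.
SAMPLE_FAIL_RESPONSE = {
    "result": "FAIL", "message": "The modified permissions grant new access.",
    "reasons": [{"description": "New access in the statement.",
                 "statementIndex": 1, "statementId": "AddWrite"}]}
```

Treat a FAIL as a gate in a pipeline: block the policy update until the flagged statement is revised and the check returns PASS, mirroring step 7 of the console procedure.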

To run IAM Access Analyzer custom policy checks (AWS CLI)

To run IAM Access Analyzer custom policy checks (API)