I want to troubleshoot policy validation warnings or errors when I create or edit an AWS Identity and Access Management (IAM) policy in the visual editor.
Short description
The IAM visual editor uses IAM Access Analyzer to validate policies against IAM grammar and AWS best practices.
Validation findings appear in the following four categories:
- Security
- Errors
- Warnings
- Suggestions
If you receive the following error message when you try to view findings on the IAM console, then your IAM identity doesn't have the access-analyzer:ValidatePolicy permission:
"You need permissions. You do not have the permissions required to perform this operation"
To resolve this issue, add the permission to your identity-based policy or contact your IAM administrator to grant you the permission. Then, take the following actions to identify and resolve validation findings.
Resolution
Resolve errors, security warnings, and general warnings in the visual editor
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, confirm that you're using the most recent AWS CLI version.
If you get an error in the IAM visual editor, then you must resolve the issue before you can save the policy. If you get a security warning, then an IAM user might have more permissions than necessary. As a best practice, follow the principle of least privilege when you grant permissions to your IAM users. If you get a general warning, then you're non-compliant with IAM best practices but there's no security risk.
To view and resolve these issues, see Validating policies in IAM (console). You can also use the AWS CLI or AWS API to view findings.
Resolve the "IAM does not recognize one or more actions" warning
If an action name doesn't match a known IAM action, then you receive the following warning message:
"IAM does not recognize one or more actions"
To resolve this issue, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Policies.
- Choose the name of the policy, then choose Edit.
- In the policy editor, choose the JSON tab.
- Review the policy for typos in the service prefix, action name, or Amazon Resource Name (ARN) format.
- Choose Next to review the policy summary and confirm that the policy provides the necessary permissions.
- Choose Save changes.
For more information about correct action names, see Actions, resources, and condition keys for AWS services.
Note: IAM reviews service names, actions, and resource types for services that support policy summaries. It's a best practice to test your policies with the IAM policy simulator to confirm that the policy grants the necessary permissions.
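As an added example that is not part of this article, the following Python pre-check flags the grammar problems the steps above tell you to look for (service prefix, action name, and ARN format) before you paste a policy into the visual editor. The sample policy and the KNOWN_ACTIONS set are constructed for illustration; the check is a local aid and not a substitute for the IAM Access Analyzer validation that the console runs.

```python
import json
import re

# Local grammar pre-check for the fields the article tells you to review:
# service prefix, action name and ARN format. Authoritative validation is
# IAM Access Analyzer; the CLI equivalent of the console check is
#   aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY \
#       --policy-document file://policy.json
ACTION_RE = re.compile(r"^\*$|^[A-Za-z0-9-]+:[A-Za-z0-9*?]+$")
ARN_RE = re.compile(r"^\*$|^arn:(aws|aws-cn|aws-us-gov):[a-z0-9-]+:[a-z0-9-]*:[a-z0-9]*:.+$")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def precheck_policy(policy_json, known_actions=None):
    """Return (finding_type, message) tuples named like Access Analyzer's types.

    known_actions: optional set of lowercase 'service:Action' names; concrete
    actions outside it are reported as WARNING ("IAM does not recognize...").
    """
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        actions = _as_list(stmt.get("Action", [])) + _as_list(stmt.get("NotAction", []))
        for action in actions:
            if not ACTION_RE.match(action):
                findings.append(("ERROR", f"Statement {i}: malformed action {action!r}"))
            elif action == "*":
                findings.append(("SECURITY_WARNING", f"Statement {i}: Action '*' allows every action"))
            elif (known_actions is not None and "*" not in action
                  and "?" not in action and action.lower() not in known_actions):
                findings.append(("WARNING", f"Statement {i}: unrecognized action {action!r}"))
        resources = _as_list(stmt.get("Resource", [])) + _as_list(stmt.get("NotResource", []))
        for arn in resources:
            if not ARN_RE.match(arn):
                findings.append(("ERROR", f"Statement {i}: malformed ARN {arn!r}"))
    return findings


# Constructed sample: a misspelled action, a missing colon, and a resource without "arn:".
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjct"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam ListUsers",
     "Resource": "aws:iam::123456789012:user/*"}]})
# Constructed allow-list standing in for IAM's real action catalog.
KNOWN_ACTIONS = {"s3:getobject", "iam:listusers", "access-analyzer:validatepolicy"}

if __name__ == "__main__":
    for finding_type, message in precheck_policy(SAMPLE_POLICY, KNOWN_ACTIONS):
        print(f"{finding_type}: {message}")
```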
Check whether an updated policy grants new access
When you edit an existing custom policy, choose the Check for new access tab to confirm that the updated policy doesn't grant new access.
To check for new access, see Validating policies with custom policy checks (console).
Note: You incur a charge with each check for new access. For information about pricing, see AWS IAM Access Analyzer pricing.