Đám mây

AWS IAM Policy Linter

Paste an AWS IAM policy JSON document to validate its structure and surface common security red flags — Allow "*" on Action and Resource, public Principals, conflicting Action/NotAction, missing Version, and malformed service:Operation names.

Tóm tắt công cụ

Công cụ này nhận đầu vào có cấu trúc và trả về đầu ra xác định ngay trong trình duyệt, không tải lên máy chủ.

Tên công cụ: AWS IAM Policy Linter
Mục đích đầu vào: Cung cấp nội dung nguồn để biến đổi, xác thực hoặc phân tích.
Mục đích đầu ra: Nhận đầu ra chuẩn hóa thuận tiện để sao chép, tái sử dụng hoặc gỡ lỗi.
Đầu vào ví dụ: {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}
Đầu ra ví dụ: Error: Allow "*" on Action and Resource grants full administrator access — nearly always too broad.

Local processing / privacy notice

Inputs are processed in your browser session.
We do not send raw input/output values to our analytics endpoint.
Use reset/clear actions when working with confidential data.

The policy is parsed and checked entirely in your browser.

IAM policy JSONDrop file

Load example:

Statements

Errors

Warnings

No issues found. The policy is syntactically well-formed and free of common wildcard red flags.

Formatted policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Giới thiệu công cụ

Tổng quan công cụ

IAM policies are famous for failing silently: they parse fine, attach cleanly, and still grant everything in the account. This linter focuses on the misconfigurations that show up in real security reviews: full-wildcard Allow statements, public-Principal policies with no Condition, missing or outdated Version, and Resource values that do not look like ARNs. It does not resolve policy evaluation (no simulation across identity, resource, SCP, and session policies) — treat it as a fast first-pass editor check, not a replacement for IAM Access Analyzer.

Trường hợp sử dụng

Catch an accidental Action "*" / Resource "*" before you attach the policy
Flag publicly accessible S3 bucket policies before deploying
Enforce Version "2012-10-17" across all new policies
Spot typos in service:Operation strings during code review

Ví dụ đầu vào/đầu ra

Mục đích đầu vào

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}

Mục đích đầu ra

Error: Allow "*" on Action and Resource grants full administrator access — nearly always too broad.

Mục đích đầu vào

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::b/*"}]}

Mục đích đầu ra

Error: Principal "*" with Effect Allow and no Condition exposes the resource publicly.

Câu hỏi thường gặp

Is this a replacement for IAM Access Analyzer?+

No. Access Analyzer runs AWS-side, has the service vocabulary, and can simulate cross-account access. This tool is a client-side linter for the common mistakes you can catch in an editor — it never contacts AWS.

Does it check for deprecated actions or typos?+

It checks that action strings match the "service:Operation" shape. It does not cross-reference the live AWS action catalog — a typo like "s3:GetObjetc" would pass the shape test.

Does my policy leave the browser?+

No. Parsing and linting happen locally. Nothing is uploaded.