Cloud
AWS ARN Parser
Paste any AWS Amazon Resource Name (ARN) and instantly see its partition, service, region, account ID, and resource. Flags malformed ARNs and links you to the matching AWS console page.
Cloud
AWS IAM Policy Linter
Paste an AWS IAM policy JSON document to validate its structure and surface common security red flags — Allow "*" on Action and Resource, public Principals, conflicting Action/NotAction, missing Version, and malformed service:Operation names.
工具摘要
此工具接收结构化输入,在浏览器中返回确定性输出,无需上传到服务器。
- 工具名称
- AWS IAM Policy Linter
- 输入意图
- 提供需要转换、校验或分析的原始内容。
- 输出意图
- 获得可直接复制、复用或排错的规范化输出。
- 示例输入
- {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}
- 示例输出
- Error: Allow "*" on Action and Resource grants full administrator access — nearly always too broad.
Local processing / privacy notice
- Inputs are processed in your browser session.
- We do not send raw input/output values to our analytics endpoint.
- Use reset/clear actions when working with confidential data.
The policy is parsed and checked entirely in your browser.
Load example:
Statements
1
Errors
0
Warnings
0
No issues found. The policy is syntactically well-formed and free of common wildcard red flags.
Formatted policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}工具介绍
Paste an AWS IAM policy JSON document to validate its structure and surface common security red flags — Allow "*" on Action and Resource, public Principals, conflicting Action/NotAction, missing Version, and malformed service:Operation names.
工具概览
IAM policies are famous for failing silently: they parse fine, attach cleanly, and still grant everything in the account. This linter focuses on the misconfigurations that show up in real security reviews: full-wildcard Allow statements, public-Principal policies with no Condition, missing or outdated Version, and Resource values that do not look like ARNs. It does not resolve policy evaluation (no simulation across identity, resource, SCP, and session policies) — treat it as a fast first-pass editor check, not a replacement for IAM Access Analyzer.
使用场景
- Catch an accidental Action "*" / Resource "*" before you attach the policy
- Flag publicly accessible S3 bucket policies before deploying
- Enforce Version "2012-10-17" across all new policies
- Spot typos in service:Operation strings during code review
输入/输出示例
输入意图
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"*","Resource":"*"}]}输出意图
Error: Allow "*" on Action and Resource grants full administrator access — nearly always too broad.
输入意图
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::b/*"}]}输出意图
Error: Principal "*" with Effect Allow and no Condition exposes the resource publicly.
常见问题
Is this a replacement for IAM Access Analyzer?+
No. Access Analyzer runs AWS-side, has the service vocabulary, and can simulate cross-account access. This tool is a client-side linter for the common mistakes you can catch in an editor — it never contacts AWS.
Does it check for deprecated actions or typos?+
It checks that action strings match the "service:Operation" shape. It does not cross-reference the live AWS action catalog — a typo like "s3:GetObjetc" would pass the shape test.
Does my policy leave the browser?+
No. Parsing and linting happen locally. Nothing is uploaded.
探索更多工具
在下方的 Cloud 分类中发现相关工具。
相关工具
精选可能对你有用的实用工具