AWS Security Blog

Coming March 25, 2015: Upgrades to IAM Policy Validation

On March 25, 2015, we will upgrade the Identity and Access Management (IAM) policy validation to help ensure that your policies reflect your intentions. Starting on this day, to save changes to policies, you must first ensure that your policies comply with the IAM policy grammar. Your existing policies will continue to work as they currently do. This upgrade applies only when you update an existing policy or create a new one.

Over the last few months, we’ve added a number of new capabilities that make authoring and managing policies easier. We launched the policy validator that notifies you of noncompliant policies in the IAM console and guides you to a validation tool you can use to help correct your policies. In February, we released managed policies, which enable you to attach a single policy to multiple IAM users, groups, and roles. And last week, we made it easier to author policies in the IAM console with improved error messaging and policy autoformatting. Now, we are upgrading IAM policy validation to help you ensure that you author compliant policies.

To check whether your account has noncompliant policies, sign in to the IAM console. If you see a yellow banner (shown following this paragraph), your AWS account has policies that require editing.

[Image: yellow banner in the IAM console warning that the account has noncompliant policies]

If you have noncompliant policies in your AWS account after March 25, 2015, you must make them compliant before you can save changes to them. For example, let’s say you want to add a permission to the Action element of an existing noncompliant policy. Before you can save this change, you will need to update the policy by using the policy validator in the IAM console or by making the changes to the policy on your own. If you have created your own policy templates or use automated scripts to create or update policies, you might need to update them if they are generating noncompliant policies.
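For teams that generate policies from templates or scripts, a pre-save check that catches the most common grammar slips (a repeated element such as two `Action` keys in one statement, which `json.loads` would otherwise silently collapse, a mis-cased `Effect` value, or both `Action` and `NotAction` in one statement) stops noncompliant documents before they reach IAM. The following is an added example, not AWS code and not the console's policy validator; it checks only a documented subset of the grammar, so treat it as a gate in your pipeline and the IAM validator as the authority. The sample policies and the bucket ARN are constructed for the example, and `add_action` is a hypothetical helper showing the "add a permission to the Action element" change from the paragraph above.

```python
import json
from typing import Any, Dict, List

# Simplified subset of the IAM policy grammar (assumption: the IAM console's
# policy validator is authoritative; this is only a pre-save sanity check).
TOP_LEVEL_KEYS = {"Version", "Id", "Statement"}
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}
VALID_EFFECTS = {"Allow", "Deny"}


class DuplicateKeyError(ValueError):
    """A JSON object repeated a key; plain json.loads would keep only the last value."""


def _no_duplicate_keys(pairs):
    obj: Dict[str, Any] = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def load_policy(text: str) -> Dict[str, Any]:
    """Parse a policy document, rejecting duplicate keys instead of hiding them."""
    return json.loads(text, object_pairs_hook=_no_duplicate_keys)


def _string_or_string_list(value: Any) -> bool:
    return isinstance(value, str) or (
        isinstance(value, list) and all(isinstance(v, str) for v in value))


def check_policy(text: str) -> List[str]:
    """Return grammar problems found in the document; an empty list means none found."""
    problems: List[str] = []
    try:
        doc = load_policy(text)
    except DuplicateKeyError as exc:
        return [f"JSON: {exc}"]
    except json.JSONDecodeError as exc:
        return [f"JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    for key in sorted(set(doc) - TOP_LEVEL_KEYS):
        problems.append(f"unknown top-level element {key!r} (element names are case-sensitive)")
    statements = doc.get("Statement")
    if statements is None:
        problems.append("missing required Statement element")
        return problems
    if isinstance(statements, dict):          # a single statement object is allowed
        statements = [statements]
    if not isinstance(statements, list):
        problems.append("Statement must be an object or an array of objects")
        return problems
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(stmt, dict):
            problems.append(f"{where}: must be a JSON object")
            continue
        for key in sorted(set(stmt) - STATEMENT_KEYS):
            problems.append(f"{where}: unknown element {key!r}")
        if stmt.get("Effect") not in VALID_EFFECTS:
            problems.append(f"{where}: Effect must be exactly 'Allow' or 'Deny'")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action or NotAction is required")
        if "Resource" in stmt and "NotResource" in stmt:
            problems.append(f"{where}: Resource and NotResource cannot both be present")
        for key in ("Action", "NotAction", "Resource", "NotResource"):
            if key in stmt and not _string_or_string_list(stmt[key]):
                problems.append(f"{where}: {key} must be a string or an array of strings")
    return problems


def add_action(text: str, action: str, index: int = 0) -> str:
    """Hypothetical helper: add one permission to a statement's Action element, but
    only after the document passes the grammar check, mirroring the post-upgrade rule."""
    problems = check_policy(text)
    if problems:
        raise ValueError("fix before saving: " + "; ".join(problems))
    doc = load_policy(text)
    statements = doc["Statement"]
    stmt = statements[index] if isinstance(statements, list) else statements
    if "Action" not in stmt:
        raise ValueError("statement uses NotAction; nothing to add to")
    actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else list(stmt["Action"])
    if action not in actions:
        actions.append(action)
    stmt["Action"] = actions
    return json.dumps(doc, indent=2)


# Constructed sample documents (bucket name is a placeholder, not from the post).
COMPLIANT = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket",
                 "Resource": "arn:aws:s3:::example-bucket"}]
}"""
# Same intent, but the statement repeats the Action key: json.loads alone would
# silently keep only the second one, and the grammar forbids the duplicate.
NONCOMPLIANT = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket"}]
}"""

if __name__ == "__main__":
    print("compliant   :", check_policy(COMPLIANT) or "no problems found")
    print("noncompliant:", check_policy(NONCOMPLIANT))
```

Run it once against every policy your templates emit; a non-empty result is exactly the document that would now fail to save in the console, so it is worth failing the pipeline on it rather than discovering the problem when someone next tries to edit the policy.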

For help updating noncompliant IAM policies, refer to Using Policy Validator and Grammar of the IAM Policy Language. As always, if you have questions or suggestions, visit our AWS IAM forum.

– Brigid