

# Policy summary (list of services)

Policies are summarized in three tables: the policy summary, the [service summary](access_policies_understand-service-summary.md), and the [action summary](access_policies_understand-action-summary.md). The *policy summary* table includes a list of services and summaries of the permissions that are defined by the chosen policy. 

![\[Policy summaries diagram image that illustrates the 3 tables and their relationship\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_summaries-pol-sum.png)


The policy summary table is grouped into one or more **Uncategorized services**, **Explicit deny**, and **Allow** sections. If the policy includes a service that IAM does not recognize, then the service is included in the **Uncategorized services** section of the table. If IAM recognizes the service, then it is included under the **Explicit deny** or **Allow** sections of the table, depending on the effect of the policy (`Deny` or `Allow`).

## Understanding the elements of a policy summary


In the following example of a policy details page, the **SummaryAllElements** policy is a managed policy (customer managed policy) that is attached directly to the user. This policy is expanded to show the policy summary. 

![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-user-page-dialog.png)


In the preceding image, the policy summary is visible from within the **Policies** page:

1. The **Permissions** tab includes the permissions defined in the policy.

1. If the policy does not grant permissions to all the actions, resources, and conditions defined in the policy, then a warning or error banner appears at the top of the page. The policy summary then includes details about the problem. To learn how policy summaries help you to understand and troubleshoot the permissions that your policy grants, see [My policy does not grant the expected permissions](troubleshoot_policies.md#policy-summary-not-grant-permissions).

1. Use the **Summary** and **JSON** buttons to toggle between the policy summary and the JSON policy document.

1.  Use the **Search** box to reduce the list of services and find a specific service.

1. The expanded view shows additional details of the **SummaryAllElements** policy.

The following policy summary table image shows the expanded **SummaryAllElements** policy on the policy details page.

![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-table-dialog.png)


In the preceding image, the policy summary is visible from within the **Policies** page:

1. For those services that IAM recognizes, it arranges services according to whether the policy allows or explicitly denies the use of the service. In this example, the policy includes a `Deny` statement for the Amazon S3 service and `Allow` statements for the Billing, CodeDeploy, and Amazon EC2 services.

1. **Service** – This column lists the services that are defined within the policy and provides details for each service. Each service name in the policy summary table is a link to the *service summary* table, which is explained in [Service summary (list of actions)](access_policies_understand-service-summary.md). In this example, permissions are defined for the Amazon S3, Billing, CodeDeploy, and Amazon EC2 services.

1. **Access level** – This column tells whether the actions in each access level (`List`, `Read`, `Write`, `Permission Management`, and `Tagging`) have `Full` or `Limited` permissions defined in the policy. For additional details and examples of the access level summary, see [Access levels in policy summaries](access_policies_understand-policy-summary-access-level-summaries.md).
   + **Full access** – This entry indicates that the service has access to all actions within all four of the access levels available for the service.
   + <a name="full-vs-limited-access-summary"></a>If the entry does not include **Full access**, then the service has access to some but not all of the actions for the service. The access is then defined by the following descriptions for each of the access level classifications (`List`, `Read`, `Write`, `Permission Management`, and `Tagging`):

     **Full**: The policy provides access to all actions within each access level classification listed. In this example, the policy provides access to all of the Billing `Read` actions.

     **Limited**: The policy provides access to one or more but not all actions within each access level classification listed. In this example, the policy provides access to some of the Billing `Write` actions.

1. **Resource** – This column shows the resources that the policy specifies for each service. 
   + **Multiple** – The policy includes more than one but not all of the resources within the service. In this example, access is explicitly denied to more than one Amazon S3 resource.
   + **All resources** – The policy is defined for all resources within the service. In this example, the policy allows the listed actions to be performed on all Billing resources.
   + Resource text – The policy includes one resource within the service. In this example, the listed actions are allowed on only the `DeploymentGroupName` CodeDeploy resource. Depending on the information that the service provides to IAM, you might see an ARN or you might see the defined resource type.
**Note**  
This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the policy summary. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the [policy simulator](access_policies_testing-policies.md).

1. **Request condition** – This column indicates whether the services or actions associated with the resource are subject to conditions.
   + **None** – The policy includes no conditions for the service. In this example no conditions are applied to the denied actions in the Amazon S3 service.
   + Condition text – The policy includes one condition for the service. In this example, the listed Billing actions are allowed only if the IP address of the source matches `203.0.113.0/24`.
   + **Multiple** – The policy includes more than one condition for the service. To view each of the multiple conditions for the policy, choose **JSON** to view the policy document.

1. **Show remaining services** – Toggle this button to expand the table to include the services that are not defined by the policy. These services are *implicitly denied* (or denied by default) within this policy. However, a statement in another policy might still allow or explicitly deny using the service. The policy summary summarizes the permissions of a single policy. To learn about how the AWS service decides whether a given request should be allowed or denied, see [Policy evaluation logic](reference_policies_evaluation-logic.md).

When a policy or an element within the policy does not grant permissions, IAM provides additional warnings and information in the policy summary. The following policy summary table shows the **SummaryAllElements** policy details page with **Show remaining services** expanded, along with the possible warnings.

![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-table-showremaining-dialog.png)


In the preceding image, you can see all services that include defined actions, resources, or conditions with no permissions:

1. **Resource warnings** – For services that do not provide permissions for all of the included actions or resources, you see one of the following warnings in the **Resource** column of the table:
   + **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) No resources are defined.** – This means that the service has defined actions but no supported resources are included in the policy.
   + **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – This means that the service has defined actions, but that some of those actions don't have a supported resource.
   + **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more resources do not have an applicable action.** – This means that the service has defined resources, but that some of those resources don't have a supporting action.

   If a service includes both actions that do not have an applicable resource and resources that do not have an applicable action, then only the **One or more resources do not have an applicable action.** warning is shown. This is because when you view the service summary for the service, resources that do not apply to any action are not shown. For the `ListAllMyBuckets` action, this policy includes the last warning because the action does not support resource-level permissions, and does not support the `s3:x-amz-acl` condition key. If you fix either the resource problem or the condition problem, the remaining issue appears in a detailed warning.

1. **Request condition warnings** – For services that do not provide permissions for all of the included conditions, you see one of the following warnings in the **Request condition** column of the table:
   + **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable condition.** – This means that the service has defined actions, but that some of those actions don't have a supported condition.
   + **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more conditions do not have an applicable action.** – This means that the service has defined conditions, but that some of those conditions don't have a supporting action.

1. **Multiple | ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – The `Deny` statement for Amazon S3 includes more than one resource. It also includes more than one action, and some actions support the resources and some do not. To view this policy, see [**SummaryAllElements** JSON policy document](#policy-summary-example-json). In this case, the policy includes all Amazon S3 actions, and only the actions that can be performed on a bucket or bucket object are denied.

1. **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) No resources are defined** – The service has defined actions, but no supported resources are included in the policy, and therefore the service provides no permissions. In this case, the policy includes CodeCommit actions but no CodeCommit resources.

1. **DeploymentGroupName | string like | All, region | string like | us-west-2 | ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – The service has a defined action, and at least one more action that does not have a supporting resource.

1. **None | ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more conditions do not have an applicable action.** – The service has at least one condition key that does not have a supporting action.

## **SummaryAllElements** JSON policy document


The **SummaryAllElements** policy is not intended for you to use to define permissions in your account. Rather, it is included to demonstrate the errors and warnings that you might encounter while viewing a policy summary.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "billing:Get*",
                "payments:List*",
                "payments:Update*",
                "account:Get*",
                "account:List*",
                "cur:GetUsage*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "203.0.113.0/24"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::customer",
                "arn:aws:s3:::customer/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:GetConsoleScreenshots"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codedploy:*",
                "codecommit:*"
            ],
            "Resource": [
                "arn:aws:codedeploy:us-west-2:123456789012:deploymentgroup:*",
                "arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetObject",
                "s3:DeletObject",
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*",
                "arn:aws:autoscling:us-east-2:123456789012:autoscalgrp"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": [
                        "public-read"
                    ],
                    "s3:prefix": [
                        "custom",
                        "other"
                    ]
                }
            }
        }
    ]
}
```
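
Because IAM does not warn about mismatched resources when you create or view a policy, a check like the following can be run over a policy document before it is attached. This is an added example, not AWS code: the function names and finding labels are hypothetical, and it compares service prefixes as plain strings without knowing which actions support which resource types.

```python
# Added example: flag Resource ARNs whose service differs from every Action prefix
# in the same statement, and action services left without any resource.
# Plain string comparison only; NotAction/NotResource are not handled.

# Statements copied from the SummaryAllElements policy above, Condition blocks omitted.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": ["*"],
     "Action": ["billing:Get*", "payments:List*", "payments:Update*",
                "account:Get*", "account:List*", "cur:GetUsage*"]},
    {"Effect": "Deny", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]},
    {"Effect": "Allow", "Action": ["ec2:GetConsoleScreenshots"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["codedploy:*", "codecommit:*"],
     "Resource": ["arn:aws:codedeploy:us-west-2:123456789012:deploymentgroup:*",
                  "arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project"]},
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetObject", "s3:DeletObject",
                "s3:PutObject", "s3:PutObjectAcl"],
     "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket", "arn:aws:s3:::amzn-s3-demo-bucket/*",
                  "arn:aws:autoscling:us-east-2:123456789012:autoscalgrp"]},
]}


def as_list(value):
    """Policy elements may be a single value or a list; normalize to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def action_services(stmt):
    """Service prefixes in Action ('s3' from 's3:GetObject'); '*' for all actions."""
    return {a.split(":", 1)[0].lower() for a in as_list(stmt.get("Action", []))}


def resource_services(stmt):
    """Service field (third ARN component) of each Resource; '*' stays '*'."""
    found = set()
    for res in as_list(stmt.get("Resource", [])):
        parts = res.split(":")
        if res == "*":
            found.add("*")
        elif len(parts) >= 6 and parts[0] == "arn":
            found.add(parts[2].lower())
    return found


def audit(policy):
    """Return (statement index, finding, service) tuples for a policy document."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        acts, res = action_services(stmt), resource_services(stmt)
        if "*" in acts:  # "Action": "*" covers every service, nothing to compare
            continue
        findings += [(idx, "mismatched-resource", s) for s in sorted(res - acts - {"*"})]
        if "*" not in res:  # a wildcard resource applies to every action service
            findings += [(idx, "no-resource-for-actions", s) for s in sorted(acts - res)]
    return findings


if __name__ == "__main__":
    for idx, finding, service in audit(POLICY):
        print(f"Statement[{idx}]: {finding}: {service}")
```

Run against **SummaryAllElements**, it flags only the fourth and fifth statements: the misspelled `codedploy` and `autoscling` prefixes and the `codebuild` resource all fail the comparison, and `codecommit` is left with no resource of its own.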


# View policy summaries

You can view the policy summaries for any policies that are attached to an IAM user or role. For managed policies, you can view policy summaries on the **Policies** page. If your policy does not include a policy summary, see [Missing policy summary](troubleshoot_policies.md#missing-policy-summary) to learn why.

## Viewing policy summaries from the **Policies** page


You can view the policy summary for managed policies on the **Policies** page.

**To view the policy summary from the **Policies** page**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Policies**.

1. In the list of policies, choose the name of the policy that you want to view.

1. On the **Policy details** page for the policy, view the **Permissions** tab to see the policy summary.

## Viewing a policy summary for a policy attached to a user


You can view the policy summary for any policies that are attached to an IAM user.

**To view the summary for a policy attached to a user**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. Choose **Users** from the navigation pane.

1. In the list of users, choose the name of the user whose policy you want to view.

1. On the **Summary** page for the user, view the **Permissions** tab to see the list of policies that are attached to the user directly or from a group.

1. In the table of policies for the user, expand the row of the policy that you want to view.

## Viewing a policy summary for a policy attached to a role


You can view the policy summary for any policies that are attached to a role.

**To view the summary for a policy attached to a role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**.

1. In the list of roles, choose the name of the role whose policy you want to view.

1. On the **Summary** page for the role, view the **Permissions** tab to see the list of policies that are attached to the role.

1. In the table of policies for the role, expand the row of the policy that you want to view.

## Editing policies to fix warnings


While viewing a policy summary, you might find a typo or notice that the policy does not provide the permissions that you expected. You cannot edit a policy summary directly. However, you can edit a customer managed policy using the visual policy editor, which catches many of the same errors and warnings that the policy summary reports. You can then view the changes in the policy summary to confirm that you fixed all of the issues. To learn how to edit an inline policy, see [Edit IAM policies](access_policies_manage-edit.md). You cannot edit AWS managed policies.

You can edit a policy for your policy summary using the **Visual** option.

**To edit a policy for your policy summary using the **Visual** option**

1. Open the policy summary as explained in the previous procedures.

1. Choose **Edit**.

   If you are on the **Users** page and choose to edit a customer managed policy that is attached to that user, you are redirected to the **Policies** page. You can edit customer managed policies only on the **Policies** page.

1. Choose the **Visual** option to view the editable visual representation of your policy. IAM might restructure your policy to optimize it for the visual editor and to make it easier for you to find and fix any problems. The warnings and error messages on the page can guide you to fix any issues with your policy. For more information about how IAM restructures policies, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).

1. Edit your policy and choose **Next** to see your changes reflected in the policy summary. If you still see a problem, choose **Previous** to return to the editing screen.

1. Choose **Save changes** to save your changes.

You can edit a policy for your policy summary using the **JSON** option.

**To edit a policy for your policy summary using the **JSON** option**

1. Open the policy summary as explained in the previous procedures.

1. You can use the **Summary** and **JSON** buttons to compare the policy summary to the JSON policy document. You can use this information to determine which lines in the policy document you want to change.

1. Choose **Edit** and then choose the **JSON** option to edit the JSON policy document.
**Note**  
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor option, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).

   If you are on the **Users** page and choose to edit a customer managed policy that is attached to that user, you are redirected to the **Policies** page. You can edit customer managed policies only on the **Policies** page.

1. Edit your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**. If you still see a problem, choose **Previous** to return to the editing screen.

1. Choose **Save changes** to save your changes.