Zero Signup Tools: Free browser tools


IAM Policy Validator

Paste an AWS IAM policy JSON and check the grammar, statement shape, conditions, and risky patterns like Action *, iam:PassRole *, and public Principal *.


How to use

  1. Paste your IAM policy JSON into the input on the left. Pick a sample to see how a clean read-only policy, a risky iam:PassRole on Resource *, full administrative access, or a public S3 read pattern is reported.
  2. Read the banner: Awaiting input, Invalid JSON, the count of errors, the count of warnings, or Valid when the policy parses cleanly and matches the grammar with no risky patterns.
  3. Use the summary tiles to confirm the policy version, the kind (identity-based vs resource-based), the number of Allow and Deny statements, and the wildcard action and resource counts.
  4. Filter findings by severity (errors mean IAM would reject the policy, warnings flag patterns that are valid but risky, info is a best-practice nudge) and scroll the list. Each finding shows the exact JSON path and a one-line fix hint.
  5. Click Reformat (2 spaces) to pretty-print the input, or Copy report to grab a plain-text findings list for a code review, ticket, or compliance binder.

About this tool

IAM Policy Validator parses an AWS IAM JSON policy in your browser and reports the issues that a careful human reviewer or IAM Access Analyzer policy validation would flag.

The grammar pass checks the top-level shape: Version 2012-10-17 versus the legacy 2008-10-17 (which does not support policy variables), the single-object and array-of-objects forms of Statement, the optional Id key, and the documented set of statement keys. It then applies the per-statement rules:

  1. Effect must be exactly Allow or Deny; the value is case-sensitive.
  2. Action and NotAction are mutually exclusive, as are Resource and NotResource, and Principal and NotPrincipal.
  3. Identity-based statements require Resource (or NotResource) and reject Principal.
  4. Action strings must look like service:OperationName (a wildcard is allowed in the operation part) or be the literal *.
  5. Resource strings should be ARNs (arn:partition:service:region:account:resource) or *.
  6. Principal must be the literal string *, or an object whose keys are AWS, Service, Federated, or CanonicalUser.
  7. Condition must be an object keyed by a documented operator (StringEquals, NumericLessThan, Bool, ArnLike, IpAddress, Null, and the rest of that family), optionally with a ForAllValues: or ForAnyValue: set-operator prefix and an IfExists suffix.

On top of the grammar, a security pass flags the patterns that lead to incidents:

  1. Allow with Action * and Resource *: full administrative access.
  2. Allow with a service wildcard such as iam:* or s3:* on Resource *, weighted higher when the service is security-critical.
  3. iam:PassRole on Resource *: the principal can hand any role in the account to any service that accepts one, which becomes privilege escalation as soon as it is paired with a permission that launches compute or a function under that role.
  4. Allow combined with NotAction or NotResource, which grants everything not listed.
  5. Public access: Principal * (or {"AWS": "*"}) with no Condition to narrow who qualifies.
  6. NotPrincipal combined with Allow.
  7. Duplicate Sids across statements; IAM requires a Sid to be unique within a policy.

A summary panel shows the policy version, the kind (identity-based vs resource-based), the count of Allow and Deny statements, and the number of wildcard actions and resources, and a filterable findings list lets you copy a plain-text report straight into a ticket or audit doc.
Everything runs locally on your device; the policy you paste here, including account IDs, role names, and ARNs, never leaves the browser tab.
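The grammar pass and security pass described above, as an added example that is not the tool's own code (the page does not publish it): a small Python linter that takes a policy as a JSON string and returns the findings list (severity, JSON path, message) together with the values the summary tiles show. The severities and message wording, the SENSITIVE_SERVICES list and the two sample policies are my assumptions and constructed inputs; the condition-operator table and principal keys are the documented sets.

```python
"""Minimal IAM policy linter: a grammar pass plus a security pass. Added example, not the tool's own code."""
import json
import re

ACTION_RE = re.compile(r"^\*$|^[a-z0-9-]+:[A-Za-z0-9*]+$")  # service:OperationName or the literal *
ARN_RE = re.compile(r"^\*$|^arn:[^:]*:[^:]*:[^:]*:[^:]*:.+$")  # arn:partition:service:region:account:resource
PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}
SENSITIVE_SERVICES = {"iam", "sts", "kms", "organizations"}  # assumption: where a service wildcard hurts most
CONDITION_OPS = {"StringEquals", "StringNotEquals", "StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase", "StringLike",
                 "StringNotLike", "NumericEquals", "NumericNotEquals", "NumericLessThan", "NumericLessThanEquals",
                 "NumericGreaterThan", "NumericGreaterThanEquals", "DateEquals", "DateNotEquals", "DateLessThan",
                 "DateLessThanEquals", "DateGreaterThan", "DateGreaterThanEquals", "Bool", "BinaryEquals", "IpAddress",
                 "NotIpAddress", "ArnEquals", "ArnLike", "ArnNotEquals", "ArnNotLike", "Null"}

def _listify(value):  # IAM accepts a bare string or a list for most elements
    return value if isinstance(value, list) else [value]

def _operator_known(op):  # strip the ForAllValues:/ForAnyValue: prefix and IfExists suffix, then look up the base
    base = op.split(":", 1)[1] if op.startswith(("ForAllValues:", "ForAnyValue:")) else op
    return (base[:-len("IfExists")] if base.endswith("IfExists") else base) in CONDITION_OPS

def validate_policy(text):
    findings = []  # each entry: {"severity": error|warning, "path": JSON path, "message": fix hint}
    def add(severity, path, message):
        findings.append({"severity": severity, "path": path, "message": message})
    try:
        policy = json.loads(text)
    except ValueError as exc:
        add("error", "$", f"invalid JSON: {exc}")
        return {"findings": findings, "summary": None}
    version = policy.get("Version")
    if version != "2012-10-17":  # 2008-10-17 still parses but has no policy variables; anything else is invalid
        add("warning" if version == "2008-10-17" else "error", "$.Version", "Version should be 2012-10-17")
    statements = _listify(policy.get("Statement", []))
    objects = [s for s in statements if isinstance(s, dict)]
    resource_based = any("Principal" in s or "NotPrincipal" in s for s in objects)
    sids = [s["Sid"] for s in objects if "Sid" in s]
    wild = {"wildcard_actions": 0, "wildcard_resources": 0}
    for i, stmt in enumerate(statements):
        path = f"$.Statement[{i}]"
        if not isinstance(stmt, dict):
            add("error", path, "statement must be a JSON object")
            continue
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            add("error", f"{path}.Effect", "Effect must be exactly Allow or Deny")
        for key, anti in (("Action", "NotAction"), ("Resource", "NotResource"), ("Principal", "NotPrincipal")):
            if key in stmt and anti in stmt:
                add("error", path, f"{key} and {anti} are mutually exclusive")
        if not resource_based and "Resource" not in stmt and "NotResource" not in stmt:
            add("error", path, "identity-based statement requires Resource or NotResource")
        if sids.count(stmt.get("Sid")) > 1:
            add("error", f"{path}.Sid", f"duplicate Sid {stmt['Sid']!r}: Sid must be unique within a policy")
        actions = _listify(stmt.get("Action", stmt.get("NotAction", [])))
        for j, action in enumerate(actions):
            if not isinstance(action, str) or not ACTION_RE.match(action):
                add("error", f"{path}.Action[{j}]", "action must be service:OperationName or *")
            elif action == "*" or action.endswith(":*"):
                wild["wildcard_actions"] += 1
        resources = _listify(stmt.get("Resource", stmt.get("NotResource", [])))
        for j, res in enumerate(resources):
            if not isinstance(res, str) or not ARN_RE.match(res):
                add("error", f"{path}.Resource[{j}]", "resource must be an ARN or *")
            elif res == "*":
                wild["wildcard_resources"] += 1
        principal = stmt.get("Principal", stmt.get("NotPrincipal"))
        if not (principal is None or principal == "*" or (isinstance(principal, dict) and set(principal) <= PRINCIPAL_KEYS)):
            add("error", f"{path}.Principal", "Principal must be * or an object keyed by AWS/Service/Federated/CanonicalUser")
        condition = stmt.get("Condition", {})
        if not isinstance(condition, dict) or not all(_operator_known(op) for op in condition):
            add("error", f"{path}.Condition", "Condition must be an object keyed by documented condition operators")
        if effect != "Allow":  # security pass: only Allow statements widen access
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            add("warning", path, "Allow with NotAction/NotResource grants everything not listed")
        if "NotPrincipal" in stmt:
            add("warning", path, "Allow with NotPrincipal grants everyone except the listed principals")
        if "Resource" in stmt and "*" in resources:
            for action in (a for a in actions if isinstance(a, str)):
                service, _, operation = action.partition(":")
                if action == "*" or operation == "*":
                    scope = "full administrative access" if action == "*" else f"every {service} operation"
                    critical = " (security-critical service)" if service in SENSITIVE_SERVICES else ""
                    add("warning", path, f"{action} on Resource * grants {scope}{critical}")
                elif action.lower() == "iam:passrole":
                    add("warning", path, "iam:PassRole on Resource * lets this principal pass any role to any service")
        given = stmt.get("Principal")
        if "Condition" not in stmt and (given == "*" or (isinstance(given, dict) and "*" in _listify(given.get("AWS", [])))):
            add("warning", f"{path}.Principal", "public Principal * with no Condition")
    effects = [s.get("Effect") for s in objects]
    summary = {"version": version, "kind": "resource-based" if resource_based else "identity-based",
               "allow": effects.count("Allow"), "deny": effects.count("Deny"), **wild}
    return {"findings": findings, "summary": summary}

# Constructed sample policies (no real accounts, buckets or roles), matching two of the page's sample patterns.
SAMPLE_PASSROLE = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "Deploy", "Effect": "Allow",
                              "Action": ["iam:PassRole", "lambda:CreateFunction"], "Resource": "*"}]})
SAMPLE_PUBLIC_BUCKET = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Calling validate_policy(SAMPLE_PASSROLE) returns a single warning at $.Statement[0] about iam:PassRole and a summary of one Allow, zero Deny, zero wildcard actions and one wildcard resource; an empty findings list with a populated summary corresponds to the Valid banner. The security pass deliberately skips Deny statements: a Deny with Action * is a guardrail, not a risk, so only Allow can widen access.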

Free to use. Works in your browser. No signup, no login.
