Get human-readable explanations of IAM policy statements.
Last verified: April 2026
IAM policies use a JSON-based domain-specific language with effects, actions, resources, and conditions that can be difficult to interpret — especially when policies include NotAction, NotResource, or complex Condition operators like StringNotEquals with multiple values. This tool translates each policy statement into plain English so engineers, auditors, and managers can understand exactly what permissions are being granted or denied without needing deep IAM expertise. It flags common anti-patterns like Allow with wildcard resources or missing condition constraints.
NotAction with Allow means 'allow every action EXCEPT these.' This is dangerously broad because it grants access to all current and future AWS actions not listed. A Deny with a specific Action explicitly blocks only those actions. NotAction is safest inside a Deny statement: for example, denying every action except a short allow-list (the IAM and STS calls needed to set up MFA) when MFA is not present, or denying everything outside approved regions except global services such as IAM and STS.
AWS evaluates policies in this order: first, all applicable policies are collected, and the request starts as an implicit deny. If any statement has an explicit Deny that matches the request, access is denied regardless of any Allow statements. If no explicit Deny matches, AWS looks for a matching explicit Allow. If none is found, the implicit deny stands. An explicit Deny therefore always wins, which is why the explainer highlights Deny statements prominently. This is the simplified picture for identity-based policies in a single account: in practice an Allow must also survive any service control policies, permissions boundaries and session policies that apply, and a resource-based policy can grant access on its own to a principal in the same account.
The explainer flags statements that grant sensitive IAM actions like iam:CreatePolicyVersion, iam:AttachRolePolicy, iam:PutRolePolicy, or sts:AssumeRole with broad resource scope, which are the building blocks of privilege escalation. It also warns about iam:PassRole without resource constraints, which, combined with a permission such as ec2:RunInstances or lambda:CreateFunction, lets the caller attach any role the service will accept to an EC2 instance or Lambda function and act with that role's permissions.
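The evaluation order above, together with the NotAction semantics from the previous paragraph, as a small Python evaluator. This is an added example, not the explainer's code: the policy documents, action names and ARNs are constructed samples, and Condition blocks are ignored so that the Action/NotAction and Resource/NotResource logic stands out.

```python
"""Minimal evaluator for identity-based IAM policies (added example).

Implements the evaluation order described above: gather every statement from
every applicable policy, an explicit Deny that matches the request wins, else a
matching Allow grants access, else the implicit deny stands. It also shows why
NotAction with Allow is so broad: an action from a service that did not exist
when the policy was written still matches.

Assumptions, not from the original page: the policies, action names and ARNs
are constructed samples, and Condition blocks are ignored so that the
Action/NotAction and Resource/NotResource logic stands out.
"""
import json
import re


def _as_list(value):
    """IAM accepts a bare string where a list is allowed; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _wild_match(pattern, value, ignore_case):
    """IAM wildcards: '*' is any run of characters, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _element_matches(stmt, key, not_key, value, ignore_case):
    """Action/NotAction and Resource/NotResource share one shape.

    The positive form matches if ANY pattern matches; the negated form matches
    only if NONE of the patterns match, so it covers everything else, including
    actions that did not exist when the policy was written.
    """
    if key in stmt:
        return any(_wild_match(p, value, ignore_case) for p in _as_list(stmt[key]))
    if not_key in stmt:
        return not any(_wild_match(p, value, ignore_case) for p in _as_list(stmt[not_key]))
    return False


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _statements(policy):
            # Action names are case-insensitive; resource ARNs are matched as written.
            if not (_element_matches(stmt, "Action", "NotAction", action, True)
                    and _element_matches(stmt, "Resource", "NotResource", resource, False)):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"          # Deny wins over any Allow
            if stmt.get("Effect") == "Allow":
                allowed = True                  # keep scanning: a Deny may still appear
    return "allow" if allowed else "implicit_deny"


# Constructed sample: the NotAction-with-Allow anti-pattern. It reads as if it
# restricts access, but it allows every action outside the iam: namespace.
NOT_ACTION_ALLOW = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}}
""")

# Constructed sample: a narrow explicit Deny on production buckets.
DENY_PROD_DELETE = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Deny",
                "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                "Resource": "arn:aws:s3:::prod-*"}]}
""")

# Constructed sample: NotAction used safely, inside a Deny. Everything except
# the two listed actions is denied, whatever other policies allow.
DENY_ALL_BUT_ALLOWLIST = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Deny",
               "NotAction": ["iam:ChangePassword", "sts:GetSessionToken"],
               "Resource": "*"}}
""")

if __name__ == "__main__":
    policies = [NOT_ACTION_ALLOW, DENY_PROD_DELETE]
    for action, resource in [
        ("iam:CreateUser", "*"),
        ("s3:GetObject", "arn:aws:s3:::prod-data/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::prod-data/report.csv"),
        ("futureservice:DoAnything", "*"),       # not named anywhere, still allowed
    ]:
        print(f"{action:28} {resource:40} -> {evaluate(policies, action, resource)}")
```

Run the block directly to see the four decisions; the last line is the point of the exercise, since futureservice:DoAnything appears nowhere in either policy and is still allowed by the NotAction statement.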
During a SOC 2 audit preparation, your compliance lead asks for plain-English documentation of all IAM policies attached to production roles. You have 23 roles with a combined 47 policy documents. Instead of manually interpreting each one, you paste them through the explainer and get human-readable summaries that the auditor can review directly. The tool flags two policies with iam:PassRole on Resource '*' that the team didn't realize were there — a finding you fix before the auditor ever sees it.
The explainer parses the JSON policy document into an AST of statements, then walks each statement translating Effect, Action/NotAction, Resource/NotResource, and Condition blocks into natural language clauses. It uses a curated mapping of AWS action prefixes to human-readable descriptions and applies heuristics to detect anti-patterns like wildcard resources combined with sensitive actions, missing condition constraints on cross-account access, and NotAction with Allow effect.
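The heuristics described in this paragraph and in the earlier one on sensitive IAM actions and iam:PassRole, as a Python detector that first normalises the statement shapes IAM permits and then checks each Allow statement. This is an added example, not the explainer's own code: the sample policies, the account IDs (AWS documentation placeholders) and the SENSITIVE_ACTIONS list are constructed for illustration.

```python
"""IAM policy anti-pattern detector (added example, not the explainer's code).

Normalises the statement shapes IAM permits (Statement as one object or a list,
Action/Resource/Principal as a string or a list), then applies the heuristics
described above to every Allow statement: NotAction combined with Allow,
sensitive IAM/STS actions on an unconstrained resource, iam:PassRole without a
role ARN constraint, and an anonymous or cross-account Principal with no
Condition (the trust-policy case). The sample policies, account IDs and
SENSITIVE_ACTIONS are constructed; the list is this example's own choice, not
an official AWS classification.
"""
import json
import re

SENSITIVE_ACTIONS = (
    "iam:CreatePolicyVersion", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreateAccessKey",
    "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)


def _as_list(value):
    return [] if value is None else [value] if isinstance(value, str) else list(value)


def _statements(policy):
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _covers(pattern, action):
    """Case-insensitive IAM wildcard match: does 'iam:*' cover 'iam:PassRole'?"""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _unconstrained(resource):
    """'*' or a trailing wildcard ('role/*', ':*') names no specific resource."""
    return resource == "*" or resource.endswith(("/*", ":*"))


def _principal_accounts(stmt):
    """Account IDs named under Principal.AWS; '*' (anonymous) passes through as-is."""
    principal = stmt.get("Principal")
    if principal == "*":
        return ["*"]
    if not isinstance(principal, dict):
        return []
    # "arn:aws:iam::444455556666:root" -> "444455556666"; bare IDs and "*" unchanged
    return [p.split(":")[4] if p.startswith("arn:") else p
            for p in _as_list(principal.get("AWS"))]


def find_anti_patterns(policy, own_account=None):
    """Return (Sid, message) pairs, in statement order, for each heuristic that fires."""
    findings = []
    for index, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue                                  # a Deny never grants anything
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        broad = any(_unconstrained(r) for r in _as_list(stmt.get("Resource")))
        conditioned = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction with Allow: grants every action not listed, "
                                  "including services that do not exist yet"))
        hits = [a for a in SENSITIVE_ACTIONS if any(_covers(p, a) for p in actions)]
        if hits and broad:
            findings.append((sid, f"privilege-escalation actions {hits} on an unconstrained resource"))
        if broad and any(_covers(p, "iam:PassRole") for p in actions):
            findings.append((sid, "iam:PassRole without a role ARN constraint: scope Resource to the "
                                  "roles that may be passed and add an iam:PassedToService condition"))
        accounts = _principal_accounts(stmt)
        if "*" in accounts and not conditioned:
            findings.append((sid, "anonymous Principal '*' with no Condition"))
        elif own_account and not conditioned and any(a != own_account for a in accounts):
            findings.append((sid, "cross-account Principal with no Condition "
                                  "(e.g. sts:ExternalId or aws:PrincipalOrgID)"))
    return findings


# Constructed identity policy: one clean statement, one Deny, three anti-patterns.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "LambdaDeploy", "Effect": "Allow",
   "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode", "iam:PassRole"],
   "Resource": "*"},
  {"Sid": "ReadArtifacts", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"]},
  {"Sid": "DenyBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
  {"Sid": "EverythingButIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
  {"Sid": "PolicyAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"}
]}
""")
# Constructed: the LambdaDeploy PassRole grant after remediation (single statement, no list).
SCOPED_PASSROLE = json.loads("""
{"Version": "2012-10-17", "Statement":
  {"Sid": "LambdaDeployScoped", "Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::111122223333:role/app-lambda-exec",
   "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}}
""")
# Constructed role trust policy: a vendor account may assume the role with no ExternalId.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "VendorAssume", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::444455556666:root"}, "Action": "sts:AssumeRole"}]}
""")

if __name__ == "__main__":
    for name, policy in [("identity", SAMPLE_POLICY), ("scoped", SCOPED_PASSROLE), ("trust", TRUST_POLICY)]:
        for sid, message in find_anti_patterns(policy, own_account="111122223333") or [("-", "no findings")]:
            print(f"{name:9} {sid:20} {message}")
```

PolicyAdmin trips two heuristics because iam:* covers iam:PassRole as well as the policy-editing actions; ReadArtifacts has a trailing wildcard but no sensitive action, so it is left alone, which is the behaviour you want from a detector meant to keep the signal on escalation paths.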
The most misunderstood part of IAM policies is the Condition block. Every operator and every key in a Condition must be satisfied (AND logic), but the values listed under a single key are alternatives (OR logic). So StringEquals with {"s3:prefix": ["home/", "shared/"]} allows EITHER prefix, while adding a second key like "aws:PrincipalOrgID" requires BOTH conditions to be true. Negated operators invert this: StringNotEquals with two values is satisfied only when the request value matches neither of them, and it is also satisfied when the key is absent from the request context altogether, which is why a Deny with StringNotEquals on aws:SourceVpce also catches requests that did not come through any VPC endpoint.
Watch for NotAction with Allow: it is one of the most dangerous patterns in IAM. Unlike Deny with Action, it grants access to every AWS action not listed, including services that didn't exist when the policy was written. The explainer flags this, but many security reviews miss it because NotAction looks restrictive when it is actually permissive.
When reviewing policies for least privilege, look at iam:PassRole without resource constraints first. It is one of the most common privilege escalation vectors: paired with permission to launch or configure a service (for example ec2:RunInstances or lambda:CreateFunction), it lets someone hand that service any role whose trust policy accepts it, effectively granting themselves that role's permissions. Scope the Resource to the specific role ARNs that may be passed and add an iam:PassedToService condition naming the service.
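The Condition semantics above, as a Python evaluator you can run against a request context. This is an added example, not the explainer's code; it handles only single-valued context keys and a handful of String and Bool operators, and the organisation and VPC endpoint IDs are constructed.

```python
"""IAM Condition semantics (added example, not the explainer's code).

Evaluates a Condition block against a request context as the paragraph above
describes: every operator and every key must hold (AND), the values under one
key are alternatives (OR), and negated operators are satisfied only when the
request value matches none of the values, or when the key is absent entirely.
The ...IfExists suffix makes a missing key count as satisfied.

Assumptions: single-valued context keys only (no ForAllValues/ForAnyValue set
operators), a handful of String/Bool operators, and constructed sample IDs.
"""
import re


def _like(pattern, value):
    """StringLike: '*' and '?' wildcards, case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


# operator name -> (compare one policy value with the request value, negated?)
_OPERATORS = {
    "StringEquals":              (lambda want, got: want == got, False),
    "StringNotEquals":           (lambda want, got: want == got, True),
    "StringEqualsIgnoreCase":    (lambda want, got: want.lower() == got.lower(), False),
    "StringNotEqualsIgnoreCase": (lambda want, got: want.lower() == got.lower(), True),
    "StringLike":                (_like, False),
    "StringNotLike":             (_like, True),
    "Bool":                      (lambda want, got: want.lower() == got.lower(), False),
}


def condition_matches(condition, context):
    """Return True if every operator/key pair in `condition` holds for `context`.

    `context` maps condition keys (e.g. "aws:PrincipalOrgID") to the single
    string value present in the request; keys absent from the request are omitted.
    """
    for operator, pairs in condition.items():                   # AND across operators
        if_exists = operator.endswith("IfExists")
        compare, negated = _OPERATORS[operator[:-len("IfExists")] if if_exists else operator]
        for key, wanted in pairs.items():                       # AND across keys
            wanted = [wanted] if isinstance(wanted, str) else list(wanted)
            got = context.get(key)
            if got is None:
                # Missing key: positive operators fail, negated and IfExists ones pass.
                holds = negated or if_exists
            else:
                any_hit = any(compare(w, got) for w in wanted)  # OR across values
                holds = not any_hit if negated else any_hit
            if not holds:
                return False
    return True


# Constructed: two keys under one operator. Either prefix is fine (OR), but the
# organisation ID must ALSO match (AND).
PREFIX_AND_ORG = {
    "StringEquals": {
        "s3:prefix": ["home/", "shared/"],
        "aws:PrincipalOrgID": "o-exampleorg1",
    }
}

# Constructed: negated operator with two values. Holds for any endpoint other
# than the two listed, and when no endpoint is present at all, which is what a
# "Deny unless via my VPC endpoint" statement relies on.
NOT_OUR_ENDPOINTS = {
    "StringNotEquals": {"aws:SourceVpce": ["vpce-0example1", "vpce-0example2"]}
}

# Documented AWS pattern for a Deny-unless-MFA statement: IfExists makes the
# condition hold for callers whose request context lacks the key entirely.
MFA_ABSENT = {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}

if __name__ == "__main__":
    print(condition_matches(PREFIX_AND_ORG, {"s3:prefix": "shared/", "aws:PrincipalOrgID": "o-exampleorg1"}))
    print(condition_matches(PREFIX_AND_ORG, {"s3:prefix": "shared/"}))   # org key missing
    print(condition_matches(NOT_OUR_ENDPOINTS, {}))                      # no endpoint at all
    print(condition_matches(MFA_ABSENT, {"aws:MultiFactorAuthPresent": "true"}))
```

The second and third prints are the ones worth internalising: a missing key fails a positive StringEquals but satisfies a StringNotEquals, so the same absence that blocks a grant will trigger a negated Deny.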
Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.