What is the difference between NotAction and Deny with Action?

NotAction with Allow means 'allow every action EXCEPT these.' This is dangerously broad because it grants access to all current and future AWS actions not listed. A Deny with a specific Action explicitly blocks only those actions. NotAction is typically used in Deny statements as a safe pattern — for example, denying everything except IAM actions to prevent permission escalation outside of IAM management.

How does IAM policy evaluation order work?

AWS evaluates policies in this order: first, all applicable policies are collected. The default is implicit deny. Then, if any policy has an explicit Deny that matches the request, access is denied regardless of any Allow statements. If no explicit Deny exists, AWS checks for an explicit Allow. If no Allow is found, the implicit deny stands. This means Deny always wins, which is why the explainer highlights Deny statements prominently.

Can this tool detect privilege escalation risks?

The explainer flags statements that grant sensitive IAM actions like iam:CreatePolicy, iam:AttachRolePolicy, iam:PutRolePolicy, or sts:AssumeRole with broad resource scope, which are the building blocks of privilege escalation. It also warns about iam:PassRole without resource constraints, which allows passing any role to a service like EC2 or Lambda to gain that role's permissions.

IAM Policy Explainer

IAM & SecurityAWS

Get human-readable explanations of IAM policy statements.

Policy JSON

About This Tool

IAM policies use a JSON-based domain-specific language with effects, actions, resources, and conditions that can be difficult to interpret — especially when policies include NotAction, NotResource, or complex Condition operators like StringNotEquals with multiple values. This tool translates each policy statement into plain English so engineers, auditors, and managers can understand exactly what permissions are being granted or denied without needing deep IAM expertise. It flags common anti-patterns like Allow with wildcard resources or missing condition constraints.

When to Use This Tool

•Helping developers understand the effective permissions of a role before assuming it in a production environment
•Preparing human-readable policy summaries for compliance audits that require documentation of access controls
•Reviewing pull requests that modify IAM policies by generating plain-language diffs of permission changes
•Onboarding new team members to existing IAM configurations by translating organizational policies into understandable terms

Frequently Asked Questions

What is the difference between NotAction and Deny with Action?: NotAction with Allow means 'allow every action EXCEPT these.' This is dangerously broad because it grants access to all current and future AWS actions not listed. A Deny with a specific Action explicitly blocks only those actions. NotAction is typically used in Deny statements as a safe pattern — for example, denying everything except IAM actions to prevent permission escalation outside of IAM management.
How does IAM policy evaluation order work?: AWS evaluates policies in this order: first, all applicable policies are collected. The default is implicit deny. Then, if any policy has an explicit Deny that matches the request, access is denied regardless of any Allow statements. If no explicit Deny exists, AWS checks for an explicit Allow. If no Allow is found, the implicit deny stands. This means Deny always wins, which is why the explainer highlights Deny statements prominently.
Can this tool detect privilege escalation risks?: The explainer flags statements that grant sensitive IAM actions like iam:CreatePolicy, iam:AttachRolePolicy, iam:PutRolePolicy, or sts:AssumeRole with broad resource scope, which are the building blocks of privilege escalation. It also warns about iam:PassRole without resource constraints, which allows passing any role to a service like EC2 or Lambda to gain that role's permissions.

Related Learning Guides

AWS IAM Best Practices25 min read

Disclaimer: This tool runs entirely in your browser. No data is sent to our servers. Always verify outputs before using them in production. AWS, Azure, and GCP are trademarks of their respective owners.