Last update:2022-06-03 15:06:29
The policy structure includes the following components:
Each statement contains the following elements: effect, action and resource, and condition.
The following conventions are used in the policy syntax:
Characters in a policy
- The following characters are JSON tokens in the policy syntax: { } [ ] " , :.
- The following characters are special characters in the policy syntax: = < > ( ) |.
Use of characters
- If an element can have more than one value, you can use a comma (,) as the delimiter to separate each value, and an ellipsis (…) to describe the remaining values, for example, [ , , …].
- A question mark (?) that follows an element indicates that the element is optional.
- A vertical bar (|) between elements indicates multiple options, for example, ("Allow" | "Deny").
- Strings are enclosed in double quotation marks ("), for example, <version_block> = "Version" : ("1").
Version: The current policy version is 1. The version cannot be changed.
Statement: The policy can have multiple statements.
1. The effect of each statement can be Allow or Deny.
Note: The action and resource elements of each statement can have multiple values.
2. Each statement can have its own conditions.
Note: A condition block can contain multiple conditions with different operators.
Permission precedence: You can attach multiple policies to an IAM user. If the policies that apply to a request include both an Allow statement and a Deny statement, the Deny statement takes precedence over the Allow statement.
Element value:
1. If an element value is a string, number, date, time, a Boolean value, or an IP address, it must be enclosed in double quotation marks (").
2. If an element value is a string, wildcard characters such as the asterisk (*) and question mark (?) can be used.
- The asterisk (*) indicates any number (including zero) of allowed characters. For example, ecs:Describe* indicates all ECS API operations that start with Describe.
- The question mark (?) indicates a single allowed character.
Policies are stored in IAM as JSON files. When you create or edit a policy, IAM first checks whether the JSON syntax is valid. We recommend that you use tools such as JSON validators and editors to check whether policies meet JSON syntax standards. For more information about JSON syntax standards, see RFC 7159.
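The rules above (JSON validity, the fixed version, the * and ? wildcards, and Deny taking precedence over Allow) can be checked together in a short evaluator. This is an added example, not IAM's own code: the element names "Statement", "Effect", "Action" and "Resource", case-sensitive matching, the "NoMatch" result and the sample policies are assumptions, and conditions are not evaluated.

```python
import json
import re

# Constructed sample policies. Element names other than "Version" and the
# action/resource strings are assumptions made for this illustration.
POLICY_A = '''{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:Describe*"], "Resource": ["*"]}]}'''
POLICY_B = '''{"Version": "1", "Statement": [
  {"Effect": "Deny", "Action": "ecs:DescribeDisk?", "Resource": "*"}]}'''

def load_policy(text):
    """Check JSON syntax first, then the fixed policy version."""
    policy = json.loads(text)  # raises json.JSONDecodeError on invalid JSON
    if policy.get("Version") != "1":
        raise ValueError('policy version must be the string "1"')
    return policy

def wildcard_match(pattern, value):
    """'*' matches zero or more characters, '?' matches exactly one."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.fullmatch("".join(parts), value, flags=re.DOTALL) is not None

def as_list(value):
    """Action and Resource may hold one value or several."""
    return value if isinstance(value, list) else [value]

def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for one request."""
    result = "NoMatch"
    for policy in policies:
        for stmt in policy["Statement"]:
            hit = (any(wildcard_match(p, action) for p in as_list(stmt["Action"]))
                   and any(wildcard_match(p, resource) for p in as_list(stmt["Resource"])))
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # a matching Deny overrides any Allow
            result = "Allow"
    return result
```

Running a planned policy set through such a check before attaching it shows whether a broad Allow such as ecs:Describe* is narrowed by a Deny in the way intended, and whether a ? pattern really covers the operation names it was written for.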