AWS Step-by-Step
Troubleshooting a Missing IAM Policy Summary
For an organization that uses AWS, it's sometimes easy to lose track of what IAM policies were designed to do. Fortunately, AWS provides a handy policy summary that can help you get a feel for the permissions associated with a policy. To view this summary, you need only open the Identity and Access Management (IAM) dashboard, click on the Policies tab, and click the policy you want to examine. The policy summary will be displayed on the Permissions tab, as shown in Figure 1.
Figure 1: IAM Provides a Summary of the Permissions Associated with a Policy.
Although this policy summary feature normally works pretty well, you may occasionally find that the summary is missing. When that happens, you are likely to see a JSON document where the summary should be. This JSON document looks something like what you see in Figure 2.
Figure 2: If a Policy Summary Cannot Be Displayed, AWS May Display a JSON Document Instead.
It is worth noting that the Permissions tab contains a toggle that you can use to switch back and forth between the summary and the JSON document. That being the case, if you can't see the policy summary, then the first step in fixing the problem is to make sure that you haven't accidentally clicked on the JSON option as I did in the figure above.
If you find that a JSON document is shown and that no summary is available, then the best way to address the problem is to review the JSON document to see if it contains a structural problem or if the document includes an element that AWS does not like.
A JSON document is essentially a hierarchical collection of elements. You will notice in the previous figure, for example, that the JSON document starts by listing a version and a statement. Both Version and Statement are elements, as are Action and Resource, both of which are used in the JSON document shown in the figure. Interestingly, there are only a handful of policy elements that are supported by AWS and not all supported elements work with summaries.
As a general rule, the elements that you can use within an IAM JSON policy file include Version, Id, Statement, Sid, Effect, Principal, NotPrincipal, Action, NotAction, Resource, NotResource, and Condition. However, if your JSON file uses Principal, NotPrincipal, or NotResource, then a summary will not be generated. The only way to fix this problem is to remove the offending element from the JSON file.
In the real world, a missing IAM policy summary more often stems from a policy that grants no meaningful permissions, or whose permissions contradict one another. The example provided by Amazon applies to a policy that includes only one statement. In this example, NotAction is set to *. This causes access to be granted to all of the actions except for "all actions." Although a bit convoluted, the end result is that the policy does not actually grant or deny access to anything. Consequently, IAM does not know how to interpret the policy and therefore can't create the summary.
Another possibility is that a summary is not being generated because the policy contains an unrecognized action, service, or resource type. When this happens, you will typically see a warning icon, which is a good indication that the policy contains something that AWS does not recognize. Keep in mind that it's entirely possible that an otherwise valid policy simply contains a spelling error somewhere within the JSON.
It's also possible that the policy would normally be considered valid except that the referenced service is not compatible with policy summaries. Custom services, for example, do not work with policy summaries. Likewise, if a service is still in preview and has not yet been made generally available, then there is a good chance that it won't work with policy summaries. It's also possible that a service just does not work with summaries. The Amazon documentation lists this as a possibility, although Amazon does not go so far as to list any specific services as being incompatible with policy summaries.
While a reference to an unsupported service is one of the most likely causes for a policy summary not being created, the same thing can happen if you link an unrecognized action to a supported service, or a supported action to an unrecognized resource type.
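The checks described above (summary-blocking elements such as Principal, NotPrincipal and NotResource; a statement whose NotAction is set to *, so that it grants or denies nothing; and action strings that name a service prefix IAM will not recognize) can be run against a policy document offline before you ever paste it into the console. The script below is an added example written for this article; it is not AWS's validator and does not reproduce IAM's own logic. Its list of service prefixes is a deliberately short, constructed one used only to illustrate the "unrecognized service" check, and the sample policies (bucket name, account id) are constructed placeholders.

```python
"""Offline checks for the conditions that leave an IAM policy without a summary."""
import json
import re

# Policy elements the article lists as valid in an IAM JSON policy.
TOP_LEVEL_ELEMENTS = {"Version", "Id", "Statement"}
STATEMENT_ELEMENTS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                      "NotAction", "Resource", "NotResource", "Condition"}
# Elements that IAM will not summarize (from the article).
SUMMARY_BLOCKING = {"Principal", "NotPrincipal", "NotResource"}
# Constructed, deliberately short set of service prefixes used only to show the
# "unrecognized service" check; AWS's real list is far longer (assumption).
KNOWN_SERVICES = {"s3", "ec2", "iam", "lambda", "dynamodb"}

# IAM actions are written as service:Action, with * allowed as a wildcard.
ACTION_RE = re.compile(r"^([a-z0-9-]+):([A-Za-z0-9*]+)$")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(document: str) -> list:
    """Return findings explaining why IAM may not produce a summary; [] if none."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        return [f"structural: not valid JSON ({exc.msg} at line {exc.lineno})"]
    if not isinstance(policy, dict):
        return ["structural: top level must be a JSON object"]
    for key in policy:
        if key not in TOP_LEVEL_ELEMENTS:
            findings.append(f"unrecognized top-level element '{key}' (possible typo)")
    if "Statement" not in policy:
        findings.append("structural: no Statement element")
        return findings

    effective = 0  # statements that actually allow or deny something
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if not isinstance(stmt, dict):
            findings.append(f"structural: statement[{idx}] is not an object")
            continue
        label = stmt.get("Sid", f"statement[{idx}]")
        for key in stmt:
            if key not in STATEMENT_ELEMENTS:
                findings.append(f"{label}: unrecognized element '{key}' (possible typo)")
            elif key in SUMMARY_BLOCKING:
                findings.append(f"{label}: element '{key}' prevents summary generation")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")

        actions = _as_list(stmt.get("Action", []))
        not_actions = _as_list(stmt.get("NotAction", []))
        if "*" in not_actions:
            # NotAction "*" excludes every action, so the statement matches nothing.
            findings.append(f"{label}: NotAction '*' leaves no action for the statement to match")
        elif actions or not_actions:
            effective += 1
        for action in actions + not_actions:
            if action == "*":
                continue
            match = ACTION_RE.match(str(action))
            if not match:
                findings.append(f"{label}: action '{action}' is not in service:Action form")
            elif match.group(1) not in KNOWN_SERVICES:
                findings.append(f"{label}: service prefix '{match.group(1)}' is not recognized")
    if effective == 0:
        findings.append("policy neither allows nor denies any action, so there is nothing to summarize")
    return findings


# Constructed sample policies; bucket name and account id are placeholders.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadExampleBucket", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
PRINCIPAL_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": "*"}})
# The Amazon example the article describes: NotAction "*" grants nothing.
EMPTY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "NotAction": "*", "Resource": "*"}})
TYPO_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec22:DescribeInstances", "Resource": "*"}})

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("principal", PRINCIPAL_POLICY),
                      ("empty", EMPTY_POLICY), ("typo", TYPO_POLICY)]:
        print(name, check_policy(doc) or ["no findings"])
```

Running the script prints no findings for the first policy, a Principal finding for the second, two findings for the NotAction example (the statement matches nothing, and the policy as a whole grants or denies nothing), and an unrecognized-service finding for the misspelled ec2 prefix. A real deployment would replace the constructed KNOWN_SERVICES set with the full list of service prefixes and action names, which is exactly the information the warning icon in the console is drawing on.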
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.