A Resource Access Management (RAM) policy is a JSON document that defines permissions. This topic explains the structure of a policy and the syntax for its elements.
Policy structure
A RAM policy has two top-level elements: Version and Statement.
| Element | Required | Description |
| --- | --- | --- |
| Version | Yes | The version of the policy language. The only valid value is "1". |
| Statement | Yes | A list of one or more permission statements. Each statement defines what actions are allowed or denied on which resources. |
Each Statement object contains the following elements:
| Element | Required | Format | Description |
| --- | --- | --- | --- |
| Effect | Yes | String | Whether the statement grants or denies access. Valid values are Allow and Deny. |
| Action | Yes | String or array of strings | The API operations the statement covers. Use * to match all actions. |
| Resource | Yes | String or array of strings | The resources the statement applies to. Use * to match all resources. |
| Condition | No | Object | Restrictions that must be met for the statement to take effect. |
The following example shows the basic structure of a policy with a single statement:
    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "service:ActionName",
          "Resource": "resource_arn",
          "Condition": {
            "Operator": {
              "ConditionKey": "ConditionValue"
            }
          }
        }
      ]
    }
General syntax rules
- JSON format: Policies must be valid JSON. Element names (such as Effect), operators, and predefined values are case-sensitive and must be enclosed in double quotation marks (").
- Single value or array: Elements that accept multiple values, such as Action and Resource, can be a single string or an array of strings. Both of the following are valid:
    "Action": "ecs:DescribeInstances"
    "Action": ["ecs:DescribeInstances", "ecs:StopInstance"]
- Wildcards: Use wildcards in Action and Resource values to match multiple targets:
  - An asterisk (*) matches zero or more characters. For example, ecs:Describe* matches all ECS actions that start with Describe.
  - A question mark (?) matches any single character.
Formal syntax definition
The following Backus-Naur Form (BNF) style grammar provides a formal definition of the policy language.
Notation conventions
| Symbol | Meaning |
| --- | --- |
| <name> | A grammar rule (non-terminal). Replaced by the rule's definition. |
| = | Defines a grammar rule. |
| ( ) | Groups alternatives. |
| \| | Separates alternatives (choose one). |
| [ ] | An array (JSON list). Not optional. |
| ? | The element is optional. |
| " " | A literal string that appears in the policy as-is. |
    <policy> = {
        <version_block>,
        <statement_block>
    }
    <version_block> = "Version" : ("1")
    <statement_block> = "Statement" : [ <statement>, <statement>, ... ]
    <statement> = {
        <effect_block>,
        <action_block>,
        <resource_block>,
        <condition_block?>
    }
    <effect_block> = "Effect" : ("Allow" | "Deny")
    <action_block> = ("Action" | "NotAction") :
        ("*" | <action_string> | [<action_string>, <action_string>, ...])
    <resource_block> = "Resource" :
        ("*" | <resource_string> | [<resource_string>, <resource_string>, ...])
    <condition_block> = "Condition" : <condition_map>
    <condition_map> = {
        <condition_type_string> : {
            <condition_key_string> : <condition_value_list>,
            <condition_key_string> : <condition_value_list>,
            ...
        },
        <condition_type_string> : {
            <condition_key_string> : <condition_value_list>,
            <condition_key_string> : <condition_value_list>,
            ...
        }, ...
    }
    <condition_value_list> = (<condition_value> | [<condition_value>, <condition_value>, ...])
    <condition_value> = ("String" | "Number" | "Boolean" | "Date and time" | "IP address")
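The following Python script is an added example, not code from this page or from an Alibaba Cloud SDK. It turns the grammar above and the general syntax rules into something you can run: validate_policy checks a JSON document against the BNF (Version "1", a non-empty Statement array, Effect Allow or Deny, exactly one of Action or NotAction, Resource, an optional Condition map, case-sensitive element names), and wildcard_match implements the * and ? rules so you can see which statements cover a given action and resource. The sample policy, the resource strings, and the IpAddress/acs:SourceIp condition are constructed for the demonstration; the decision function assumes, which this page does not state, that an explicit Deny takes precedence over Allow and that an uncovered request is denied.

```python
"""Structural validator and wildcard matcher for RAM policy JSON (added example)."""
import json
import re

EFFECTS = {"Allow", "Deny"}
STATEMENT_ELEMENTS = {"Effect", "Action", "NotAction", "Resource", "Condition"}
SCALARS = (str, int, float, bool)  # String, Number, Boolean, Date, IP address are all JSON scalars


def _string_list(value, what):
    """Action/Resource: a single string or a non-empty array of strings."""
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and value and all(isinstance(v, str) for v in value):
        return value
    raise ValueError(f"{what} must be a string or a non-empty array of strings")


def validate_policy(document):
    """Parse policy JSON text, check it against the grammar, and return the parsed policy."""
    policy = json.loads(document)  # json.JSONDecodeError (a ValueError) on invalid JSON
    if not isinstance(policy, dict) or set(policy) != {"Version", "Statement"}:
        raise ValueError("top-level elements must be exactly Version and Statement")
    if policy["Version"] != "1":
        raise ValueError('Version must be the string "1"')
    if not isinstance(policy["Statement"], list) or not policy["Statement"]:
        raise ValueError("Statement must be a non-empty array")
    for i, st in enumerate(policy["Statement"]):
        # Element names are case-sensitive: "effect" is an unknown element, not Effect.
        if not isinstance(st, dict) or not STATEMENT_ELEMENTS >= set(st):
            raise ValueError(f"statement {i}: unexpected element (names are case-sensitive)")
        if st.get("Effect") not in EFFECTS:
            raise ValueError(f"statement {i}: Effect must be Allow or Deny")
        if ("Action" in st) == ("NotAction" in st):
            raise ValueError(f"statement {i}: exactly one of Action or NotAction is required")
        _string_list(st.get("Action", st.get("NotAction")), f"statement {i}: Action/NotAction")
        if "Resource" not in st:
            raise ValueError(f"statement {i}: Resource is required")
        _string_list(st["Resource"], f"statement {i}: Resource")
        cond = st.get("Condition", {})
        if not isinstance(cond, dict):
            raise ValueError(f"statement {i}: Condition must be an object")
        for operator, keys in cond.items():
            if not isinstance(keys, dict) or not keys:
                raise ValueError(f"statement {i}: operator {operator} must map condition keys to values")
            for key, values in keys.items():
                values = values if isinstance(values, list) else [values]
                if not values or not all(isinstance(v, SCALARS) for v in values):
                    raise ValueError(f"statement {i}: key {key} needs a scalar or an array of scalars")
    return policy


def is_valid(document):
    """True if the document parses and satisfies the grammar, False otherwise."""
    try:
        validate_policy(document)
        return True
    except ValueError:
        return False


def wildcard_match(pattern, target):
    """Case-sensitive glob: '*' is zero or more characters, '?' is exactly one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, target) is not None


def covering_statements(policy, action, resource):
    """Return [(index, Effect)] for each statement whose Action/NotAction and Resource cover the request."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if "Action" in st:
            action_hit = any(wildcard_match(p, action) for p in _string_list(st["Action"], "Action"))
        else:  # NotAction: the statement covers every action that is NOT listed
            action_hit = not any(wildcard_match(p, action) for p in _string_list(st["NotAction"], "NotAction"))
        resource_hit = any(wildcard_match(p, resource) for p in _string_list(st["Resource"], "Resource"))
        if action_hit and resource_hit:
            hits.append((i, st["Effect"]))
    return hits


def decision(policy, action, resource):
    """Assumed (not stated on this page): explicit Deny beats Allow; no covering statement means ImplicitDeny.
    Condition blocks are validated but not evaluated here."""
    effects = {effect for _, effect in covering_statements(policy, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


# Constructed sample policy for the demonstration (not from the page).
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "ecs:Describe*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["ecs:StopInstance", "ecs:DeleteInstance"],
     "Resource": "acs:ecs:*:*:instance/i-prod-????",
     "Condition": {"IpAddress": {"acs:SourceIp": ["10.0.0.0/8"]}}}
  ]
}"""

if __name__ == "__main__":
    policy = validate_policy(SAMPLE_POLICY)
    prod = "acs:ecs:cn-hangzhou:1234:instance/i-prod-0001"
    dev = "acs:ecs:cn-hangzhou:1234:instance/i-dev-0001"
    for action, resource in [("ecs:DescribeInstances", prod), ("ecs:StopInstance", prod), ("ecs:StopInstance", dev)]:
        print(f"{action} on {resource}: {decision(policy, action, resource)}")
```

Two details worth noticing when you run it: the validator rejects "effect" and "allow" because the syntax rules make names and predefined values case-sensitive, and the ???? pattern covers i-prod-0001 but not i-prod-00001, since ? matches exactly one character.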