
Resource Access Management: Policy structure and syntax

Last Updated: May 27, 2026

A Resource Access Management (RAM) policy is a JSON document that defines permissions. This topic explains the structure of a policy and the syntax for its elements.

Policy structure

A RAM policy has two top-level elements: Version and Statement.

| Element | Required | Description |
| --- | --- | --- |
| Version | Yes | The version of the policy language. The only valid value is "1". |
| Statement | Yes | A list of one or more permission statements. Each statement defines what actions are allowed or denied on which resources. |

Each Statement object contains the following elements:

| Element | Required | Format | Description |
| --- | --- | --- | --- |
| Effect | Yes | "Allow" or "Deny" | Whether the statement grants or denies access. |
| Action or NotAction | Yes | "service:ActionName" or ["service:ActionName", ...] | The API operations the statement covers. Use Action to explicitly list permitted or denied operations. Use NotAction with "Effect": "Allow" to grant access to everything except the listed operations — a shorthand for subtracting from a wildcard (*). NotAction is not the same as "Effect": "Deny": deny blocks access even when another statement grants it, while NotAction narrows the scope of the effect. |
| Resource | Yes | "resource_arn" or ["resource_arn", ...] | The resources the statement applies to. Use "*" to match all resources. |
| Condition | No | { "Operator": { "ConditionKey": "ConditionValue" } } | Restrictions that must be met for the statement to take effect. |


The following example shows the basic structure of a policy with a single statement:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "service:ActionName",
            "Resource": "resource_arn",
            "Condition": {
                "Operator": {
                    "ConditionKey": "ConditionValue"
                }
            }
        }
    ]
}

General syntax rules

  • JSON format: Policies must be valid JSON. Element names (such as Effect), operators, and predefined values are case-sensitive and must be enclosed in double quotation marks (").

  • Single value or array: Elements that accept multiple values — such as Action and Resource — can be a single string or an array of strings. Both of the following are valid:

    "Action": "ecs:DescribeInstances"
    
    "Action": [
        "ecs:DescribeInstances",
        "ecs:StopInstance"
    ]
  • Wildcards: Use wildcards in Action and Resource values to match multiple targets:

    • An asterisk (*) matches zero or more characters. For example, ecs:Describe* matches all ECS actions that start with Describe.

    • A question mark (?) matches any single character.

Formal syntax definition

The following Backus-Naur Form (BNF) style grammar provides a formal definition of the policy language.

Notation conventions

| Symbol | Meaning |
| --- | --- |
| < > | A grammar rule (non-terminal). Replaced by the rule's definition. |
| = | Defines a grammar rule. |
| ( ) | Groups alternatives. |
| \| | Separates alternatives — choose one. |
| [ ] | An array (JSON list). Not optional. |
| ? after an element | The element is optional. |
| " " | A literal string that appears in the policy as-is. |

<policy> = {
     <version_block>,
     <statement_block>
}
<version_block> = "Version" : ("1")
<statement_block> = "Statement" : [ <statement>, <statement>, ... ]
<statement> = { 
    <effect_block>,
    <action_block>,
    <resource_block>,
    <condition_block>?
}
<effect_block> = "Effect" : ("Allow" | "Deny")
<action_block> = ("Action" | "NotAction") :
    ("*" | <action_string> | [<action_string>, <action_string>, ...])
<resource_block> = "Resource" : 
    ("*" | <resource_string> | [<resource_string>, <resource_string>, ...])
<condition_block> = "Condition" : <condition_map>
<condition_map> = {
  <condition_type_string> : { 
      <condition_key_string> : <condition_value_list>,
      <condition_key_string> : <condition_value_list>,
      ...
  },
  <condition_type_string> : {
      <condition_key_string> : <condition_value_list>,
      <condition_key_string> : <condition_value_list>,
      ...
  }, ...
}  
<condition_value_list> = (<condition_value> | [<condition_value>, <condition_value>, ...])
<condition_value> = ("String" | "Number" | "Boolean" | "Date and time" | "IP address")
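
The following Python example is added here and is not part of the RAM documentation or tooling. It checks a policy document against the grammar above, applies the wildcard rules to Action and NotAction, and warns when a statement combines "Effect": "Allow" with NotAction. The helper names (wildcard_match, covers, lint_policy) are hypothetical, the sample policy is constructed, and case-sensitive wildcard comparison is an assumption.

```python
import json
import re

KNOWN = {"Effect", "Action", "NotAction", "Resource", "Condition"}

def wildcard_match(pattern, value):
    # '*' = zero or more characters, '?' = exactly one; the rest is literal.
    # Assumption: case-sensitive comparison (the page does not specify).
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def covers(statement, action):
    # Action covers what it lists; NotAction covers everything it does not list.
    key = "NotAction" if "NotAction" in statement else "Action"
    pats = statement[key]
    listed = any(wildcard_match(p, action) for p in ([pats] if isinstance(pats, str) else pats))
    return listed != (key == "NotAction")

def lint_policy(text):
    """Return (errors, warnings) for policy JSON text, per the page's grammar."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"], []
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"], []
    errors, warnings = [], []
    if policy.get("Version") != "1":
        errors.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return errors + ["Statement must be a non-empty array"], warnings
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if not isinstance(st, dict):
            errors.append(f"{where}: must be an object")
            continue
        for name in sorted(set(st) - KNOWN):
            warnings.append(f"{where}: {name!r} is not in the grammar")
        if st.get("Effect") not in ("Allow", "Deny"):
            errors.append(f'{where}: Effect must be "Allow" or "Deny"')
        if ("Action" in st) == ("NotAction" in st):
            errors.append(f"{where}: exactly one of Action or NotAction is required")
        if "Resource" not in st:
            errors.append(f"{where}: Resource is required")
        if st.get("Effect") == "Allow" and "NotAction" in st:
            warnings.append(f"{where}: Allow + NotAction grants every action not listed")
    return errors, warnings

SAMPLE = '{"Version": "1", "Statement": [{"Effect": "Allow", "NotAction": "ram:*", "Resource": "*"}]}'  # constructed
```

A lowercase element name such as "effect" is reported twice: as a name outside the grammar and as a missing Effect, because element names are case-sensitive.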
