IAM Policy Visualizer
Visualize AWS IAM policy permissions as a tree structure showing statements, actions by service, resources, and conditions
What is the IAM Policy Visualizer?
The IAM Policy Visualizer is a client-side tool that takes AWS IAM policy JSON documents and renders them as an interactive tree structure. It makes complex policies easier to understand by grouping actions by service, showing resources, and displaying conditions — all in a clear hierarchical layout.
How to Use
- Paste your IAM policy JSON into the input field
- Click "Visualize" or wait for automatic processing
- Review the tree showing statements, actions by service, resources, and conditions
- Use the summary to get a quick count of statements, services, and resources
- Copy the tree representation for documentation or code reviews
Example: Multi-Statement Policy
This policy with two statements would display as a tree with services grouped:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadS3",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    },
    {
      "Sid": "DenyDelete",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalTag/department": "admin"
        }
      }
    }
  ]
}

What the Tree Shows
- Policy root — Shows the policy version
- Statements — Each statement with its Effect (Allow/Deny) and Sid
- Actions by service — Actions grouped under their AWS service prefix
- Resources — All resource ARNs or wildcards
- Conditions — Condition operators with their keys and values
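The tree structure listed above can be built in a few dozen lines of JavaScript. This is an added sketch, not the tool's own code: the function names (asList, groupActions, renderPolicyTree), the indentation scheme, and the sample input are assumptions, and only the "ALL: * (all actions)" label and the ├─ marker come from this page.

```javascript
// Added example: the tool's real implementation and exact output layout are not shown on the page.
// IAM allows Statement, Action and Resource to be a single value or an array, so normalize first.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Group actions by the service prefix before ":"; a bare "*" goes into the "ALL" group.
function groupActions(actions) {
  const groups = new Map();
  for (const action of asList(actions)) {
    const sep = action.indexOf(":");
    // IAM action names are case-insensitive, so the prefix is lower-cased for grouping.
    const service = action === "*" ? "ALL" : sep === -1 ? "(no prefix)" : action.slice(0, sep).toLowerCase();
    if (!groups.has(service)) groups.set(service, []);
    groups.get(service).push(action);
  }
  return groups;
}

function renderPolicyTree(policyJson) {
  const policy = JSON.parse(policyJson); // throws SyntaxError on invalid JSON
  const lines = [`Policy (Version: ${policy.Version ?? "not set"})`];
  const add = (depth, text) => lines.push(`${"  ".repeat(depth)}├─ ${text}`);
  asList(policy.Statement).forEach((st, i) => {
    add(0, `Statement ${i + 1}: ${st.Effect}${st.Sid ? ` (Sid: ${st.Sid})` : ""}`);
    for (const key of ["Action", "NotAction"]) {
      if (st[key] === undefined) continue;
      add(1, key);
      for (const [service, names] of groupActions(st[key])) {
        if (service === "ALL") { add(2, "ALL: * (all actions)"); continue; }
        add(2, service);
        names.forEach((n) => add(3, n));
      }
    }
    for (const key of ["Resource", "NotResource"]) {
      if (st[key] === undefined) continue;
      add(1, key);
      asList(st[key]).forEach((r) => add(2, r));
    }
    for (const [op, keys] of Object.entries(st.Condition ?? {})) {
      add(1, `Condition: ${op}`);
      for (const [k, v] of Object.entries(keys)) add(2, `${k} = ${asList(v).join(", ")}`);
    }
  });
  return lines.join("\n");
}

// Constructed sample input: a single-object Statement that mixes a wildcard with a named action.
const sample = '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["S3:GetObject","*"],"Resource":"*"}}';
console.log(renderPolicyTree(sample));
```

Rendering the wildcard on its own line keeps a bare "*" from being hidden inside a long list of service-scoped actions during review.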
When to Use the Visualizer
- Reviewing a policy before applying it to an IAM role or user
- Documenting permissions for compliance or architecture reviews
- Understanding inherited or cross-account policies
- Communicating policy structure to team members
- Comparing what different statements allow or deny
Privacy and Security
All processing happens entirely in your browser using JavaScript. Your IAM policies — which may contain internal account IDs, resource ARNs, and infrastructure details — are never transmitted to any server. No data is stored, logged, or shared.
Frequently Asked Questions
What does the IAM Policy Visualizer do?
The IAM Policy Visualizer takes an AWS IAM policy JSON document and renders it as a tree structure. It shows statements (Allow/Deny), actions grouped by AWS service, resources, and conditions in a hierarchical view — making it easier to understand what a policy grants or denies at a glance.
How is this different from the IAM Policy Analyzer?
The IAM Policy Analyzer focuses on detecting security issues and providing a risk score. The IAM Policy Visualizer focuses on presenting the policy structure clearly — showing how permissions are organized by statement, service, and resource. Use the Analyzer to find problems, and the Visualizer to understand the policy layout.
Is my IAM policy sent to a server?
No. All processing happens entirely in your browser using JavaScript. Your IAM policy JSON never leaves your device and is not stored, logged, or transmitted to any server. This is critical for security since IAM policies often reference internal resource ARNs and account IDs.
What format does the input need to be?
The input must be a valid JSON document representing an IAM policy. It should contain a Version field and a Statement array. Both inline policies and managed policy documents are supported, including single-statement and multi-statement policies.
How are actions grouped in the tree view?
Actions are grouped by their AWS service prefix. For example, s3:GetObject, s3:PutObject, and s3:DeleteObject would appear under an 's3' service group. Wildcard actions (*) are displayed separately as 'ALL: * (all actions)'.
Does it show conditions and their operators?
Yes. The Visualizer displays all condition operators (StringEquals, IpAddress, Bool, etc.) with their keys and values in a hierarchical structure, making it easy to see what constraints apply to each statement.
What is the maximum input size?
The tool warns when input exceeds 500KB and rejects input larger than 5MB. Most IAM policies are well under 10KB. If you are visualizing a policy larger than 500KB, the tool will still work but may be slower.
Can I copy the tree output?
Yes. The Copy Results button copies the tree representation as indented text, which you can paste into documentation, tickets, or code reviews. The format uses tree markers (├─) for readability.