AWS
IAMMalformedPolicyDocument - IAM Malformed Policy Document
Getting an **IAMMalformedPolicyDocument** error (the IAM API returns it as MalformedPolicyDocument, HTTP status 400) means IAM rejected the JSON policy document in your create or put request: the JSON does not parse, the Statement element is missing, a statement does not follow the IAM policy grammar, or an Action, Resource or Principal value is malformed. The response message names the specific problem (for example "Syntax errors in policy." or "Policy document should not specify a principal."), so read it before changing anything. It is a client-side (4xx) validation error: the document itself has to change, and retrying the same request fails the same way. The most common trigger is invalid JSON, followed by elements that are wrong for the policy type, malformed action or resource values, and encoding problems such as a byte-order mark or JSON mangled by shell quoting.
Common Causes
- Identity: the document does not follow the grammar for its policy type. Identity-based policies (user, group and role policies) must not contain a Principal element and must name a Resource; resource-based policies (bucket, key and queue policies) and role trust policies must contain a Principal, and a trust policy must not contain a Resource. Service Control Policies are validated by AWS Organizations under its own MalformedPolicyDocumentException for the same kinds of mistake.
- Network: not a connectivity fault. VPC endpoint policies are resource-based policies validated by the same rules, so the same structural mistakes produce the same rejection. Encoding problems belong here too: a file saved with a UTF-8 byte-order mark, a non-UTF-8 file, or JSON broken by shell quoting when the document is passed inline on the command line.
- Limits: invalid JSON syntax (trailing commas, comments, single quotes, unbalanced braces); missing Statement element; Version omitted (not rejected by AWS, but the 2008-10-17 grammar then applies and policy variables such as ${aws:username} are treated as literal text); an Effect other than exactly Allow or Deny; duplicate or non-alphanumeric Sid values; actions without a service prefix (GetObject instead of s3:GetObject); a Resource that is neither "*" nor an ARN; a Condition whose value is not an object of operator to key to value.
Solutions
- Step 1: Diagnose - Validate JSON syntax: jq . policy.json (or python3 -m json.tool policy.json). A parse error here is what AWS reports as "Syntax errors in policy." Look for trailing commas, comments, single quotes, unbalanced braces, and a byte-order mark at the start of the file (head -c 3 policy.json | od -An -tx1 shows ef bb bf).
- Step 2: Diagnose - Check the top-level elements: "Version": "2012-10-17" (AWS does not reject its absence, but the 2008-10-17 grammar then applies and policy variables stop working); a Statement element holding an array of statement objects (a single object is also accepted); no other top-level keys apart from an optional Id.
- Step 3: Diagnose - Check each statement: Effect is exactly Allow or Deny (case-sensitive); exactly one of Action/NotAction, each action written as service:Name or "*"; exactly one of Resource/NotResource in identity-based and resource-based policies (none in a trust policy), each either "*" or an ARN; a Principal only in resource-based and trust policies; unique alphanumeric Sid values; a Condition shaped as {operator: {key: value}}.
- Step 4: Fix - Correct the document, not the request: fix the JSON, save it as UTF-8 without BOM, and pass it with --policy-document file://policy.json rather than quoting it inline on the command line. If a script generates the policy, build it with jq -n --arg or a JSON library instead of string concatenation, so values are escaped and cannot alter the structure.
- Step 5: Fix - Validate against the service before creating anything: aws accessanalyzer validate-policy --policy-type IDENTITY_POLICY --policy-document file://policy.json reports ERROR findings for grammar problems, and aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject --resource-arns arn:aws:s3:::bucket/* evaluates the document itself. aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::ACCOUNT:user/USER --action-names s3:GetObject --resource-arns arn:aws:s3:::bucket/* only tests policies already attached to that principal, so it is useful after the policy is accepted but cannot exercise a document IAM refused to store. If anything is still unclear, review the IAM JSON policy element reference and policy grammar.
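The diagnostic steps above can be run offline as a single check. The Python script below is an added example, not AWS tooling or code from this page: it applies the same structural rules (JSON parse, byte-order mark, Version, Statement shape, per-statement elements by policy type, Sid uniqueness, action and ARN formats, Condition shape) as a lint that returns a list of findings, and the sample documents in it are constructed for illustration. The policy-type distinction (identity, resource, trust) and the formats checked are as documented for IAM; the finding messages are this script's own wording, not the exact text AWS returns.

```python
"""Offline structural lint for IAM JSON policy documents (added example, not AWS code)."""
import json
import re

ACTION_RE = re.compile(r"^(\*|[A-Za-z0-9-]+:[A-Za-z0-9*?]+)$")  # "*", s3:GetObject, s3:Get*
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")  # arn:partition:service:region:account:rest
SID_RE = re.compile(r"^[A-Za-z0-9]+$")  # IAM Sid values: ASCII letters and digits only
CONDITION_OPS = ("String", "Numeric", "Date", "Bool", "BinaryEquals",
                 "IpAddress", "NotIpAddress", "Arn", "Null")
STATEMENT_KEYS = {"Sid", "Effect", "Principal", "NotPrincipal", "Action",
                  "NotAction", "Resource", "NotResource", "Condition"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _check_statement(i, s, policy_type, sids, out):
    """Append findings for one statement; policy_type is identity, resource or trust."""
    where = f"Statement[{i}]"
    if not isinstance(s, dict):
        out.append(f"{where}: must be a JSON object")
        return
    out.extend(f"{where}: unknown field {k!r}" for k in s if k not in STATEMENT_KEYS)
    if s.get("Effect") not in ("Allow", "Deny"):  # case-sensitive in IAM
        out.append(f'{where}: Effect must be exactly "Allow" or "Deny"')
    sid = s.get("Sid")
    if sid is not None and not (isinstance(sid, str) and SID_RE.match(sid)):
        out.append(f"{where}: Sid must be alphanumeric")
    elif sid in sids:
        out.append(f"{where}: duplicate Sid {sid!r}")
    elif sid is not None:
        sids.add(sid)
    if ("Action" in s) + ("NotAction" in s) != 1:
        out.append(f"{where}: needs exactly one of Action / NotAction")
    for a in _as_list(s.get("Action", s.get("NotAction", []))):
        if not (isinstance(a, str) and ACTION_RE.match(a)):
            out.append(f'{where}: action {a!r} must be "*" or service:Name')
    # Identity- and resource-based policies name resources; a role trust policy must not.
    n_res = ("Resource" in s) + ("NotResource" in s)
    if n_res != (0 if policy_type == "trust" else 1):
        out.append(f"{where}: Resource/NotResource wrong for policy type {policy_type!r} (found {n_res})")
    for r in _as_list(s.get("Resource", s.get("NotResource", []))):
        if not (isinstance(r, str) and (r == "*" or ARN_RE.match(r))):
            out.append(f'{where}: resource {r!r} must be "*" or an ARN')
    # Only resource-based and trust policies carry a Principal; IAM rejects it elsewhere.
    n_prin = ("Principal" in s) + ("NotPrincipal" in s)
    if n_prin != (0 if policy_type == "identity" else 1):
        out.append(f"{where}: Principal/NotPrincipal wrong for policy type {policy_type!r} (found {n_prin})")
    cond = s.get("Condition", {})
    if not isinstance(cond, dict):
        out.append(f"{where}: Condition must be an object")
        cond = {}
    for op, kv in cond.items():  # shape is {operator: {condition-key: value}}
        base = re.sub(r"^ForA(nyValue|llValues):", "", op)
        base = base[:-8] if base.endswith("IfExists") else base
        if not (base.startswith(CONDITION_OPS) and isinstance(kv, dict)):
            out.append(f"{where}: condition operator {op!r} unknown or its value is not an object")

def lint_policy(doc, policy_type="identity"):
    """Return findings for a str or bytes document; an empty list means it passed."""
    out = []
    if isinstance(doc, bytes):
        try:
            doc = doc.decode("utf-8")
        except UnicodeDecodeError as e:
            return [f"document is not valid UTF-8: {e}"]
    if doc.startswith("\ufeff"):  # a BOM survives a plain utf-8 decode as U+FEFF
        out.append("UTF-8 byte-order mark at start of document: strip it")
        doc = doc[1:]
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as e:
        return out + [f"Syntax errors in policy: {e.msg} (line {e.lineno}, column {e.colno})"]
    if not isinstance(policy, dict):
        return out + ["top-level value must be a JSON object"]
    out.extend(f"unknown top-level field {k!r}" for k in policy if k not in ("Version", "Statement", "Id"))
    version = policy.get("Version")
    if version is None:  # not rejected by AWS, but the 2008-10-17 grammar then applies
        out.append("no Version: 2008-10-17 grammar assumed, policy variables become literal text")
    elif version not in ("2012-10-17", "2008-10-17"):
        out.append(f'invalid Version {version!r}; use "2012-10-17"')
    if "Statement" not in policy:
        return out + ["missing Statement element"]
    sids = set()
    for i, s in enumerate(_as_list(policy["Statement"])):  # one object or an array
        _check_statement(i, s, policy_type, sids, out)
    return out

# Constructed sample documents, not taken from any real account.
GOOD = """{"Version": "2012-10-17", "Statement": [{"Sid": "ReadObjects", "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"],
  "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
  "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}"""
BAD = (b'\xef\xbb\xbf{"Statement": ['
       b'{"Sid": "A", "Effect": "allow", "Action": "GetObject", "Resource": "my-bucket/*", "Principal": {"AWS": "*"}},'
       b'{"Sid": "A", "Effect": "Deny", "Action": "s3:*", "Resource": "*", "Condition": {"StringEquals": "x"}}]}')
TRUST = ('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", '
         '"Principal": {"Service": "lambda.amazonaws.com"}}}')
```

Run lint_policy(open("policy.json", "rb").read()) in CI before aws iam create-policy, passing policy_type="trust" for an AssumeRolePolicyDocument and "resource" for a bucket or key policy. GOOD passes, BAD yields eight findings (the BOM, the missing Version, and six statement-level problems including the duplicate Sid and the Principal in an identity-based policy), and TRUST passes as a trust policy but fails as an identity policy. This lint does not replace aws accessanalyzer validate-policy, which also knows service-specific action names and condition keys.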
Code Examples
Validate IAM Policy JSON Syntax

```bash
#!/bin/bash
# Check that the policy file parses as JSON and carries the top-level elements
# IAM expects. Requires jq. Usage: ./validate-policy-json.sh [policy.json]
POLICY_FILE="${1:-policy.json}"

echo "=== Validating IAM Policy JSON ==="

# Check if file exists
if [ ! -f "${POLICY_FILE}" ]; then
    echo "✗ Policy file not found: ${POLICY_FILE}"
    exit 1
fi

if ! command -v jq >/dev/null 2>&1; then
    echo "jq not installed - cannot validate JSON"
    echo "Install: sudo apt-get install jq (Linux) or brew install jq (macOS)"
    exit 1
fi

# A UTF-8 byte-order mark (EF BB BF) at the start of the file is not valid JSON
# to AWS and is a frequent cause of MalformedPolicyDocument; editors add it silently.
if [ "$(head -c 3 "${POLICY_FILE}" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
    echo "✗ File starts with a UTF-8 BOM - save it as UTF-8 without BOM"
    exit 1
fi

# Validate JSON syntax with jq (non-zero exit status on a parse error)
echo
echo "=== Validating JSON Syntax ==="
if jq '.' "${POLICY_FILE}" >/dev/null 2>&1; then
    echo "✓ JSON syntax valid"
else
    echo "✗ Invalid JSON syntax (MalformedPolicyDocument)"
    echo "Errors:"
    jq '.' "${POLICY_FILE}" 2>&1 | head -5
    exit 1
fi

# Check required policy elements. jq -e exits non-zero when the result is false,
# so has() can drive the branch; grepping for the key name would also match a Sid.
echo
echo "=== Checking Required Policy Elements ==="
if jq -e 'has("Version")' "${POLICY_FILE}" >/dev/null; then
    echo "✓ Version field present: $(jq -r '.Version' "${POLICY_FILE}")"
else
    # Not rejected by AWS, but the policy then uses the 2008-10-17 grammar and
    # policy variables such as ${aws:username} are treated as literal text
    echo "⚠ Missing Version field - add \"Version\": \"2012-10-17\""
fi

if jq -e 'has("Statement")' "${POLICY_FILE}" >/dev/null; then
    echo "✓ Statement field present"
else
    echo "✗ Missing Statement field"
    exit 1
fi

echo
echo "✓ Policy structure valid"
```

Check Policy Statement Structure
```bash
#!/bin/bash
# Walk every statement in the policy and report the elements IAM expects.
# Requires jq. Usage: ./check-statements.sh [policy.json]
POLICY_FILE="${1:-policy.json}"

echo "=== Validating Policy Statement Structure ==="

if ! command -v jq >/dev/null 2>&1; then
    echo "jq not installed - install to validate policy structure"
    exit 1
fi

# Check Version (optional for AWS, but without it policy variables are not expanded)
VERSION=$(jq -r '.Version // empty' "${POLICY_FILE}" 2>/dev/null)
if [ -n "${VERSION}" ]; then
    echo "✓ Version: ${VERSION}"
else
    echo "⚠ Missing Version field - add \"Version\": \"2012-10-17\""
fi

# IAM accepts Statement as a single object or an array; normalise to an array
STATEMENTS=$(jq -c '.Statement // [] | if type == "array" then . else [.] end' "${POLICY_FILE}" 2>/dev/null)
STATEMENT_COUNT=$(printf '%s' "${STATEMENTS}" | jq 'length' 2>/dev/null)
if [ -z "${STATEMENT_COUNT}" ] || [ "${STATEMENT_COUNT}" -eq 0 ]; then
    echo "✗ Missing or empty Statement array"
    exit 1
fi
echo "✓ Statement count: ${STATEMENT_COUNT}"

i=0
while [ "${i}" -lt "${STATEMENT_COUNT}" ]; do
    echo
    echo "=== Statement ${i} ==="
    # -c keeps arrays on one line; jq prints "null" when an element is absent
    EFFECT=$(printf '%s' "${STATEMENTS}" | jq -r ".[${i}].Effect")
    ACTION=$(printf '%s' "${STATEMENTS}" | jq -c ".[${i}].Action // .[${i}].NotAction")
    RESOURCE=$(printf '%s' "${STATEMENTS}" | jq -c ".[${i}].Resource // .[${i}].NotResource")
    PRINCIPAL=$(printf '%s' "${STATEMENTS}" | jq -c ".[${i}].Principal // .[${i}].NotPrincipal")

    # Effect is case-sensitive: "allow" is rejected
    case "${EFFECT}" in
        Allow|Deny) echo "Effect: ${EFFECT}" ;;
        *) echo "✗ Effect must be exactly Allow or Deny (found: ${EFFECT})" ;;
    esac

    if [ "${ACTION}" != "null" ]; then
        echo "Action: ${ACTION}"
    else
        echo "✗ Missing Action (or NotAction) field"
    fi

    if [ "${RESOURCE}" != "null" ]; then
        echo "Resource: ${RESOURCE}"
    else
        # Required in identity-based policies; omitted (and not allowed) in role trust policies
        echo "⚠ No Resource field - required unless this is a role trust policy"
    fi

    if [ "${PRINCIPAL}" != "null" ]; then
        # Valid only in resource-based and trust policies; IAM rejects it in identity-based policies
        echo "⚠ Principal present: ${PRINCIPAL} (not allowed in identity-based policies)"
    fi
    i=$((i + 1))
done
```

Create Valid IAM Policy Document
```bash
#!/bin/bash
# Write a known-good identity-based policy, check that it parses, and print the
# AWS CLI commands that validate it against the service. Requires jq.
POLICY_FILE="${1:-policy.json}"

echo "=== Creating Valid IAM Policy Document ==="

# Create example valid policy (identity-based: no Principal, explicit Resource)
cat > "${POLICY_FILE}" <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
EOF

echo "Policy document created: ${POLICY_FILE}"

if ! command -v jq >/dev/null 2>&1; then
    echo "jq not installed - cannot validate"
    exit 1
fi

# Validate the policy locally
echo
echo "=== Validating Policy ==="
if jq '.' "${POLICY_FILE}" >/dev/null 2>&1; then
    echo "✓ Policy JSON is valid"
else
    echo "✗ Policy validation failed"
    exit 1
fi

echo
echo "=== Policy Structure ==="
jq '.' "${POLICY_FILE}"

# Grammar checks happen in the service. These commands exercise them without
# attaching anything; validate-policy reports ERROR findings for the same
# problems that would otherwise come back as MalformedPolicyDocument.
echo
echo "=== Validate with IAM Access Analyzer ==="
echo "aws accessanalyzer validate-policy \\"
echo "    --policy-type IDENTITY_POLICY \\"
echo "    --policy-document file://${POLICY_FILE}"

# simulate-custom-policy evaluates the document itself; simulate-principal-policy
# only tests policies already attached to a principal.
echo
echo "=== Test Policy with IAM Policy Simulator ==="
echo "aws iam simulate-custom-policy \\"
echo "    --policy-input-list file://${POLICY_FILE} \\"
echo "    --action-names s3:GetObject \\"
echo "    --resource-arns arn:aws:s3:::my-bucket/*"

echo
echo "=== Create Policy ==="
echo "aws iam create-policy \\"
echo "    --policy-name my-policy \\"
echo "    --policy-document file://${POLICY_FILE}"
```
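Policies are frequently malformed because a script splices a value into JSON text. The Python below is an added example, not code from this page or from AWS, and its inputs are constructed: a bucket name containing a quote breaks the JSON, which IAM reports as MalformedPolicyDocument, while a crafted bucket name keeps the JSON well-formed and appends a second, far broader statement. The hardened builder checks the input against S3's bucket-name rules and serialises a dict with json.dumps, so values are escaped and cannot change the structure. Names such as build_policy and build_policy_by_template are this example's own.

```python
"""Generating a policy document from untrusted input (added example, not AWS code)."""
import json
import re

# S3 bucket-name rules: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending with a letter or digit. Anything else never reaches the template.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def build_policy_by_template(bucket):
    """The bug: the value is spliced into JSON text, so the parser treats it as JSON."""
    return ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
            '"Action": "s3:GetObject", "Resource": "arn:aws:s3:::%s/*"}]}' % bucket)


def build_policy(bucket):
    """The fix: validate the input, then serialise a structure; json.dumps escapes the value."""
    if not BUCKET_RE.match(bucket):
        raise ValueError(f"not a valid bucket name: {bucket!r}")
    policy = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                             "Resource": f"arn:aws:s3:::{bucket}/*"}]}
    return json.dumps(policy)


def parse(doc):
    """Parsed document, or None where IAM would answer MalformedPolicyDocument."""
    try:
        return json.loads(doc)
    except json.JSONDecodeError:
        return None


def accepted(bucket):
    """True when build_policy is willing to emit a document for this name."""
    try:
        build_policy(bucket)
        return True
    except ValueError:
        return False


# Constructed inputs. BROKEN only breaks the JSON; INJECTED keeps it well-formed and
# closes the intended statement early so that a second one is appended.
BROKEN = 'reports"bucket'
INJECTED = 'reports/*"}, {"Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::*'

if __name__ == "__main__":
    print("template, broken input :", parse(build_policy_by_template(BROKEN)))
    print("template, crafted input:", parse(build_policy_by_template(INJECTED))["Statement"])
    print("builder, crafted input :", accepted(INJECTED))
    print("builder, valid input   :", build_policy("reports"))
```

The template with BROKEN yields a document that does not parse; with INJECTED it yields two statements, the second granting "*" on every object. build_policy rejects both names and, for a valid name, always produces exactly one statement. The shell equivalent is to let jq do the quoting: jq -n --arg b "$BUCKET" '{Version:"2012-10-17",Statement:[{Effect:"Allow",Action:"s3:GetObject",Resource:("arn:aws:s3:::"+$b+"/*")}]}' emits a document in which $b is always a single string value.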
Provider Information
This error code is specific to AWS services. The IAM API reference documents it as MalformedPolicyDocument (HTTP 400), and the message in the response identifies the offending element. For more information, refer to the official AWS documentation on the IAM JSON policy element reference and the IAM policy grammar.