Cloud Access Management
Policy Analyzer

Last updated: 2024-12-16 17:15:58
Policy Analyzer checks the JSON of the policies you create and reports validation findings at three levels: errors, warnings, and recommendations. It helps you write policies that follow the Security Practice Tutorial. The sections below list each finding, what it means, and how to resolve it.

version

1. Error - Missing Version

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing version. The version element declares the policy syntax version and is mandatory.
Resolve the error: Add a version element, placed before the statement element. Only the values "2.0" and "3.0" (see the Version 3.0 User Guide) are accepted, a policy may contain only one version element, and the element must be present for all policy features to be available.
Related Document References: Element Reference Overview.

2. Error - Invalid Version

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid version. The version element declares the policy syntax version, and only the values "2.0" and "3.0" are accepted.
Resolve the error: Set version to "2.0" or "3.0" (see the Version 3.0 User Guide). The element is mandatory, must come before the statement element, and may appear only once per policy.
Related Document References: Element Reference Overview.

3. Error - Redundant Version

In the Tencent Cloud console, the Policy Analyzer reports: Error - Redundant version. The version element is mandatory, and a policy may contain only one.
Resolve the error: The policy contains more than one version element. Remove the extra ones so that exactly one remains, with the value "2.0" or "3.0" (see the Version 3.0 User Guide), placed before the statement element.
Related Document References: Element Reference Overview.

statement

4. Error - Missing Statement

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing statement. The statement element holds the details of one or more permissions.
Resolve the error: Add a statement element. Its value is an array of one or more statements, each describing a permission or permission set through the principal, action, resource, condition, and effect elements. A policy has exactly one statement element; all statements go into that one array.
Related Document References: Element Reference Overview.

5. Error - Invalid Statement

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid statement. Each statement combines the principal, action, resource, condition, and effect elements into a permission or permission set.
Resolve the error: Check that the value of statement is an array of statement objects and that each object uses only the elements principal, action, resource, condition, and effect, in the formats given in the Element Reference. A policy has exactly one statement element.
Related Document References: Element Reference Overview.

6. Error - Redundant Statement

In the Tencent Cloud console, the Policy Analyzer reports: Error - Redundant statement. A policy has exactly one statement element.
Resolve the error: The policy contains more than one statement element. Merge the statements into the array of a single statement element; multiple permissions belong in that array, not in separate statement elements.
Related Document References: Element Reference Overview.

effect

7. Error - Missing Effect

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing effect. The effect element states whether the statement allows or denies the requests it matches.
Resolve the error: Add an effect element to every statement. The only valid values are allow and deny, and the element is mandatory.
Related Document References: Element Reference Overview.

8. Error - Invalid Effect

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid effect. The element is mandatory, and only the values allow and deny are accepted.
Resolve the error: Set effect to exactly allow or deny; any other value is rejected. Remember that a deny statement takes precedence over an allow statement for the same request, so check which one you intend before changing the value.
Related Document References: Element Reference Overview.
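The checks in the version, statement, and effect sections above can be reproduced offline before a policy is pasted into the console. The following Python is an added example written for this page, not Tencent's Policy Analyzer code. It parses the policy with a duplicate-key hook so that a repeated element produces the Redundant version / Redundant statement errors that json.loads would otherwise hide, and it reports each finding in the analyzer's wording. The sample policies are constructed, and treating element names case-insensitively (the page's own examples write both resource and Resource) is an assumption.

```python
import json

VALID_VERSIONS = {"2.0", "3.0"}
VALID_EFFECTS = {"allow", "deny"}
TOP_LEVEL_ELEMENTS = {"version", "statement"}
# The only elements a statement may carry, per this page.
STATEMENT_ELEMENTS = {"principal", "action", "resource", "condition", "effect"}
MAX_POLICY_CHARS = 6144


class _DuplicateKey(Exception):
    """Raised when a JSON object repeats a key (for example two version elements)."""


def _reject_duplicates(pairs):
    # json.loads keeps only the last duplicate key, which would hide a
    # "Redundant version" / "Redundant statement" error, so inspect the raw pairs.
    # Keys are lower-cased on the assumption that element names are matched
    # case-insensitively (the page's examples write both resource and Resource).
    seen = {}
    for key, value in pairs:
        key = key.lower()
        if key in seen:
            raise _DuplicateKey(key)
        seen[key] = value
    return seen


def check_policy_structure(text):
    """Return analyzer-style findings for the top-level structure of a policy JSON string."""
    findings = []
    if len(text) > MAX_POLICY_CHARS:
        findings.append("Error - Policy length exceeding the limit")
    try:
        policy = json.loads(text, object_pairs_hook=_reject_duplicates)
    except _DuplicateKey as dup:
        return findings + [f"Error - Redundant {dup.args[0]}"]
    except json.JSONDecodeError:
        return findings + ["Error - JSON syntax error"]
    if not isinstance(policy, dict):
        return findings + ["Error - JSON syntax error"]

    for key in policy:
        if key not in TOP_LEVEL_ELEMENTS:
            findings.append(f"Error - Invalid policy element: {key}")

    if "version" not in policy:
        findings.append("Error - Missing version")
    elif not isinstance(policy["version"], str) or policy["version"] not in VALID_VERSIONS:
        findings.append("Error - Invalid version")

    if "statement" not in policy:
        findings.append("Error - Missing statement")
        return findings
    statements = policy["statement"]
    # One statement element, whose value is an array of one or more statements.
    if not isinstance(statements, list) or not statements:
        findings.append("Error - Invalid statement")
        return findings
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            findings.append(f"Error - Invalid statement (index {i})")
            continue
        for key in stmt:
            if key not in STATEMENT_ELEMENTS:
                findings.append(f"Error - Invalid policy element: {key} (statement {i})")
        if "effect" not in stmt:
            findings.append(f"Error - Missing effect (statement {i})")
        elif not isinstance(stmt["effect"], str) or stmt["effect"] not in VALID_EFFECTS:
            findings.append(f"Error - Invalid effect (statement {i})")
    return findings


# Constructed sample policies (not taken from the page).
GOOD_POLICY = json.dumps({
    "version": "2.0",
    "statement": [{"effect": "allow", "action": ["cam:GetRole"], "resource": ["*"]}],
})
NO_VERSION_BAD_EFFECT = '{"statement": [{"effect": "permit", "action": "cam:GetRole", "resource": "*"}]}'
DUPLICATE_VERSION = '{"version": "2.0", "version": "3.0", "statement": []}'

if __name__ == "__main__":
    for name, text in [("good", GOOD_POLICY), ("bad", NO_VERSION_BAD_EFFECT), ("dup", DUPLICATE_VERSION)]:
        print(name, check_policy_structure(text))
```

The duplicate-key hook is the part worth copying: a policy with two version or two statement elements is valid JSON, so a plain json.loads would accept it and silently keep the last copy, which is exactly the condition the analyzer flags.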

principal

9. Error - Missing Principal

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing principal. The principal element names the entity the policy grants or denies access to. Resource-based policies must include it.
Resolve the error: Add a principal element naming the authorized entity (root account, sub-account, role, federated user, or other entity). Resource-based policies must include the principal element.
Related Document References: Element Reference Overview.

10. Error - Invalid Principal

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid principal. The principal element names the entity the policy grants or denies access to.
Resolve the error: The principal element names the authorized entity (root account, sub-account, role, federated user, or other entity) and is supported only in resource-based policies. Write it as a qcs list of account descriptions, as in the example below, and check each entry against the format in the Element Reference.
Example:
"principal": {
    "qcs": [
        "qcs::cam::uin/100000000001:uin/100000000002"
    ]
}
In this entry the fifth segment (uin/100000000001) identifies the root account and the sixth segment (uin/100000000002) the sub-account under it.
Related Document References: Element Reference Overview.

11. Error - SCP Does Not Support Principal

In the Tencent Cloud console, the Policy Analyzer reports: Error - Organizations Service Control Policy (SCP) does not support Principal.
Resolve the error: Service Control Policies in Tencent Cloud Organizations do not support the Principal element. Remove the Principal element from the policy.

12. Recommendation - Principal Is Empty

In the Tencent Cloud console, the Policy Analyzer reports: Recommendation - Principal not specified.
Resolve the recommendation: The Principal element is used in a role's trust policy and in resource-based policies (policies embedded directly in a resource). An empty Principal does not make the policy invalid, but Tencent Cloud recommends naming the principal explicitly so that the policy states which entity it applies to.
Related Document References: Element Reference Overview.

resource

13. Error - Missing Resource

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing resource. The resource element names the objects the statement applies to.
Resolve the error: Add a resource element. Each entry uses the six-segment description qcs:project_id:service_type:region:account:resource; the exact resource formats differ per product. The element is mandatory.

14. Error - Resource Is Empty

In the Tencent Cloud console, the Policy Analyzer reports: Error - Resource is empty. The resource element names the objects the statement applies to, and it is mandatory.
Resolve the error: The resource element is present but has no value. Supply at least one six-segment resource description (qcs:project_id:service_type:region:account:resource), following the resource definition of the product concerned.

15. Error - First Segment Error of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - First segment error of six-segment resource description. The first segment of the six-segment description is fixed as qcs.
Resolve the error: The first segment must be the literal qcs, short for qcloud service, which marks the entry as a Tencent Cloud resource. The full structure is qcs:project_id:service_type:region:account:resource.

16. Error - Second Segment Error of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Second segment error of six-segment resource description.
Resolve the error: The second segment carries project information that exists only for compatibility with legacy CAM logic. It cannot be set in the current policy syntax; leave it empty, which is why a description starts with two consecutive colons (qcs::...).

17. Error - Third Segment Invalid Service of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Third segment invalid service of six-segment resource description.
Resolve the error: The third segment is the product abbreviation. Use the value listed under "Abbreviation in CAM" in Products that support CAM; any other value is rejected.

18. Error - Fourth Segment Invalid Region of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Fourth segment invalid region of six-segment resource description.
Resolve the error: The fourth segment is the region. Use a valid region identifier, or leave the segment empty to cover all regions.

19. Error - Fifth Segment Invalid uin of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Fifth segment invalid uin of six-segment resource description.
Resolve the error: The fifth segment identifies the root account that owns the resource, in one of two forms. uin/${uin} uses the account ID (UIN) of the root account. uid/${appid} uses the APPID of the root account and is accepted only for COS and CAS resource owners. If the segment is left empty, it means the root account of the CAM user who created the policy. This error means the value after uin/ is not a valid account ID.

20. Error - Fifth Segment Invalid uid of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Fifth segment invalid uid of six-segment resource description.
Resolve the error: The uid/${appid} form is accepted only for COS and CAS resource owners, and ${appid} must be the APPID of the root account. For resources of other services use uin/${uin}. See error 19 for the full description of the fifth segment.

21. Error - Fifth Segment Invalid Account Format of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Fifth segment invalid account format of six-segment resource description.
Resolve the error: The fifth segment must be empty, uin/${uin}, or uid/${appid}. Any other text, such as a bare value without the uin/ or uid/ prefix, is rejected. See error 19 for the meaning of each form.

22. Error - Sixth Segment Invalid Resource Format of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Sixth segment invalid resource format of six-segment resource description.
Resolve the error: The sixth segment describes the product-specific resource, in one of two forms.
resource_type/${resourceid}: resource_type is the resource prefix describing the resource type (see the six-segment description of each product in Service Interfaces that Support CAM); ${resourceid} is the ID of the specific resource, which can be viewed in the product console. A value of * denotes all resources of that type.
<resource_type>/<resource_path>: resource_type is the resource prefix describing the resource type; <resource_path> is a resource path. This form supports directory-level prefix matching. See the six-segment description of each product in Service Interfaces that Support CAM.

23. Error - Sixth Segment Wildcard Error of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Sixth segment wildcard error of six-segment resource description.
Resolve the error: The sixth segment must begin with a resource type prefix. Values such as qcs::ckafka:bj:check:/ckafka-37zqnevtest or qcs::ckafka:bj:check:/*, whose sixth segment begins with a slash and carries no resource type, are not supported.

24. Error - If the Sixth Segment of Six-Segment Resource Description Has a Prefix, the Third Segment Service Cannot Be Empty

In the Tencent Cloud console, the Policy Analyzer reports: Error - If the sixth segment of six-segment resource description has a prefix, the third segment service cannot be empty.
Resolve the error: When the sixth segment carries a resource type prefix, the third segment must name the corresponding service abbreviation; it cannot be left empty.

25. Error - Format Error of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Format error of six-segment resource description.
Resolve the error: The description must contain exactly six colon-separated fields in the structure qcs:project_id:service_type:region:account:resource. Count the colons: a missing or extra segment produces this error.

26. Error - Length Exceeding the Limit of Six-Segment Resource Description

In the Tencent Cloud console, the Policy Analyzer reports: Error - Length exceeding the limit of six-segment resource description.
Resolve the error: A six-segment resource description may be at most 500 characters long.
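A parser for the six-segment description makes the per-segment errors above concrete. The following Python is an added example for this page, not Tencent's analyzer code. The service and region sets are small constructed samples (the real lists are in Products that support CAM and the region documentation), the assumption that every non-wildcard sixth segment contains a resource type followed by a slash is noted in the code, and the sample descriptions are constructed apart from the ckafka value quoted under error 23.

```python
import re
from dataclasses import dataclass

# Small constructed samples; the real lists are in Products that support CAM
# and the region documentation.
KNOWN_SERVICES = {"cam", "cvm", "cos", "cas", "vpc", "ckafka", "es"}
KNOWN_REGIONS = {"", "bj", "sh", "gz", "ap-beijing", "ap-shanghai", "ap-guangzhou"}
UID_OWNER_SERVICES = {"cos", "cas"}   # uid/${appid} is accepted only for these owners
MAX_RESOURCE_CHARS = 500

E_FORMAT = "Error - Format error of six-segment resource description"
E_LENGTH = "Error - Length exceeding the limit of six-segment resource description"
E_EMPTY = "Error - Resource is empty"
E_SEG1 = "Error - First segment error of six-segment resource description"
E_SEG2 = "Error - Second segment error of six-segment resource description"
E_SEG3 = "Error - Third segment invalid service of six-segment resource description"
E_SEG4 = "Error - Fourth segment invalid region of six-segment resource description"
E_SEG5_UIN = "Error - Fifth segment invalid uin of six-segment resource description"
E_SEG5_UID = "Error - Fifth segment invalid uid of six-segment resource description"
E_SEG5_FORMAT = "Error - Fifth segment invalid account format of six-segment resource description"
E_SEG6_FORMAT = "Error - Sixth segment invalid resource format of six-segment resource description"
E_SEG6_WILDCARD = "Error - Sixth segment wildcard error of six-segment resource description"
E_SEG6_NO_SERVICE = ("Error - If the sixth segment of six-segment resource description has a prefix, "
                     "the third segment service cannot be empty")


@dataclass
class Resource:
    service: str
    region: str
    account: str
    resource: str


def parse_resource(desc):
    """Split one six-segment description and return (Resource or None, findings)."""
    findings = []
    if desc == "":
        return None, [E_EMPTY]
    if desc == "*":                       # all resources of all services
        return Resource("*", "", "", "*"), findings
    if len(desc) > MAX_RESOURCE_CHARS:
        findings.append(E_LENGTH)
    # The sixth segment may itself contain ":" (paths), so split at most five times.
    parts = desc.split(":", 5)
    if len(parts) != 6:
        return None, findings + [E_FORMAT]
    prefix, project, service, region, account, resource = parts

    if prefix != "qcs":
        findings.append(E_SEG1)
    if project != "":                     # legacy field, must stay empty
        findings.append(E_SEG2)
    if service != "" and service not in KNOWN_SERVICES:
        findings.append(E_SEG3)
    if region not in KNOWN_REGIONS:       # "" means all regions
        findings.append(E_SEG4)

    if account != "":                     # "" means the policy creator's root account
        m = re.fullmatch(r"(uin|uid)/(.+)", account)
        if m is None:
            findings.append(E_SEG5_FORMAT)
        elif not m.group(2).isdigit():
            findings.append(E_SEG5_UIN if m.group(1) == "uin" else E_SEG5_UID)
        elif m.group(1) == "uid" and service not in UID_OWNER_SERVICES:
            findings.append(E_SEG5_UID)

    # Sixth segment: "*" or "<resource_type>/<id or path>". A value beginning with
    # "/" carries no resource type, which is the wildcard error quoted on this page.
    # Assumption: every non-"*" resource contains a "/" after its type prefix.
    if resource == "":
        findings.append(E_EMPTY)
    elif resource != "*":
        if resource.startswith("/"):
            findings.append(E_SEG6_WILDCARD)
        elif "/" not in resource:
            findings.append(E_SEG6_FORMAT)
        elif service == "":
            findings.append(E_SEG6_NO_SERVICE)
    return Resource(service, region, account, resource), findings


# Constructed sample inputs, plus the ckafka value quoted under error 23.
SAMPLES = [
    "qcs::cvm:bj:uin/100000000001:instance/ins-abcd1234",
    "qcs::ckafka:bj:check:/ckafka-37zqnevtest",
    "qcs:::bj:uid/1250000000:instance/ins-1",
    "aws::cvm:bj:uin/100000000001:instance/*",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, parse_resource(s))
```

Splitting with a maximum of five splits matters: a COS path in the sixth segment can legitimately contain colons, and a naive split on every colon would report a format error for a valid description.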

27. Suggestion - Resource Redundancy

In the Tencent Cloud console, the Policy Analyzer reports: Suggestion - Resource redundancy.
Resolve the suggestion: A specific resource listed alongside a wildcard entry that already matches it is redundant.
Example:
"resource": [
    "qcs::cam::uin/111122223333:rolename/admin",
    "qcs::cam::uin/111122223333:rolename/readonly",
    "qcs::cam::uin/111122223333:rolename/*"
]
In the example, the third description already covers every rolename resource, so the explicit admin and readonly entries add nothing. Remove them, or, if the statement is meant to apply only to those two roles, remove the wildcard entry instead, since the wildcard is what actually widens the grant.

action

28. Error - Missing Action

In the Tencent Cloud console, the Policy Analyzer reports: Error - Missing action. The action element lists the operations the statement allows or denies.
Resolve the error: Add an action element to the statement. An action is either a single API (an entry with the name prefix) or a feature set, a group of specific APIs (an entry with the actionName prefix). The element is mandatory.
Example:
{
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "ES:CreateServerlessSpace",
                "ES:CreateServerlessInstance",
                "ES:DescribeServerlessInstances",
                "ES:CreateServerlessInstanceUser",
                "ES:DescribeServerlessInstanceUsers",
                "ES:CreateServerlessDi",
                "ES:DescribeServerlessDi",
                "ES:DeleteServerlessInstanceUser",
                "ES:DeleteServerlessDi",
                "ES:DeleteServerlessInstance",
                "ES:DescribeServerlessSpaces",
                "ES:SearchServerlessData"
            ],
            "resource": [
                "*"
            ]
        }
    ]
}
Related Document References: Element Reference Overview.

29. Error - Invalid Action

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid action.
Resolve the error: The action element lists the operations the statement allows or denies, and one of the entries is not a recognized action. Check both the service prefix and the action name of each entry against the list in Service Interfaces that Support CAM.
Related Document References: Service Interfaces that Support CAM.

30. Error - Invalid Service Prefix in Action

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid service prefix in action.
Resolve the error: The service prefix (the part before the colon) of an action entry is not a recognized product abbreviation. Check the prefix against Service Interfaces that Support CAM.
Related Document References: Service Interfaces that Support CAM.

31. Suggestion - Action Redundancy

In the Tencent Cloud console, the Policy Analyzer reports: Suggestion - Action redundancy.
Resolve the suggestion: A specific action listed alongside a wildcard entry that already matches it is redundant.
Example:
"action": [
    "cam:Get*",
    "cam:List*",
    "cam:GetRole"
],
In the example, the wildcard "cam:Get*" already includes the GetRole permission, so the explicit "cam:GetRole" entry can be removed. As with resources, check which entry expresses the intended scope: if only GetRole is meant, the wildcard is the entry to drop.
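Both redundancy suggestions on this page (27 for resources and 31 for actions) reduce to the same check: an entry is redundant when a different wildcard entry in the same list already matches it. The following Python is an added example for this page, not Tencent's analyzer code. It treats * as matching any run of characters, compares action names case-insensitively (an assumption; the page only shows cam:Get* covering GetRole), compares resources exactly, and runs over the page's two examples assembled into one constructed statement.

```python
import re


def _wildcard_to_regex(pattern, ignore_case):
    # "*" matches any run of characters; every other character is literal.
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body, re.IGNORECASE if ignore_case else 0)


def find_redundant(entries, ignore_case=False):
    """Return (entry, covering_wildcard) pairs for entries that another wildcard entry already matches."""
    wildcards = [(e, _wildcard_to_regex(e, ignore_case)) for e in entries if "*" in e]
    redundant = []
    for entry in entries:
        for pattern, rx in wildcards:
            # A wildcard is never reported as covered by itself, but a narrower
            # wildcard (cam:Get*) is reported when a wider one (cam:*) covers it.
            if pattern != entry and rx.fullmatch(entry):
                redundant.append((entry, pattern))
                break
    return redundant


def _as_list(value):
    return value if isinstance(value, list) else [value]


def redundancy_suggestions(statement):
    """Run both checks on one statement dict and return analyzer-style suggestions."""
    out = []
    # Assumption: action names are compared case-insensitively; resources are not.
    for entry, pattern in find_redundant(_as_list(statement.get("action", [])), ignore_case=True):
        out.append(f"Suggestion - Action redundancy: {entry} is covered by {pattern}")
    for entry, pattern in find_redundant(_as_list(statement.get("resource", []))):
        out.append(f"Suggestion - Resource redundancy: {entry} is covered by {pattern}")
    return out


# The page's two examples, assembled into one constructed statement.
STATEMENT = {
    "effect": "allow",
    "action": ["cam:Get*", "cam:List*", "cam:GetRole"],
    "resource": [
        "qcs::cam::uin/111122223333:rolename/admin",
        "qcs::cam::uin/111122223333:rolename/readonly",
        "qcs::cam::uin/111122223333:rolename/*",
    ],
}

if __name__ == "__main__":
    for line in redundancy_suggestions(STATEMENT):
        print(line)
```

Running the check before committing a policy also catches the reverse mistake the suggestion hints at: when a list contains both a narrow entry and a wildcard, the wildcard is the one that determines the effective scope, so a review should confirm it is the intended one.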

condition

32. Error - Data Type Mismatch

In the Tencent Cloud console, the Policy Analyzer reports: Error - Data type mismatch.
Resolve the error: A condition value does not have the data type required by its conditional operator and conditional key, for example a string where a numeric operator expects a number. Correct the value or choose the operator that matches the key.
Related Document References: Conditional Keys and Conditional Operators.

33. Error - Invalid Global Conditional Key

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid conditional key.
Resolve the error: Global conditional keys carry the qcs: prefix. The supported global keys are qcs:current_time, qcs:ip, qcs:resource_tag, and qcs:request_tag; any other qcs: key is rejected.
Related Document References: Conditional Keys and Conditional Operators.

34. Error - Invalid Service Conditional Key

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid service conditional key.
Resolve the error: Service conditional keys are prefixed with the service abbreviation, for example keys with the vpc: prefix. Check that the prefix is a valid service abbreviation and that the key is one the service defines.
Related Document References: Conditional Keys and Conditional Operators.

35. Error - Multiple Boolean Values Are Not Supported

In the Tencent Cloud console, the Policy Analyzer reports: Error - Multiple Boolean values are not supported.
Resolve the error: Boolean conditional operators accept exactly one Boolean value; supply a single value rather than a list.
Related Document References: Conditional Keys and Conditional Operators.

36. Error - Condition Length Exceeding the Limit

In the Tencent Cloud console, the Policy Analyzer reports: Error - Condition length exceeding the limit.
Resolve the error: The condition element may be at most 4095 characters long.
Related Document References: Conditional Keys and Conditional Operators.

37. Error - Invalid Conditional Operator

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid conditional operator.
Resolve the error: The conditional operator is not one of the supported operators. See Conditional Keys and Conditional Operators for the list.
Related Document References: Conditional Keys and Conditional Operators.

38. Recommendation - Conditional Keys and Conditional Operators Do Not Match

In the Tencent Cloud console, the Policy Analyzer reports: Error - Conditional keys and conditional operators do not match.
Resolve the recommendation: The operator is not one that applies to the key's data type (for example a string operator used with qcs:ip). Pair each key with an operator from the matching family; see Conditional Keys and Conditional Operators.
Related Document References: Conditional Keys and Conditional Operators.
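The condition findings above, together with the invalid date warning listed under Other (44), can be checked with one validator over the condition element. The following Python is an added example for this page, not Tencent's analyzer code. It classifies operators into families (string, numeric, date, ip, bool) from their name prefix, which is an assumption: the authoritative operator names are in Conditional Keys and Conditional Operators, and the bool_equal operator and the vpc:example_flag key in the sample are placeholders. The known-service set is a constructed sample; the global key list and the 4095-character limit are the ones this page gives, and the date check follows the W3C formats the page recommends.

```python
import ipaddress
import json
import re

# Global keys and their value families, as listed on this page.
GLOBAL_KEYS = {
    "qcs:current_time": "date",
    "qcs:ip": "ip",
    "qcs:resource_tag": "string",
    "qcs:request_tag": "string",
}
KNOWN_SERVICES = {"cam", "cvm", "cos", "vpc"}   # constructed sample
MAX_CONDITION_CHARS = 4095
# W3C Date and Time Formats: YYYY, YYYY-MM, YYYY-MM-DD, optionally Thh:mm[:ss[.s]]
# followed by a zone designator (Z or +hh:mm / -hh:mm).
W3C_DATETIME = re.compile(
    r"\d{4}(-\d{2}(-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2}))?)?)?"
)


def _operator_family(op):
    # Strip set modifiers (for_any_value:, for_all_value:) and the _if_exist
    # suffix, then classify by prefix. Assumption: the boolean family is
    # recognised by a "bool" prefix; check the operator list for exact names.
    core = op.split(":", 1)[-1].replace("_if_exist", "")
    for family in ("string", "numeric", "date", "ip", "bool"):
        if core.startswith(family):
            return family
    return None


def _value_ok(family, value):
    if family == "string":
        return isinstance(value, str)
    if family == "numeric":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if family == "bool":
        return isinstance(value, bool)
    if family == "date":   # epoch integers are accepted here and warned about below
        return isinstance(value, (str, int)) and not isinstance(value, bool)
    if family == "ip":
        try:
            return isinstance(value, str) and ipaddress.ip_network(value, strict=False) is not None
        except ValueError:
            return False
    return False


def check_condition(condition):
    """Return analyzer-style findings for one statement's condition element."""
    findings = []
    if len(json.dumps(condition, separators=(",", ":"))) > MAX_CONDITION_CHARS:
        findings.append("Error - Condition length exceeding the limit")
    for op, clauses in condition.items():
        family = _operator_family(op)
        if family is None:
            findings.append(f"Error - Invalid conditional operator: {op}")
            continue
        if not isinstance(clauses, dict):
            findings.append(f"Error - Data type mismatch: {op}")
            continue
        for key, raw in clauses.items():
            values = raw if isinstance(raw, list) else [raw]
            prefix = key.split(":", 1)[0]
            if prefix == "qcs":
                key_family = GLOBAL_KEYS.get(key)
                if key_family is None:
                    findings.append(f"Error - Invalid global conditional key: {key}")
                    continue
                if key_family != family:
                    findings.append(f"Recommendation - Conditional key {key} and operator {op} do not match")
            elif prefix not in KNOWN_SERVICES:
                findings.append(f"Error - Invalid service conditional key: {key}")
                continue
            if family == "bool" and len(values) > 1:
                findings.append(f"Error - Multiple Boolean values are not supported: {key}")
            for v in values:
                if not _value_ok(family, v):
                    findings.append(f"Error - Data type mismatch: {key} = {v!r}")
                elif family == "date" and not (isinstance(v, str) and W3C_DATETIME.fullmatch(v)):
                    findings.append(f"Warning - Invalid date value: {v!r}")
    return findings


# Constructed sample conditions (not taken from the page).
GOOD_CONDITION = {
    "ip_equal": {"qcs:ip": ["10.0.0.0/8", "203.0.113.7"]},
    "date_greater_than": {"qcs:current_time": "2024-12-16T17:15:58+08:00"},
    "for_any_value:string_equal": {"qcs:request_tag": ["env&prod"]},
}
BAD_CONDITION = {
    "ip_equal": {"qcs:ip": "10.0.0.999"},
    "date_less_than": {"qcs:current_time": 1734340558},
    "string_equal": {"qcs:region": "ap-guangzhou"},
    "bool_equal": {"vpc:example_flag": [True, False]},   # placeholder operator and key
    "regex_match": {"qcs:ip": "203.0.113.7"},
}

if __name__ == "__main__":
    print(check_condition(GOOD_CONDITION))
    print(check_condition(BAD_CONDITION))
```

The ip check uses ipaddress.ip_network with strict=False so that both single addresses and CIDR ranges are accepted while a malformed address such as 10.0.0.999 is reported as a type mismatch; the date check reports an epoch integer as the warning this page describes rather than as a hard error.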

Other

39. Error - Invalid Policy Element

In the Tencent Cloud console, the Policy Analyzer reports: Error - Invalid policy element.
Resolve the error: Policies support only the elements version, statement, principal, action, resource, condition, and effect. Remove or rename any other element; a misspelled element name also produces this error.
Related Document References: Element Reference Overview.

40. Error - JSON Syntax Error

In the Tencent Cloud console, the Policy Analyzer reports: Error - JSON syntax error.
Resolve the error: The policy is not valid JSON. Check for missing or extra commas, brackets, braces, and quotation marks.
Related Document References: JSON Validator, Element Reference Overview.

41. Error - Policy Length Exceeding the Limit

In the Tencent Cloud console, the Policy Analyzer reports: Error - Policy length exceeding the limit.
Resolve the error: A policy may be at most 6144 characters long. Shorten it, for example by replacing explicit lists that a wildcard already covers, or split it into several policies.
Related Document References: Element Reference Overview.

42. Error - ACL Policy Length Exceeding the Limit

In the Tencent Cloud console, the Policy Analyzer reports: Error - ACL policy length exceeding the limit.

43. Error - Custom Policy Quantities Exceeding the Limit

In the Tencent Cloud console, the Policy Analyzer reports: Error - Custom policy quantities exceeding the limit.
Resolve the error: A Tencent Cloud account may hold at most 1,500 custom policies. Delete policies that are no longer attached to any user, group, or role before creating new ones.
Related Document References: Element Reference Overview.

44. Warning - Invalid Date Value

In the Tencent Cloud console, the Policy Analyzer reports: Warning - Invalid date value.
Resolve the warning: The value is a Unix epoch timestamp, that is, the number of seconds elapsed since January 1, 1970, excluding leap seconds. An epoch value may not resolve to the precise moment you expect. Tencent Cloud recommends the W3C Date and Time Formats: a complete date such as YYYY-MM-DD (1997-07-16), or a date with the time to the second and a time zone designator, YYYY-MM-DDThh:mm:ssTZD (1997-07-16T19:20:30+01:00).
Related Document References: W3C Date and Time Formats.

