AWS Policy Diff Tool - Statement-Level IAM / S3 Bucket / KMS Key Policy Comparison


This tool compares two AWS policy documents (IAM identity policies, S3 bucket policies, KMS key policies, and similar resource policies) at the Statement level. Unlike plain JSON diff, it normalizes the order of Action, Resource, Principal, and Condition, and matches statements by Sid or structural similarity so that cosmetic rewrites don't appear as changes.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your policy JSON never leaves your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • The author accepts no responsibility for missed privilege changes or misinterpreted diff results.
  • This tool performs structural comparison only; it does not evaluate the effective permissions (policy simulation, permission boundaries, SCPs, resource-level conditions, or service control).
  • Always review the raw policy JSON before applying any changes to production.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded, and all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Features

  • 🔍 Statement-Level Comparison — Matches Statements by Sid or structural similarity so cosmetic rewrites (reordered Actions, normalized Principal shape) are not reported as changes.
  • 🔧 Policy-Aware Normalization — Unifies the single/array forms of Action, Resource, Principal, and Condition; sorts keys; de-duplicates values; treats a missing Effect as Allow (optional).
  • 🔑 Sid-Based Matching — When both documents use Sid values, matches them first, then falls back to structural similarity.
  • 🧪 Field-Level Diff — Shows added / removed Actions, Resources, Principals, and Condition entries inside each modified Statement with color coding.
  • ⚠️ Privilege Scope Heuristics — Flags newly introduced wildcards in Action / Resource, NotAction / NotPrincipal usage, and Principal "*" Allow.
  • 📊 Three Views — Statement cards, side-by-side normalized JSON panels, and a flat change table listing every delta with a path.
  • 📋 Sample Pairs — Six presets: IAM permission added / removed, MFA Condition added, Sid rename, S3 bucket scope broadened, KMS key policy admin added.
  • Swap Sides — Quickly reverse the comparison direction.
  • 🔒 Complete Privacy — All processing happens in your browser; policy data never leaves your device.
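The normalization and Sid matching described above, as an added example that is not the tool's own source (the function names normalizeStatement and diffPolicies are assumptions, and the Sid-less fallback here is an exact structural match rather than the tool's looser similarity matching):

```javascript
// Added example (not the tool's own source; function names are assumptions):
// normalize Statements as the tool describes, match by Sid, flag new wildcards.
const LIST_FIELDS = ["Action", "NotAction", "Resource", "NotResource"];
const toSortedList = (v) => [...new Set([].concat(v ?? []))].sort(); // unify + dedupe
const hasStar = (list) => (list ?? []).some((v) => String(v).includes("*"));

function normalizePrincipal(p) { // "*" and {"AWS": "*"} both mean anonymous access
  if (p === "*") return { AWS: ["*"] };
  const out = {};
  for (const k of Object.keys(p).sort()) out[k] = toSortedList(p[k]);
  return out;
}

function normalizeStatement(s, missingEffectIsAllow = true) {
  const n = { Effect: s.Effect ?? (missingEffectIsAllow ? "Allow" : undefined) };
  if (s.Sid !== undefined) n.Sid = s.Sid;
  for (const f of LIST_FIELDS) if (s[f] !== undefined) n[f] = toSortedList(s[f]);
  for (const f of ["Principal", "NotPrincipal"])
    if (s[f] !== undefined) n[f] = normalizePrincipal(s[f]);
  if (s.Condition) { // sort operators and keys; values become sorted lists
    n.Condition = {};
    for (const op of Object.keys(s.Condition).sort()) {
      n.Condition[op] = {};
      for (const key of Object.keys(s.Condition[op]).sort())
        n.Condition[op][key] = toSortedList(s.Condition[op][key]);
    }
  }
  return n;
}
// Sid match; Sid-less Statements are keyed by normalized JSON (exact twins only).
function diffPolicies(before, after) {
  const keyed = (p) => new Map([].concat(p.Statement)
    .map((s) => normalizeStatement(s)).map((s) => [s.Sid ?? JSON.stringify(s), s]));
  const a = keyed(before), b = keyed(after);
  const r = { added: [], removed: [], modified: [], identical: [], warnings: [] };
  for (const [k, s] of b) {
    const old = a.get(k);
    if (!old) r.added.push(k);
    else if (JSON.stringify(old) === JSON.stringify(s)) r.identical.push(k);
    else r.modified.push(k);
    if (s.Effect !== "Allow") continue; // scope heuristics only concern Allow
    for (const f of ["Action", "Resource"])
      if (hasStar(s[f]) && !hasStar(old?.[f])) r.warnings.push(`${k}: wildcard in ${f}`);
    if (hasStar(s.Principal?.AWS) && !hasStar(old?.Principal?.AWS))
      r.warnings.push(`${k}: Principal "*" Allow`);
  }
  for (const k of a.keys()) if (!b.has(k)) r.removed.push(k);
  return r;
}
```

A reordered, duplicated, or array-wrapped Action list in the "after" document produces no change, while a Sid-less or wildcard-bearing Allow statement is reported and flagged.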

How to Use

  1. Paste your original policy JSON in the left panel and the modified policy JSON in the right panel, or use the Load Sample Pair selector.
  2. (Optional) Adjust the three options: Treat missing Effect as Allow, Match statements by Sid, Case-insensitive Action comparison.
  3. Click "Compare" to run the Statement-level diff.
  4. Review the summary badges for Added / Removed / Modified / Identical counts and any privilege scope warnings.
  5. Switch between the three views:
    • Statement Diff: Per-Statement cards with color-coded field-level changes.
    • Side-by-Side: Normalized JSON of both policies with changed Statement lines highlighted.
    • Change Table: Flat table listing every Path / Change / Before / After row.
  6. Use "Swap Sides" to reverse the comparison, "Clear All" to reset, or "Copy Summary" to copy a plain-text summary to the clipboard.

Important Notes

  • Both inputs must be valid JSON policy documents (an object with a Statement key; Statement may be a single object or an array).
  • This tool performs structural comparison only. It does not simulate the evaluation of effective permissions (IAM policy simulation, permission boundaries, SCPs, resource-level Conditions, or cross-account access) and should not be treated as a substitute for AWS IAM Access Analyzer or the Policy Simulator.
  • The privilege scope warnings are heuristics based on wildcards and NotAction / NotPrincipal usage only. A missing warning does not imply the change is safe.
  • Condition comparison normalizes the order of condition operators and keys but does not evaluate operator semantics (e.g., StringEquals versus StringEqualsIgnoreCase are treated as different operators).
  • Very large policies with hundreds of statements may take a moment to normalize and match.


Written by Hidekazu Konishi