Example: Excluding Actions

In basic CRUD mode, Policy Sentry provides a "granular select all" approach, so to speak, by identifying all Access Levels for actions under a Resource ARN.

However, there are sometimes cases where you don't want to select all of those actions - you just want some of them.

The exclude-actions section allows you to do this.

You can specify actions that you don't want to include in the resulting policy, no matter what. See the example below.


    mode: crud
    write:
    - arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc
    exclude-actions:
    - "kms:Delete*"
    - "kms:Disable*"
    - "kms:Schedule*"

As you can see in the exclude-actions section above, we are telling Policy Sentry to not include kms:Delete*, kms:Disable*, and kms:Schedule*. Notice that each line includes a wildcard (*) so you can tell Policy Sentry to exclude actions matching that pattern. The resulting policy should not include any of these actions that would normally be generated if the exclude-actions section were not used:

  • kms:DeleteAlias
  • kms:DeleteImportedKeyMaterial
  • kms:DisableKey
  • kms:DisableKeyRotation
  • kms:ScheduleKeyDeletion

Notice how none of those actions are included in the resulting JSON policy output below:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KmsWriteKey",
                "Effect": "Allow",
                "Action": [
                    "<remaining kms write-level actions; the list did not survive extraction>"
                ],
                "Resource": [
                    "arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"
                ]
            }
        ]
    }
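The filtering behaviour described above, as an added illustration that is not Policy Sentry's own code: candidate actions for a resource are matched against the exclude-actions patterns with a `*` wildcard, case-insensitively as IAM itself treats action names, and the survivors go into the statement. The list of KMS write-level actions is a constructed subset for the example, and the function and variable names are assumptions. It also reports patterns that matched nothing, which is the check a reviewer wants: a misspelled pattern excludes nothing and fails silently.

```python
import fnmatch
import json

# Constructed sample: a subset of kms:* write-level actions that would normally
# be generated for the key ARN. Not the full list Policy Sentry produces.
KMS_WRITE_ACTIONS = [
    "kms:CancelKeyDeletion",
    "kms:CreateAlias",
    "kms:DeleteAlias",
    "kms:DeleteImportedKeyMaterial",
    "kms:DisableKey",
    "kms:DisableKeyRotation",
    "kms:EnableKey",
    "kms:ScheduleKeyDeletion",
    "kms:UpdateAlias",
]

# The exclude-actions entries from the template on this page.
EXCLUDE_PATTERNS = ["kms:Delete*", "kms:Disable*", "kms:Schedule*"]

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"


def _matches(action, pattern):
    # IAM action names are case-insensitive; compare lower-cased so that
    # "KMS:delete*" and "kms:Delete*" behave the same way.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def exclude_actions(actions, exclude_patterns):
    """Return the actions that match none of the exclude patterns, order preserved."""
    return [
        action
        for action in actions
        if not any(_matches(action, pattern) for pattern in exclude_patterns)
    ]


def unused_patterns(actions, exclude_patterns):
    """Patterns that removed nothing: usually a typo, so worth surfacing."""
    return [
        pattern
        for pattern in exclude_patterns
        if not any(_matches(action, pattern) for action in actions)
    ]


def build_policy(sid, actions, resources):
    """Assemble a minimal IAM policy document with one Allow statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Action": list(actions),
                "Resource": list(resources),
            }
        ],
    }


if __name__ == "__main__":
    kept = exclude_actions(KMS_WRITE_ACTIONS, EXCLUDE_PATTERNS)
    for pattern in unused_patterns(KMS_WRITE_ACTIONS, EXCLUDE_PATTERNS):
        print(f"warning: exclude pattern {pattern!r} matched no actions")
    print(json.dumps(build_policy("KmsWriteKey", kept, [KEY_ARN]), indent=4))
```

Running it prints a statement whose Action list contains only the four actions left after the three patterns are applied; none of the Delete*, Disable* or Schedule* actions appear, which is the property the page's output illustrates.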