Free IAM Trust Policy Explainer

A role's trust policy decides who is allowed to assume it. Paste one below to get a plain-English list of who can assume the role, plus flags for the risks that cause real incidents: wildcard principals, whole-account trust without an ExternalId, and service principals missing a SourceArn / SourceAccount condition. It runs entirely in your browser — nothing is uploaded or logged.

Static checks only. For AI-Powered reasoning and a corrected policy, use the full analyzer below.

Why trust policies are easy to get wrong

Trust policies are evaluated independently of the role's permissions, so an over-broad principal quietly widens who can step into the role's access. The most common mistakes are a Principal: "*" with no condition, trusting an entire account for third-party access without an sts:ExternalId (the confused deputy problem), and service roles with no aws:SourceArn guard.
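The three checks described above, sketched as an added example (not Shieldly's own code). The function name, finding ids and sample policy are assumptions made for illustration; the check cannot tell a third-party account from one you own, so it flags any whole-account trust that lacks sts:ExternalId.

```javascript
// Added example: static checks for the three trust-policy mistakes named above.
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Collect condition key names, lower-cased (IAM condition keys are case-insensitive).
function conditionKeys(stmt) {
  const keys = new Set();
  for (const block of Object.values(stmt.Condition || {})) {
    for (const k of Object.keys(block)) keys.add(k.toLowerCase());
  }
  return keys;
}

// Hypothetical helper: returns one finding per risky Allow statement.
function checkTrustPolicy(policy) {
  const findings = [];
  asList(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const keys = conditionKeys(stmt);
    const p = stmt.Principal;
    const aws = p === "*" ? ["*"] : asList(p && p.AWS);
    const services = p === "*" ? [] : asList(p && p.Service);

    // Anyone, in any account, with no condition narrowing the trust.
    if (aws.includes("*") && keys.size === 0) {
      findings.push({ statement: i, id: "wildcard-principal" });
    }
    // Whole-account trust: a bare 12-digit ID or the account's :root ARN.
    const accounts = aws.filter((a) => /^(\d{12}|arn:aws[\w-]*:iam::\d{12}:root)$/.test(a));
    if (accounts.length && !keys.has("sts:externalid")) {
      findings.push({ statement: i, id: "account-without-externalid", principals: accounts });
    }
    // Service principal with neither confused-deputy guard present.
    if (services.length && !keys.has("aws:sourcearn") && !keys.has("aws:sourceaccount")) {
      findings.push({ statement: i, id: "service-without-source-guard", principals: services });
    }
  });
  return findings;
}

// Constructed sample policy; the account ID, ExternalId and service are illustrative.
const samplePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Principal: "*", Action: "sts:AssumeRole" },
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "sts:AssumeRole" },
    { Effect: "Allow", Principal: { AWS: "arn:aws:iam::111122223333:root" }, Action: "sts:AssumeRole",
      Condition: { StringEquals: { "sts:ExternalId": "constructed-example-id" } } },
    { Effect: "Allow", Principal: { Service: "sns.amazonaws.com" }, Action: "sts:AssumeRole" },
  ],
};
```

Run against the sample, statements 0, 1 and 3 are flagged; statement 2 passes because its sts:ExternalId condition is present.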

For the full picture — and a corrected policy — paste the role into Shieldly's AI-Powered analyzer. See also the IAM policy linter for permission policies, and the trust policy glossary entry.

Get AI-Powered analysis + the fix

The full analyzer explains every finding and returns a tightened policy in seconds. Free, no signup. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.