How do I use the IAM policy simulator to test IAM policies and permissions?


I want to test AWS Identity and Access Management (IAM) policies and permissions outside of my live AWS production environment.

Resolution

You can use the IAM policy simulator console or the AWS Command Line Interface (AWS CLI) to test identity-based policies, resource-based policies, and permissions boundaries without making any change to the live permissions of the entity that you simulate.

Note: For more information, see How the IAM policy simulator works.

IAM policy simulator permissions

You must have permission to test policies that are attached to IAM identities (users, groups, roles) in your AWS account. To grant it, attach a policy similar to the following to the IAM user or role that runs the simulation:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}

For more example policies to allow access to use the IAM policy simulator, see Example policies: IAM.

For more information on IAM policy simulator permissions, see Permissions required for using the IAM policy simulator.

Use the IAM policy simulator with the console

By default, you can test policies that aren't yet attached to IAM users, groups, or roles without additional permissions. To test policies that are already attached to an IAM user, group, or role, you must have the iam:GetContextKeysForPrincipalPolicy and iam:SimulatePrincipalPolicy permissions described above.

For instructions to use the IAM policy simulator with the console, see Using the IAM policy simulator (console).

Use the IAM policy simulator with the AWS CLI

Follow these steps to simulate existing IAM policies, resource-based policies, and permissions boundaries, and to get a list of policy documents.

In the following AWS CLI commands, replace these values with your own:

  • 123456789012 with your AWS account ID
  • example-policy.json with your JSON file
  • example-bucket with your Amazon Simple Storage Service (Amazon S3) bucket
  • example-user with your IAM user

Simulate existing IAM policy entities

To simulate the policies that are currently in effect for an existing IAM entity, run the AWS CLI command simulate-principal-policy similar to the following. When the entity is a user, the simulation also includes the policies of the groups that the user belongs to. Every action that you list comes back in EvaluationResults with an EvalDecision of allowed, explicitDeny, or implicitDeny; when you omit --resource-arns, the actions are evaluated against the wildcard resource *.

aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" "ec2:DescribeInstances"

Simulate resource-based policies

IAM policy simulator supports resource-based policies for the following AWS services:

  • Amazon Simple Storage Service (Amazon S3)
  • Amazon Simple Queue Service (Amazon SQS)
  • Amazon Simple Notification Service (Amazon SNS)
  • Unlocked Amazon S3 Glacier vaults

  1. To define the contents of the resource-based policy, copy and paste the following statement into a text editor and save it as resource-policy.json. In a resource-based policy the Principal element is a map, so the user ARN goes under an "AWS" key:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/example-user"
          },
          "Action": "s3:PutObject",
          "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*"
          ]
        }
      ]
    }
  2. Run the AWS CLI command simulate-principal-policy with the JSON file that you created in the previous step. The --resource-policy parameter takes the policy document as a string, so file:// supplies the file contents:

    aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" --resource-policy file://resource-policy.json --resource-arns arn:aws:s3:::example-bucket

If the bucket is owned by a different account than example-user, also pass --resource-owner with the bucket owner's account ARN (arn:aws:iam::account-id:root) so that the simulator applies cross-account evaluation rules.

Get a list of additional policy documents to simulate

In addition to the policy documents that are already attached to your IAM entity, you can include additional policy documents in the simulation, for example a policy that you intend to attach but have not yet attached.

  1. To define the contents of the additional policy, copy and paste the following statement into a text editor and save it as example-policy.json. This is an identity-based policy document, so it has no Principal element:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::example-bucket",
            "arn:aws:s3:::example-bucket/*"
          ],
          "Condition": {
            "Bool": {
              "aws:SecureTransport": "false"
            }
          }
        }
      ]
    }
  2. Run the AWS CLI command simulate-principal-policy with --policy-input-list. The parameter takes each policy document as a string, so pass the file contents rather than a file:// reference:

    aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" --policy-input-list "$(cat example-policy.json)" --resource-arns arn:aws:s3:::example-bucket

The policy's condition references the aws:SecureTransport context key. If you don't supply a value for it, the result lists the key under MissingContextValues (under ResourceSpecificResults when you pass --resource-arns), and the decision for that action isn't reliable until you rerun with a value. To supply one, add --context-entries ContextKeyName=aws:SecureTransport,ContextKeyValues=false,ContextKeyType=boolean.

Get a list of permissions boundaries to simulate

You can include a list of permissions boundaries to simulate for your IAM entities.

  1. To define the permissions boundary, copy and paste the following statement into a text editor and save it as example-policy.json. The --permissions-boundary-policy-input-list parameter takes a list of policy documents, so the file is a JSON array whose element is a complete policy document as an escaped string. Only one permissions boundary can be in effect at a time, so the array holds one document:

    ["{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"ec2:*\", \"iam:*\", \"s3:*\"], \"Resource\": \"*\"}]}"]
  2. Run the AWS CLI command simulate-principal-policy with the JSON file that you created in the previous step:

    aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" "ec2:DescribeInstances" --permissions-boundary-policy-input-list file://example-policy.json

The boundary that you pass replaces any boundary attached to example-user for the duration of the simulation. An action is allowed only if both the identity-based policies and the boundary allow it, so simulating a boundary that omits a service is a quick way to confirm that the entity loses access to that service.
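As an added example that is not part of the AWS article, the following Python turns any of the simulate-principal-policy calls above into a pass/fail gate that you can run in a pipeline before a policy change reaches a live account. The sample response and the expected-decision table are constructed for illustration, and the function names (check_results, to_policy_input_list_file, run_simulation) are this example's own, not an AWS API.

```python
import json

# Constructed sample response (not captured from AWS): the shape that
# simulate-principal-policy returns, trimmed to the fields this check reads.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {
            "EvalActionName": "s3:PutObject",
            "EvalResourceName": "arn:aws:s3:::example-bucket",
            "EvalDecision": "allowed",
            "MatchedStatements": [
                {"SourcePolicyId": "PolicyInputList.1", "SourcePolicyType": "IAM Policy"}
            ],
            "MissingContextValues": [],
            # With --resource-arns, per-resource detail (and missing keys) lands here.
            "ResourceSpecificResults": [
                {
                    "EvalResourceName": "arn:aws:s3:::example-bucket",
                    "EvalResourceDecision": "allowed",
                    "MissingContextValues": ["aws:SecureTransport"],
                }
            ],
        },
        {
            "EvalActionName": "ec2:DescribeInstances",
            "EvalResourceName": "*",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
        },
        {
            "EvalActionName": "iam:PassRole",
            "EvalResourceName": "*",
            "EvalDecision": "allowed",
            "MatchedStatements": [
                {"SourcePolicyId": "example-inline-policy", "SourcePolicyType": "IAM Policy"}
            ],
            "MissingContextValues": [],
        },
    ],
    "IsTruncated": False,
}

# Constructed expectation table for the change under test. List every action
# you simulate: an "allowed" result for an unlisted action is reported, which
# makes the run a negative test as well as a positive one.
EXPECTED = {
    "s3:PutObject": "allowed",
    "ec2:DescribeInstances": "implicitDeny",
    "iam:PassRole": "explicitDeny",
}


def check_results(response, expected):
    """Compare simulator output with an expected-decision table.

    Returns a list of findings; an empty list means the simulation matched.
    EvalDecision is one of allowed, explicitDeny, implicitDeny.
    """
    findings = []
    seen = set()
    for result in response["EvaluationResults"]:
        action = result["EvalActionName"]
        seen.add(action)
        decision = result["EvalDecision"]
        want = expected.get(action)
        if want is None:
            if decision == "allowed":
                findings.append(f"{action}: allowed but not in the expected table")
        elif decision != want:
            findings.append(
                f"{action}: expected {want}, got {decision} on {result['EvalResourceName']}"
            )
        # A decision reached without a value for a condition key is not
        # trustworthy: supply the key with --context-entries and rerun.
        missing = list(result.get("MissingContextValues", []))
        for per_resource in result.get("ResourceSpecificResults", []):
            missing.extend(per_resource.get("MissingContextValues", []))
        if missing:
            findings.append(f"{action}: missing context keys {sorted(set(missing))}")
    for action in sorted(set(expected) - seen):
        findings.append(f"{action}: not evaluated")
    if response.get("IsTruncated"):
        findings.append("response is truncated; fetch the remaining pages with --marker")
    return findings


def to_policy_input_list_file(policy):
    """Serialize a policy dict the way file:// for a *-policy-input-list
    parameter expects it: a JSON array of policy documents as strings."""
    return json.dumps([json.dumps(policy)])


def run_simulation(principal_arn, actions, **params):
    """Live call (needs boto3 and iam:SimulatePrincipalPolicy); follows Marker
    pagination so the check never runs against a truncated result set."""
    import boto3  # imported lazily so the offline check above needs no SDK

    iam = boto3.client("iam")
    results = []
    while True:
        page = iam.simulate_principal_policy(
            PolicySourceArn=principal_arn, ActionNames=actions, **params
        )
        results.extend(page["EvaluationResults"])
        if not page.get("IsTruncated"):
            return {"EvaluationResults": results, "IsTruncated": False}
        params["Marker"] = page["Marker"]


if __name__ == "__main__":
    for finding in check_results(SAMPLE_RESPONSE, EXPECTED):
        print(finding)
```

Run it as-is to see the two findings from the constructed sample (the unplanned iam:PassRole allow and the missing aws:SecureTransport value). To check a real principal, replace SAMPLE_RESPONSE with the result of run_simulation, passing the keyword arguments that correspond to the CLI flags above (ResourcePolicy, ResourceArns, PolicyInputList, PermissionsBoundaryPolicyInputList, ContextEntries, ResourceOwner). Listing every simulated action in the expected table is what makes the run a negative test: an allow that you did not plan for is reported rather than silently passing.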

Related information

Policy evaluation logic

IAM: Access the policy simulator API

Troubleshooting IAM policies

AWS OFFICIAL
Updated 2 months ago