I want to test AWS Identity and Access Management (IAM) policies and permissions outside of my live AWS production environment.
Resolution
You can use the IAM policy simulator console or the AWS Command Line Interface (AWS CLI) to test identity-based policies and permissions boundaries.
Note:
For more information, see How the IAM policy simulator works.
IAM policy simulator permissions
To test policies that are attached to IAM identities (users, groups, and roles) in your AWS account, the caller needs permission to use the simulator APIs. Attach a policy similar to the following to your IAM user or role. The Resource element can be narrowed from "*" to the ARNs of the identities that you want to simulate:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:SimulatePrincipalPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    }
  ]
}
For more example policies to allow access to use the IAM policy simulator, see Example policies: IAM.
For more information on IAM policy simulator permissions, see Permissions required for using the IAM policy simulator.
Use the IAM policy simulator with the console
By default, you can test policies that aren't attached yet to IAM users and groups without additional permissions. To test policies that are attached to IAM users or groups, you must have the permissions described in the preceding section.
For instructions to use the IAM policy simulator with the console, see Using the IAM policy simulator (console).
Use the IAM policy simulator with the AWS CLI
Follow these steps to simulate existing IAM policies, resource-based policies, and permissions boundaries, and to get a list of policy documents.
In the following AWS CLI commands, replace the following values:
- 123456789012 with your AWS account ID
- example-policy.json with your JSON file
- example-bucket with your Amazon Simple Storage Service (Amazon S3) bucket
- example-user with your IAM user
Simulate existing IAM policy entities
To simulate the policies already attached to an existing IAM entity, run the simulate-principal-policy AWS CLI command, similar to the following:
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" "ec2:DescribeInstances"
Simulate resource-based policies
IAM policy simulator supports resource-based policies for the following AWS services:
- Amazon Simple Storage Service (Amazon S3)
- Amazon Simple Queue Service (Amazon SQS)
- Amazon Simple Notification Service (Amazon SNS)
- Unlocked Amazon S3 Glacier vaults
- To define the contents of the resource-based policy, copy and paste the following statement into a text editor and save it as a JSON file:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": "arn:aws:iam::123456789012:user/example-user",
        "Action": "s3:PutObject",
        "Resource": [
          "arn:aws:s3:::example-bucket",
          "arn:aws:s3:::example-bucket/*"
        ]
      }
    ]
  }
- Run the AWS CLI command simulate-principal-policy with the JSON file that you created in the previous step:
  aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" --resource-policy file://resource-policy.json --resource-arns arn:aws:s3:::example-bucket
Get a list of additional policy documents to simulate
In addition to the policy documents already included for your IAM entities, you can get a list of additional policy documents to simulate.
- To define the contents of the additional identity-based policy, copy and paste the following statement into a text editor and save it as a JSON file. The file is a JSON array that holds each policy document as one escaped string, which is the format that the --policy-input-list parameter reads:
  ["{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": \"s3:*\", \"Resource\": [\"arn:aws:s3:::example-bucket\", \"arn:aws:s3:::example-bucket/*\"], \"Condition\": {\"Bool\": {\"aws:SecureTransport\": \"false\"}}}]}"]
- Run the AWS CLI command simulate-principal-policy with the JSON file that you created in the previous step:
  aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" --resource-arns arn:aws:s3:::example-bucket --policy-input-list file://example-policy.json
Get a list of permissions boundaries to simulate
You can include a list of permissions boundaries to simulate for your IAM entities.
- To define the contents of the permissions boundaries, copy and paste the following statement into a text editor and save it as a JSON file:
  ["{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": [\"ec2:*\", \"iam:*\", \"s3:*\"], \"Resource\": \"*\"}]}"]
- Run the AWS CLI command simulate-principal-policy with the JSON file that you created in the previous step:
  aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/example-user --action-names "s3:PutObject" "ec2:DescribeInstances" --permissions-boundary-policy-input-list file://example-policy.json
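The steps above hand the simulator three kinds of input (additional policy documents, permissions boundaries, and a resource policy) and return an EvaluationResults list that has to be read carefully, because a decision reached without a condition key is reported alongside MissingContextValues rather than as an error. The following Python is an added example, not AWS code: it builds the same request parameters in the shape boto3's simulate_principal_policy() takes (the escaped list-of-strings format for --policy-input-list and --permissions-boundary-policy-input-list, plus a context entry for aws:SecureTransport), and it checks a response against the decisions you expect, so the simulator can act as a regression gate before a policy change reaches production. The account ID, user, bucket and SAMPLE_RESPONSE are constructed placeholders; no API call is made when it runs.

```python
"""Offline helpers around the IAM policy simulator's request and response
shapes. Added example, not AWS code; all names and the sample response are
constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                       # placeholder account ID
PRINCIPAL_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/example-user"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Additional identity-based policy to simulate next to the user's attached
# policies. The Condition only matches when the request context says TLS is
# NOT in use, so a simulation that omits aws:SecureTransport cannot resolve it.
EXTRA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

# Permissions boundary: caps the effective permissions at these services.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "iam:*", "s3:*"],
                   "Resource": "*"}],
}


def policy_input_list(*documents):
    """Serialize policy dicts into the list-of-JSON-strings shape that
    PolicyInputList and PermissionsBoundaryPolicyInputList take."""
    return [json.dumps(doc) for doc in documents]


def render_input_list_file(*documents):
    """Text to save as the file for --policy-input-list file://... or
    --permissions-boundary-policy-input-list file://...: a JSON array whose
    elements are escaped policy documents."""
    return json.dumps(policy_input_list(*documents))


def context_entry(key, values, key_type):
    """One ContextEntries element; key_type is e.g. 'boolean', 'string', 'ip'."""
    return {"ContextKeyName": key, "ContextKeyValues": list(values),
            "ContextKeyType": key_type}


def build_request(actions, resource_arns, extra_policies=(), boundaries=(),
                  resource_policy=None, context=()):
    """Assemble keyword arguments for boto3's iam.simulate_principal_policy()."""
    params = {
        "PolicySourceArn": PRINCIPAL_ARN,
        "ActionNames": list(actions),
        "ResourceArns": list(resource_arns),
    }
    if extra_policies:
        params["PolicyInputList"] = policy_input_list(*extra_policies)
    if boundaries:
        params["PermissionsBoundaryPolicyInputList"] = policy_input_list(*boundaries)
    if resource_policy is not None:
        params["ResourcePolicy"] = json.dumps(resource_policy)
    if context:
        params["ContextEntries"] = list(context)
    return params


def check_expectations(response, expected):
    """Compare EvaluationResults against {action: decision}, where decision is
    'allowed', 'implicitDeny' or 'explicitDeny'. A result that reports
    MissingContextValues is flagged as well: its decision was reached without a
    condition key the policy depends on. Returns mismatches (empty == pass)."""
    problems = []
    decisions = {}
    for result in response.get("EvaluationResults", []):
        action = result["EvalActionName"]
        decisions[action] = result["EvalDecision"]
        missing = result.get("MissingContextValues") or []
        if missing:
            problems.append(f"{action}: missing context keys {missing}")
    for action, want in expected.items():
        got = decisions.get(action)
        if got != want:
            problems.append(f"{action}: expected {want}, got {got}")
    return problems


# Constructed response in the shape the API returns; no call is made here.
SAMPLE_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "s3:PutObject", "EvalResourceName": BUCKET_ARN + "/*",
         "EvalDecision": "implicitDeny", "MatchedStatements": [],
         "MissingContextValues": ["aws:SecureTransport"]},
        {"EvalActionName": "ec2:DescribeInstances", "EvalResourceName": "*",
         "EvalDecision": "allowed", "MissingContextValues": [],
         "MatchedStatements": [{"SourcePolicyId": "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"}]},
    ]
}


if __name__ == "__main__":
    request = build_request(
        ["s3:PutObject", "ec2:DescribeInstances"], [BUCKET_ARN + "/*"],
        extra_policies=[EXTRA_POLICY], boundaries=[BOUNDARY],
        context=[context_entry("aws:SecureTransport", ["true"], "boolean")],
    )
    print(json.dumps(request, indent=2))
    # With boto3 installed and credentials configured, the live call would be:
    #   boto3.client("iam").simulate_principal_policy(**request)
    for line in check_expectations(SAMPLE_RESPONSE, {"s3:PutObject": "allowed"}):
        print("FAIL", line)
```

Supplying the context entry is the point of the example: without it the s3:PutObject result carries MissingContextValues and check_expectations() refuses to treat the decision as meaningful, which is the behaviour you want from a gate that runs on every policy change.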
Related information
Policy evaluation logic
IAM: Access the policy simulator API
Troubleshooting IAM policies