tyates author setup & IAM policy simulator blog #308
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
||
| The AWS IAM policy simulator allows theoretical evaluation of policies to determine if an action will be allowed or denied. It can be useful for ad-hoc testing of a user or role's access to resources such as S3 buckets and objects, but the console UI is clunky (if not downright infuriating) and the API imposes limitations when testing more complex, real-world situations involving both principal and resource policies. With only a small amount of shenanigans, it's possible to leverage the simulator API for more useful testing. | ||
|
|
||
| ### Why |
There was a problem hiding this comment.
Fine to leave these as h3 headers if you prefer it stylistically, though we would normally start with h2.
|
|
||
| ### Why | ||
|
|
||
| In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. |
There was a problem hiding this comment.
Suggested change
| In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. | |
| In the majority of cases where I've used the policy simulator console UI, I've been troubleshooting a role's access (or denial of access) to S3 objects at specific paths, which requires evaluating the result using both the role's policies and the S3 bucket policy. Adding a set of context values, test actions and S3 object ARNs (Amazon Resource Names, which specify a resource unambiguously across all of AWS) is fine for a one off, but it's not something you want to repeat often and isn't feasible for ongoing verification. |
|
|
||
| The other API simulation method is `simulate custom policy`, where we provide both principal and resource policies in the request. This, too, won't work with resource policies if using a role entity, but as it doesn't cause the simulator to go off and find the policies attached to a role, we can trick it by simply providing any old user ARN as the `CallerArn` in the request. | ||
|
|
||
| As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. checking the role matches the `aws:PrincipalArn` context key) rather than declaring explicit roles in the `Principals` block itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: <your-account-id>` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. |
There was a problem hiding this comment.
Suggested change
| As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. checking the role matches the `aws:PrincipalArn` context key) rather than declaring explicit roles in the `Principals` block itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: <your-account-id>` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. | |
| As a little up-front disclaimer: this solution requires resource policies to identify applicable principals using conditions in statements (e.g. checking the role matches the `aws:PrincipalArn` context key), rather than declaring explicit roles in the `Principals` block itself. The reason for this is that our dummy user ARN needs to match the principal(s) that the permissions apply to, so if you're using something like `AWS: *` or `AWS: <your-account-id>` then that will match the dummy user, and the nitty-gritty bits in conditions will evaluate against our test role specified in `aws:PrincipalArn`. It might well be possible to adapt policies to specify the dummy user as a principal before including in the API request, but I haven't tried. |
|
|
||
| To that end, we need to: | ||
|
|
||
| - pull all inline (a policy directly tied to this role only) and managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies |
There was a problem hiding this comment.
Suggested change
| - pull all inline (a policy directly tied to this role only) and managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies | |
| - Pull all Inline (a policy directly tied to this role only) and Managed (a policy entity that can be attached to multiple users or roles) policies for the role - these are the principal policies. |
I think these should be capitalised to make it clear these are used as descriptions. I would also capitalise the first word of each bullet point and use full stops at the end.
added 2 commits
April 15, 2025 08:55
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please add a direct link to your post here:
https://timkins666.github.io/blog/2025/04/03/automated-iam-policy-simulator-testing.html
Have you (please tick each box to show completion):
npm installfollowed bynpx mdspell "**/{FILE_NAME}.md" --en-gb -a -n -x -tif that's your thing)Posts are reviewed / approved by your Regional Tech Lead.