AWS Security Blog

Test Your Managed Policies by Using the Identity and Access Management Policy Simulator

Recently, AWS launched managed policies, which simplify policy management by enabling you to attach a single policy to multiple AWS Identity and Access Management (IAM) entities such as users, groups, and roles. When you update a managed policy, the permissions in that policy apply to every entity to which the managed policy is attached.

We also have added the ability to test managed policies by using the IAM policy simulator. This blog post will show you how to use the policy simulator to test a managed policy. 

Note: If you have not already created a managed policy, make sure to follow the tutorial in the IAM documentation to create a managed policy before you read further. This post uses the UsersManageOwnCredentials managed policy example from that tutorial.

First, navigate to the IAM console, and then click Policy Simulator on the right side of the page under Additional Information (highlighted in the following image). Alternatively, you can also go directly to the policy simulator. If you have not already signed in to your AWS account, you will be prompted to do so.

Image of the Policy Simulator link in the IAM console

Next, select the IAM user to which you attached the UsersManageOwnCredentials managed policy in step 5 of part 2 of the Create and Attach Your First Customer Managed Policy tutorial. In this example, I will refer to a user named Jeff.

Image of user Jeff in the IAM policy simulator

The policy simulator shows you a list of policies attached to Jeff. In this list, click UsersManageOwnCredentials.

Image of the UsersManageOwnCredentials policy in the policy simulator

To simulate the policy, you need to do the following:

  1. Click Identity and Access Management in the Select service dropdown list.
  2. Click Select All to test all IAM actions for your user.
  3. Under Simulation Settings for the Resource: field, type the Amazon Resource Name (ARN) specified in the Resource element of the UsersManageOwnCredentials policy. Make sure to update the account number and user name. For this example, I will type: arn:aws:iam::123456789123:user/Jeff.
  4. Type the name of the user you are testing (Jeff) in the aws:username box.

After you have typed the specified information, your policy simulator screen should look like the following image (but the account number shown should be yours).

Image of how your policy simulator should look if you have followed this walkthrough

  1. Click Run Simulation.

Image of the Results table that shows allowed and denied permissions

If you sort by Permission in the Results table, you will see the results shown in the previous image. These results assume you do not have any other policies attached to your user that allow or deny access to IAM actions. By scrolling through the table, you can see that Jeff has been allowed access to the following actions:

  • iam:ChangePassword
  • iam:CreateAccessKey
  • iam:DeleteAccessKey
  • iam:GetLoginProfile
  • iam:ListAccessKeys
  • iam:ListUsers
  • iam:UpdateAccessKey
  • iam:UpdateLoginProfile

You can also see that Jeff has been denied access to other actions such as iam:CreatePolicy and iam:CreateUser. You can experiment by making modifications to this policy and running the simulation to test that your policy sets the desired permissions. After you have a policy that grants the desired permissions, return to the IAM console to update your managed policy.

To get started, sign in to the IAM console or go directly to the IAM policy simulator. You can learn more about the policy simulator by visiting Testing IAM Policies. If you have any questions or suggestions, submit them on the IAM forum.

– Brigid