AWS Security Blog

Verify Resource-Based Permissions Using the IAM Policy Simulator

Today, AWS Identity and Access Management (IAM) made it easier to help you verify your permissions by adding support for resource-based policies in the IAM policy simulator. This extends the capabilities of the IAM policy simulator console and APIs to help you understand, test, and validate how your resource-based policies and IAM policies work together to grant or deny access to AWS resources.

In this blog post, I will walk through an example that uses an Amazon S3 bucket policy and an IAM managed policy. In this example, IAM users Jesse and Casey need read access to all S3 buckets, but only Casey should be able to access the production-data-iam bucket because it contains sensitive data. To grant read access to all S3 buckets in the account, you can attach the AWS managed policy AmazonS3ReadOnlyAccess to both Jesse and Casey. To restrict access to production-data-iam to only Casey, attach the following policy directly to the production-data-iam bucket. To learn more about the following policy, go to How to Create a Policy That Whitelists Access to Sensitive Amazon S3 Buckets. (Replace the placeholder account information with your account information.)

{
      "Version": "2012-10-17",
      "Statement": [
            {
                  "Sid": "DenyAllExceptCaseyListBucket",
                  "Effect": "Deny",
                  "NotPrincipal": {
                        "AWS": "arn:aws:iam::ACCOUNTID:user/Casey"
                  },
                  "Action": "s3:ListBucket",
                  "Resource": "arn:aws:s3:::production-data-iam"
            },
            {
                  "Sid": "DenyAllExceptCaseyReadAccess",
                  "Effect": "Deny",
                  "NotPrincipal": {
                        "AWS": "arn:aws:iam::ACCOUNTID:user/Casey"
                  },
                  "Action": [
                        "s3:get*",
                        "s3:list*"
                  ],
                  "Resource": "arn:aws:s3:::production-data-iam/*"
            }
      ]
}

Now that you have attached the policies, you will validate that Jesse is denied access to the production-data-iam bucket and Casey is allowed to read objects in the bucket by simulating access for the following actions:

  • ListBucket 
  • GetBucketLocation
  • GetObject

To do this, you will need to run two simulations, one for Jesse and one for Casey. In these simulations, you will see both the IAM policies and resource policies for the specified bucket in the IAM policy simulator console. To simulate the access policies for Jesse, follow these steps.

1. After signing in to the IAM console, navigate to the policy simulator, which is shown in the following image.

Image of the IAM policy simulator

2. From the list of users, select Jesse.

Image of selecting Jesse from the list of users

3. Then, select the actions you want to simulate. Select S3 as the service and the following actions:

  • ListBucket
  • GetBucketLocation
  • GetObject

4. To include resource policies in your simulation, specify the S3 bucket’s Amazon Resource Name (ARN) in Simulation Settings. In this case, the ARN value is arn:aws:s3:::production-data-iam/*. After you specify an ARN and select the Include Resource Policy check box, the policy simulator retrieves any resource-based policies attached to that resource. Any resource-based policies it finds appear in the Policies pane, as shown in the following image.

Image of S3 bucket ARN and resource-based policy

5. Click Run Simulation to see the results.

Image of Results table

The Results table (see previous image) shows that Jesse is denied access to the read-only actions ListBucket, GetBucketLocation, and GetObject. In addition, by clicking List in the Description column for GetObject and then clicking the Show statement link, we can see that the resource policy is denying access to the production-data-iam bucket.

Now, let’s see what happens when we simulate the access policies for Casey. You can do this by keeping the same Simulation Settings and actions mentioned previously and changing only the user: click Back in the left pane and then select Casey.

Image of selecting Casey for policy simulation

Looking at Casey’s simulation results, you can see that the read-only actions are allowed for Casey. Digging deeper into the results by clicking List in the Description column, we can see that AmazonS3ReadOnlyAccess is allowing that access and no other policy is denying it.
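To show why the two simulations come out the way they do, here is an added example (not code from the post or from AWS): a small local model of the evaluation logic the simulator applies to this scenario, using the bucket policy above and a constructed stand-in for AmazonS3ReadOnlyAccess reduced to its s3:Get*/s3:List* grant. It ignores Condition keys, permission boundaries and cross-account rules, and reports decisions with the same names the simulator APIs use (allowed, explicitDeny, implicitDeny).

```python
import fnmatch

# Constructed stand-in for AmazonS3ReadOnlyAccess, reduced to its s3:Get*/s3:List* grant
# (not the managed policy's full text). Simplified model: same account, no Condition keys.
READ_ONLY_ACCESS = {"Statement": [
    {"Sid": "AmazonS3ReadOnlyAccess", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# The bucket policy from the post; ACCOUNTID stays a placeholder.
BUCKET_POLICY = {"Statement": [
    {"Sid": "DenyAllExceptCaseyListBucket", "Effect": "Deny",
     "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNTID:user/Casey"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::production-data-iam"},
    {"Sid": "DenyAllExceptCaseyReadAccess", "Effect": "Deny",
     "NotPrincipal": {"AWS": "arn:aws:iam::ACCOUNTID:user/Casey"},
     "Action": ["s3:get*", "s3:list*"], "Resource": "arn:aws:s3:::production-data-iam/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_applies(stmt, principal, action, resource):
    """True if the statement matches the request's principal, action and resource."""
    if "NotPrincipal" in stmt:                     # applies to everyone except the listed principals
        if principal in _as_list(stmt["NotPrincipal"]["AWS"]):
            return False
    elif "Principal" in stmt and stmt["Principal"] != "*":
        if principal not in _as_list(stmt["Principal"]["AWS"]):
            return False
    # Action names are case-insensitive and may use wildcards; resource ARNs are case-sensitive.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return False
    return any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))

def evaluate(principal, action, resource, identity_policies, resource_policy):
    """(decision, Sid): an explicit Deny in any policy wins, then any Allow, else implicit deny."""
    matched = [(s["Effect"], s.get("Sid", "")) for p in identity_policies + [resource_policy]
               for s in p["Statement"] if statement_applies(s, principal, action, resource)]
    for effect, decision in (("Deny", "explicitDeny"), ("Allow", "allowed")):
        for eff, sid in matched:
            if eff == effect:
                return decision, sid
    return "implicitDeny", None

ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"]
RESOURCE_ARN = "arn:aws:s3:::production-data-iam/*"   # the ARN entered in Simulation Settings

def simulate(user):
    """One simulator run for a user: action -> (decision, Sid of the deciding statement)."""
    principal = f"arn:aws:iam::ACCOUNTID:user/{user}"
    return {a: evaluate(principal, a, RESOURCE_ARN, [READ_ONLY_ACCESS], BUCKET_POLICY) for a in ACTIONS}
```

simulate("Jesse") returns explicitDeny for all three actions, each traced to DenyAllExceptCaseyReadAccess, while simulate("Casey") returns allowed via the read-only grant; note that the ListBucket-specific statement only matches when the request resource is the bucket ARN itself rather than production-data-iam/*.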

To get started, sign in to the IAM console and click Policy Simulator in the right pane, or go directly to the IAM policy simulator. You can learn more about the IAM policy simulator by visiting Testing IAM Policies with the IAM Policy Simulator. If you wish to use either of the policy simulator APIs with resource-based policies, you first need to retrieve the resource-based policies and then pass them in as inputs to the API. You can find more information by referencing the API documentation for SimulatePrincipalPolicy and SimulateCustomPolicy.

If you have any questions or suggestions, you can submit them below or on the IAM forum.

– Brigid