Amazon Web Services announced two new APIs for AWS Identity and Access Management (IAM) that let you automate the validation and auditing of permissions for IAM users, groups, and roles. They let you call the IAM policy simulator from the AWS CLI or any AWS SDK.
The new iam:SimulatePrincipalPolicy API lets you programmatically test existing IAM policies to verify that policies work properly and identify specific statements in a policy that grant or deny access to specific resources or actions.
Amazon explains:
Simulate the set of IAM policies attached to an IAM entity against a list of API actions and AWS resources to determine the policies’ effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies attached to groups that the user is a member of.
You can optionally include a list of one or more additional policies specified as strings to include in the simulation. If you want to simulate only policies specified as strings, use SimulateCustomPolicy instead.
The simulation does not perform the API actions; it only checks the authorization to determine if the simulated policies allow or deny the actions.
The iam:SimulateCustomPolicy API will let you test the effects of new and/or updated policies that aren’t attached to users, groups, or roles.
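As an added example (not from Amazon's post or its documentation), the following Python shows how both APIs would be driven from an SDK and how the EvaluationResults they return can be turned into an audit finding per action/resource pair: the decision, which policy statement produced it, and whether that matches what the policy author intended. The candidate policy, the expected-decisions table and the sample response are constructed; the boto3 call is isolated so everything else runs offline.

```python
import json
# Constructed draft policy to check with SimulateCustomPolicy before attaching it.
CANDIDATE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
LOGS = "arn:aws:s3:::example-logs/*"
# What the reviewer believes the draft grants; anything unlisted must come back denied.
EXPECTED = {("s3:GetObject", LOGS): "allow", ("s3:PutObject", LOGS): "allow"}

def build_custom_request(policy, actions, resources):
    """kwargs for iam.simulate_custom_policy: policies are passed as JSON strings."""
    return {"PolicyInputList": [json.dumps(policy)],
            "ActionNames": list(actions), "ResourceArns": list(resources)}

def build_principal_request(principal_arn, actions, resources):
    """kwargs for iam.simulate_principal_policy: tests what is already attached."""
    return {"PolicySourceArn": principal_arn,
            "ActionNames": list(actions), "ResourceArns": list(resources)}

def summarize(response, expected):
    """One 5-tuple per (action, resource): decision, matched statements (policy id:line), ok?"""
    findings = []
    for r in response["EvaluationResults"]:
        key = (r["EvalActionName"], r["EvalResourceName"])
        decision = r["EvalDecision"]  # allowed | explicitDeny | implicitDeny
        ok = (decision == "allowed") == (expected.get(key, "deny") == "allow")
        where = [f'{m["SourcePolicyId"]}:{m["StartPosition"]["Line"]}'
                 for m in r.get("MatchedStatements", [])]
        findings.append((key[0], key[1], decision, where, ok))
    return findings

def run_live(request):
    import boto3  # lazy: the real call needs boto3 and credentials; summarize() does not
    return boto3.client("iam").simulate_custom_policy(**request)

# Constructed response in the shape the API returns, so summarize() runs offline.
SAMPLE_RESPONSE = {"IsTruncated": False, "EvaluationResults": [
    {"EvalActionName": "s3:GetObject", "EvalResourceName": LOGS, "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "PolicyInputList.1", "StartPosition": {"Line": 3}}]},
    {"EvalActionName": "s3:DeleteObject", "EvalResourceName": LOGS, "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "PolicyInputList.1", "StartPosition": {"Line": 6}}]},
    # PutObject was never granted: implicit deny with no matching statement; the audit flags it.
    {"EvalActionName": "s3:PutObject", "EvalResourceName": LOGS, "EvalDecision": "implicitDeny",
     "MatchedStatements": []}]}

if __name__ == "__main__":
    for f in summarize(SAMPLE_RESPONSE, EXPECTED):
        print(("OK    " if f[4] else "DRIFT ") + f"{f[0]} on {f[1]}: {f[2]} via {f[3] or 'no statement'}")
```

A real run would replace SAMPLE_RESPONSE with run_live(build_custom_request(CANDIDATE_POLICY, actions, resources)), and should loop on IsTruncated/Marker for large action lists.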
Brigid Johnson from Amazon Web Services walks you through using the APIs in a blog post here. You can find documentation here and further discussion in a forum here.