AWS Security Blog

Test Your Roles’ Access Policies Using the AWS Identity and Access Management Policy Simulator

You can now use the AWS Identity and Access Management (IAM) policy simulator to test and validate your roles’ access control policies. The policy simulator is a tool to help you author and validate the policies that set permissions on your AWS resources. This tool provides a “playground” where you can iteratively author least privilege policies on your AWS resources and test the effects of your policy updates before actually applying the changes to your users, groups, and roles. Also, you may have attached multiple policies to a role and want to know which final permissions are granted across all these policies—the simulator is a great tool for this! To help you get started using the policy simulator for roles, this blog post will walk through an example.

For the example in this blog post I will use an EC2 instance role named EC2_DB_Role that has read access from Amazon DynamoDB and write access to an Amazon Relational Database Service (RDS) instance. To walk through the example in this blog post, first create an IAM role for EC2 named EC2_DB_Role, and then attach the AmazonDynamoDBReadOnlyAccess and AmazonRDSFullAccess AWS managed policies to that role. After you have created the role and attached the policies, you can simulate the policies that are attached to this role in order to see the permissions granted. 

To simulate the access policies for this role, after signing in to the IAM console, navigate to the policy simulator, which is shown in the following image.

Image of the policy simulator

Next select Roles from the dropdown list in the left pane, as shown in the following image.

Image of selecting Roles from the dropdown list

From the list of roles, select EC2_DB_Role.

Image of selecting EC2_DB_Role

You next need to select the actions you are interested in simulating. For this example, I am interested in simulating access to DynamoDB and RDS. Follow these steps to select the actions you want to simulate:

  1. Click Amazon DynamoDB in the Select service dropdown list.
  2. Click Select All to simulate all DynamoDB actions for your role.
    Image of simulating all DynamoDB actions for your role
  3. Click RDS in the Select service dropdown list.
  4. Click Select All to test all RDS actions for your role.
    Image of testing all RDS actions for your role
  5. Click Run Simulation.
    Image of running the simulation

In the Results table (see previous image), you can see that the read-only actions such as BatchGetItem, DescribeTable, and GetItem are allowed by the role for Amazon DynamoDB; however, CreateTable, DeleteItem, and DeleteTable are not allowed. We can also see that all actions are allowed for Amazon RDS. If you want to dig deeper into the statement that is either allowing or denying access to an action, click List in the Description column for an action. This will show you the policy with the contributing statements that is setting the permission.

To get started, sign in to the IAM console, or go directly to the IAM policy simulator. You can learn more about the policy simulator by visiting Working with the IAM Policy Simulator. If you have any questions or suggestions, you can submit them on the IAM forum.

–Brigid