Skip to content

Instantly share code, notes, and snippets.

@jpbarto
Created August 20, 2020 09:40
Show Gist options
  • Save jpbarto/14a681f835ab226a17831168a49e9ce6 to your computer and use it in GitHub Desktop.
Save jpbarto/14a681f835ab226a17831168a49e9ce6 to your computer and use it in GitHub Desktop.
Example of how to use IAM Policy Simulator to test IAM policy effects on permissions (also works for SCPs)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*"
}
]
}
#!/bin/bash
# https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
CUSTOM_POLICY=$(cat stop_run_instance.json)
ROLE_ARN='arn:aws:iam::012345678901:role/SAML-readonly-role'
ADMIN_ROLE_ARN='arn:aws:iam::012345678901:role/SAML-admin-role'
echo Determine if ec2:RunInstance is possible with a custom policy
aws iam simulate-custom-policy --polity-input-list "$CUSTOM_POLICY" --action-names 'ec2:RunInstances'
echo Determine if ec2:CreateVpc is possible with a custom policy
aws iam simulate-custom-policy --polity-input-list "$CUSTOM_POLICY" --action-names 'ec2:CreateVpc'
echo Check if a role can perform ec2:CreateVpc
aws iam simulate-principal-policy --policy-source-arn $ROLE_ARN --action-names 'ec2:CreateVpc'
echo Check if an admin role can perform ec2:CreateVpc
aws iam simulate-principal-policy --policy-source-arn $ADMIN_ROLE_ARN --action-names 'ec2:CreateVpc'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment