
Is there a way by which I could check if an IAM user with some permissions satisfies a given policy set?

Example: I want to check if a user could trigger all the actions mentioned in the below policy, via some API calls or using the Amazon SDK (basically not manually). One way would be to try triggering some of the operations and do a check, but I was looking for some other method.

{
    "Version": Ignore,
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:image/*"
            ]
        } 
     ] 
}

1 Answer

There is simulate-custom-policy which:

The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations. You can simulate resources that don't exist in your account.

Marcin
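The simulator workflow described in the answer, as an added example that is not part of the original question or answer. It uses boto3's `simulate_custom_policy` (for the policy document itself) and `simulate_principal_policy` (for what an existing user's attached policies actually grant), and assumes boto3 is installed and AWS credentials are configured only when the two live functions are called; the request-building and result-checking helpers are pure and run offline. The action names, the sample response and the `"Version"` value filled into the question's policy are constructed for the example. One thing to watch: `ActionNames` must be concrete API operation names, so a statement like `ec2:Describe*` is checked through representative actions rather than the wildcard.

```python
"""Check whether a policy document, or an existing IAM user, is allowed to
perform a set of actions using the IAM policy simulator (no real calls to
EC2 are made; only authorization is evaluated)."""
import json

# Policy from the question, with a concrete Version so it is valid JSON.
POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:image/*",
            ],
        },
    ],
}

# Concrete operations to evaluate (constructed list). The simulator does not
# expand wildcards in ActionNames, so ec2:Describe* is represented by
# specific Describe calls; TerminateInstances is included as a negative case.
ACTIONS = [
    "ec2:DescribeInstances",
    "ec2:DescribeSubnets",
    "ec2:RunInstances",
    "ec2:TerminateInstances",
]


def build_custom_simulation(policy_doc, actions, resources=("*",)):
    """Build the keyword arguments for iam.simulate_custom_policy."""
    return {
        "PolicyInputList": [json.dumps(policy_doc)],
        "ActionNames": list(actions),
        "ResourceArns": list(resources),
    }


def summarize(evaluation_results):
    """Map each (action, resource) pair to its EvalDecision and collect the
    pairs that were not 'allowed' (explicitDeny or implicitDeny)."""
    decisions, denied = {}, []
    for result in evaluation_results:
        key = (result["EvalActionName"], result.get("EvalResourceName", "*"))
        decisions[key] = result["EvalDecision"]
        if result["EvalDecision"] != "allowed":
            denied.append(key)
    return decisions, denied


def all_allowed(evaluation_results):
    """True only if every simulated (action, resource) pair was allowed."""
    return not summarize(evaluation_results)[1]


def _collect(call, **params):
    """Follow IsTruncated/Marker pagination and return all EvaluationResults."""
    results, marker = [], None
    while True:
        page = call(**params, **({"Marker": marker} if marker else {}))
        results.extend(page["EvaluationResults"])
        if not page.get("IsTruncated"):
            return results
        marker = page["Marker"]


def simulate_custom(policy_doc, actions, resources=("*",), client=None):
    """Evaluate a policy document that need not be attached to anything."""
    import boto3  # imported here so the offline helpers do not require it
    iam = client or boto3.client("iam")
    return _collect(iam.simulate_custom_policy,
                    **build_custom_simulation(policy_doc, actions, resources))


def simulate_user(user_arn, actions, resources=("*",), client=None):
    """Evaluate what an existing user's attached policies actually allow."""
    import boto3
    iam = client or boto3.client("iam")
    return _collect(iam.simulate_principal_policy, PolicySourceArn=user_arn,
                    ActionNames=list(actions), ResourceArns=list(resources))


# Constructed sample response in the shape the simulator returns, used to
# exercise the result checking offline.
SAMPLE_RESULTS = [
    {"EvalActionName": "ec2:DescribeInstances", "EvalResourceName": "*",
     "EvalDecision": "allowed"},
    {"EvalActionName": "ec2:TerminateInstances", "EvalResourceName": "*",
     "EvalDecision": "implicitDeny"},
]

if __name__ == "__main__":
    # Live run (needs credentials): report which pairs the policy denies.
    decisions, denied = summarize(simulate_custom(POLICY_DOCUMENT, ACTIONS))
    for key, decision in decisions.items():
        print(f"{key[0]} on {key[1]}: {decision}")
    print("all allowed" if not denied else f"denied: {denied}")
```

`simulate_user` answers the question as literally asked (does this user, with everything attached to them, pass?), while `simulate_custom` answers the cheaper design-time question (would this document pass?) before anything is attached. Both return decisions per action and resource, so a single `implicitDeny` pinpoints which statement is missing rather than forcing a trial call against the real service.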