
Two ways to simulate IAM policies – IAM Policy Simulator / --dryrun


This section describes how to check in advance whether an IAM policy you have prepared grants sufficient permissions to call an AWS API, and how such a check actually behaves.

This page explains how to use the IAM Policy Simulator and how to enable the --dryrun option of the AWS CLI.

Environment

Diagram of two ways to simulate IAM policies - IAM Policy Simulator / --dryrun

Validate the IAM Policy Simulator and the --dryrun option against the S3 API.

An EC2 instance is placed on a private subnet within the VPC.
This instance accesses the S3 bucket via a NAT Gateway.

Associate an IAM role that has permissions on the S3 bucket with this instance.

Also, verify the IAM role permissions mentioned above with the IAM Policy Simulator.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation template is placed at the following URL.

awstut-dva/02/003/dva-02-003.yaml at main · awstut-an-r/awstut-dva

Explanation of key points of template files

EC2 Instance

Resources:
  Instance:
    Type: AWS::EC2::Instance
    Properties:
      IamInstanceProfile: !Ref InstanceProfile
      ImageId: !Ref ImageId
      InstanceType: !Ref InstanceType
      NetworkInterfaces:
        - DeviceIndex: 0
          SubnetId: !Ref InstanceSubnet
          GroupSet:
            - !Ref InstanceSecurityGroup
      UserData: !Base64 |
        #!/bin/bash -xe
        curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
        unzip awscliv2.zip
        sudo ./aws/install

Create an EC2 instance.

The initialization process that runs when the instance is created is set with user data.
Please refer to the following page for details on initialization with user data.

As the initialization process, install the latest version of the AWS CLI.
The commands to be executed were configured with reference to the following page.

Install or update to the latest version of the AWS CLI - AWS Command Line Interface

IAM Role

Resources:
  InstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Principal:
              Service:
                - ec2.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
      Policies:
        - PolicyName: AccessS3Policy
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action:
                  - s3:PutObject
                Resource:
                  - !Sub "arn:aws:s3:::${BucketName}/*"

This is the IAM role to be associated with the EC2 instance.

Permissions on the S3 bucket are set as an inline policy.
Specifically, the policy allows uploading objects (s3:PutObject) to the test bucket, and nothing else.

Architecting

Use CloudFormation to build this environment and check its actual behavior.

Create CloudFormation stacks and check the resources in the stacks

Create CloudFormation stacks.
For information on how to create stacks and check each stack, please refer to the following pages.

After reviewing the resources in each stack, the main resources created in this case are as follows:

  • EC2 Instance: i-03d7ae8bb2366711f
  • IAM Role: dva-02-003-EC2Stack-1PUIWNGAOWZ9R-InstanceRole-RXZNG70RRR4A
  • S3 bucket: dva-02-003

Check each resource from the AWS Management Console.

Check the IAM role.

Detail of IAM 1.

An IAM role has been created for the EC2 instance.
The inline policy shows that the role has been granted permission to store objects in the S3 bucket.

Operation Check

IAM Policy Simulator

Now that you are ready, check permissions in the IAM Policy Simulator.

Detail of IAM 2.

Click the “Simulate” button.

Detail of IAM 3.

You can now access the IAM Policy Simulator page.

Search for the IAM role you have just created.

Detail of IAM 4.

The role is found; select it.

Detail of IAM 5.

The IAM policies attached to the IAM role are displayed.
In this case, the inline policy “AccessS3Policy” is shown.

Validate actions against this inline policy.
Set the IAM actions you want to validate.
In this case, we will verify the following two S3 actions:

  • DeleteObject
  • PutObject

Both actions are set to run against the test bucket dva-02-003.

Detail of IAM 6.

When settings are complete, press “Run Simulator”.

The following are the results of the execution.

Detail of IAM 7.

The result of the execution is displayed in the “Permission” column.
The DeleteObject action was denied and the PutObject action was allowed.
This result matches the inline policy setting.

By using the IAM Policy Simulator in this way, you can check in advance whether the IAM policy you have created has sufficient permissions.
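The simulator's decision for the two actions above can also be reproduced locally. The following is an added example (not code from the original post): a minimal evaluator for identity-based Allow/Deny statements with IAM wildcards, returning the same EvalDecision values the simulator reports; it does not model conditions, NotAction, resource policies or SCPs, so the authoritative check remains the simulator itself (console, or `aws iam simulate-principal-policy`).

```python
"""Local model of the IAM decision logic the Policy Simulator reports.
Added example, not part of the original post. Only Action/Resource
wildcards and Effect are modelled (no Condition, NotAction, SCPs)."""
import re

# The AccessS3Policy inline policy from the template, with ${BucketName} = dva-02-003.
ACCESS_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::dva-02-003/*"]},
    ],
}

def _as_list(value):
    # Action and Resource may be a single string or a list in policy JSON.
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None

def evaluate(policy, action, resource_arn):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one action/resource pair.
    Action names are case-insensitive in IAM; resource ARNs are matched as written."""
    decision = "implicitDeny"          # nothing matched yet: denied by default
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"      # an explicit Deny always wins
        decision = "allowed"
    return decision

def simulate(policy, actions, resource_arn):
    """Mirror the simulator's result table: {action: decision}."""
    return {a: evaluate(policy, a, resource_arn) for a in actions}

if __name__ == "__main__":
    obj = "arn:aws:s3:::dva-02-003/test.txt"
    for action, decision in simulate(ACCESS_S3_POLICY, ["s3:DeleteObject", "s3:PutObject"], obj).items():
        print(f"{action:<16} {decision}")
```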

--dryrun option

Next, check the --dryrun option of the AWS CLI.

Confirmation is done by accessing the EC2 instance.
SSM Session Manager is used to access the instance.

% aws ssm start-session --target i-03d7ae8bb2366711f          
...
sh-4.2$

For more information on SSM Session Manager, please refer to the following page.

Check the execution status of the instance initialization process with user data.
Check the version of AWS CLI.

sh-4.2$ aws --version
aws-cli/2.9.23 Python/3.9.11 Linux/4.14.301-224.520.amzn2.aarch64 exe/aarch64.amzn.2 prompt/off

On Amazon Linux 2, AWS CLI version 1 is installed by default, but version 2 is now installed, indicating that the user-data initialization process ran successfully.

Create a file for testing.

sh-4.2$ touch /home/ssm-user/test.txt

Consider uploading this file to the test bucket.

Check the command options for upload.

sh-4.2$ aws s3 cp help
...
--dryrun  (boolean)  Displays  the  operations  that would be performed
       using the specified command without actually running them.

The --dryrun option can be used to simulate the upload behavior.

Execute the upload command with the --dryrun option enabled.

sh-4.2$ aws s3 cp /home/ssm-user/test.txt s3://dva-02-003 --dryrun
(dryrun) upload: ../../home/ssm-user/test.txt to s3://dva-02-003/test.txt

The upload has been simulated.
The “(dryrun)” at the beginning of the output message indicates that the upload was not actually executed.

The next step is to upload the file without options.

sh-4.2$ aws s3 cp /home/ssm-user/test.txt s3://dva-02-003
upload: ../../home/ssm-user/test.txt to s3://dva-02-003/test.txt

The upload was executed as usual here.

Next, consider deleting an object.

Review the command options for deletion.

sh-4.2$ aws s3 rm help
...
--dryrun  (boolean)  Displays  the  operations  that would be performed
       using the specified command without actually running them.

We can see that deletion can also be simulated here.

Execute the delete command with the --dryrun option enabled.

sh-4.2$ aws s3 rm s3://dva-02-003/hoge.txt --dryrun
(dryrun) delete: s3://dva-02-003/hoge.txt

The delete action has been simulated.
The IAM role associated with this EC2 instance does not grant delete permission (s3:DeleteObject), yet the deletion was simulated anyway.
This indicates that the --dryrun option of the S3 commands simulates the action regardless of the permissions granted by the IAM policy.

Perform the deletion without options.

sh-4.2$ aws s3 rm s3://dva-02-003/hoge.txt
delete failed: s3://dva-02-003/hoge.txt An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied

Deletion failed.
It failed because the IAM role associated with this instance does not have permission to delete.
This also shows that the result of enabling the --dryrun option does not reflect an evaluation of the IAM policy.
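Because --dryrun tells you nothing about permissions, a destructive command can be gated on the IAM simulator instead. The following is an added example (not the post's code) that asks SimulatePrincipalPolicy about s3:DeleteObject for the role before building the `aws s3 rm` command; the account ID in the role ARN is a placeholder, and the IAM client is injected so the constructed `StubIam` can stand in for boto3 offline.

```python
"""Preflight an S3 delete with the IAM simulator instead of --dryrun.
Added example, not part of the original post. With real credentials,
pass boto3.client("iam") as `iam`; StubIam is a constructed stand-in."""
import subprocess

# 123456789012 is a placeholder account id; the role name is the one the stack created.
ROLE_ARN = "arn:aws:iam::123456789012:role/dva-02-003-EC2Stack-1PUIWNGAOWZ9R-InstanceRole-RXZNG70RRR4A"

def s3_uri_to_arn(uri):
    """s3://bucket/key -> arn:aws:s3:::bucket/key, the form the simulator expects."""
    if not uri.startswith("s3://"):
        raise ValueError("not an S3 URI: " + uri)
    return "arn:aws:s3:::" + uri[len("s3://"):]

def simulate_action(iam, role_arn, action, resource_arn):
    """Return the simulator's EvalDecision for one action on one resource."""
    resp = iam.simulate_principal_policy(
        PolicySourceArn=role_arn, ActionNames=[action], ResourceArns=[resource_arn])
    for result in resp["EvaluationResults"]:
        if result["EvalActionName"] == action:
            return result["EvalDecision"]    # allowed / explicitDeny / implicitDeny
    return "implicitDeny"

def preflight_s3_rm(uri, iam, role_arn=ROLE_ARN, execute=False):
    """Return (decision, argv); argv is None when the delete would be denied,
    so the real command is never attempted without permission."""
    decision = simulate_action(iam, role_arn, "s3:DeleteObject", s3_uri_to_arn(uri))
    if decision != "allowed":
        return decision, None
    argv = ["aws", "s3", "rm", uri]
    if execute:
        subprocess.run(argv, check=True)
    return decision, argv

class StubIam:
    """Constructed offline stand-in returning what the simulator reported on this
    page: PutObject allowed on the bucket's objects, everything else implicitly denied."""
    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns):
        results = []
        for action in ActionNames:
            for arn in ResourceArns:
                ok = action == "s3:PutObject" and arn.startswith("arn:aws:s3:::dva-02-003/")
                results.append({"EvalActionName": action, "EvalResourceName": arn,
                                "EvalDecision": "allowed" if ok else "implicitDeny"})
        return {"EvaluationResults": results}

if __name__ == "__main__":
    print(preflight_s3_rm("s3://dva-02-003/hoge.txt", StubIam()))
```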

Summary

We introduced how to use the IAM Policy Simulator and how to enable the --dryrun option of the AWS CLI as ways to check in advance whether the IAM policy you have prepared is sufficient to call an AWS API, and how each check actually behaves.
