AWS Custom Policies: Testing Permissions via CLI

Test Permissions for AWS Custom Policies


Question

You have defined some custom policies in AWS.

You need to test out the permissions assigned to those policies.

Which of the following can be used for this purpose via the CLI? Choose 2 answers from the options given below.

Answers

Explanations


Answer - A and B.

This is mentioned in the AWS Documentation.

Policy simulator commands typically require calling API operations to do two things:

  1. Evaluate the policies and return the list of context keys that they reference. You need to know what context keys are referenced so that you can supply values for them in the next step.

  2. Simulate the policies, providing a list of actions, resources, and context keys that are used during the simulation.

Because these are the commands the documentation specifies for this purpose, all other options are incorrect.

For more information on policy simulation, please refer to the URL below:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

The correct answers are A and B.

To test the permissions assigned to custom policies in AWS using the CLI, you can follow these steps:

  1. Get the context keys first: Context keys are variables that define the context of a request, such as the time of day, the IP address, or the user agent. To test permissions, you need to specify the context in which the request is being made. You can use the aws iam get-context-keys-for-custom-policy command to retrieve the context keys required for testing.

  2. Use the aws iam simulate-custom-policy command: This command allows you to simulate a request to AWS services to test the permissions assigned to a custom policy. You can specify the context keys retrieved in step 1, as well as the actions and resources to be tested. The command will return a report that shows whether the policy allows or denies access to the specified actions and resources.

For example, suppose you have created a custom policy that allows access to an S3 bucket. You can use the following commands to test the policy:

```bash
aws iam get-context-keys-for-custom-policy --policy-input-list file://policy.json
```

Here, policy.json is the JSON file containing the policy you want to test.

```bash
aws iam simulate-custom-policy \
  --policy-input-list file://policy.json \
  --action-names s3:GetObject \
  --resource-arns "arn:aws:s3:::example-bucket/*" \
  --context-entries \
    ContextKeyName=ContextKey1,ContextKeyValues=value1,ContextKeyType=string \
    ContextKeyName=ContextKey2,ContextKeyValues=value2,ContextKeyType=string
```

Here, --action-names specifies the actions to test, --resource-arns specifies the resources to test, and --context-entries specifies the context in which the request is being made: one ContextKeyName/ContextKeyValues/ContextKeyType entry for each key returned in step 1 (ContextKey1, value1 and so on are placeholders to replace with your policy's real keys and values). The resource ARN is quoted so the shell does not expand the trailing wildcard.
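The two-step check above is easy to script so it can run before a policy is attached, which is where the value of the simulator lies. The following Python script is an added example, not code from the original page or from AWS: it builds the two CLI invocations (assuming the AWS CLI is on PATH and credentials are configured for the live calls), and it compares the simulator's EvaluationResults against the verdicts the policy is supposed to produce, treating any result that reports MissingContextValues as inconclusive rather than as a pass. The SAMPLE_OUTPUT, the EXPECTED verdicts and the aws:SourceIp value are constructed so the checking part runs offline.

```python
"""Script the two-step IAM policy simulator check and verify the verdicts.

Added example, not code from the original page or from AWS. It assumes the
AWS CLI is on PATH with credentials configured for the live commands; the
SAMPLE_OUTPUT below is constructed to mirror the CLI's JSON shape so the
checks can run offline.
"""
import json
import shlex
import subprocess
from typing import Dict, Iterable, List, Tuple

# (name, value, type) for one --context-entries shorthand item. The type
# must be one of the simulator's context key types, e.g. string, boolean, ip.
ContextEntry = Tuple[str, str, str]
Verdicts = Dict[Tuple[str, str], str]   # (action, resource) -> EvalDecision


def context_keys_command(policy_path: str) -> List[str]:
    """Step 1: argv that lists the context keys the policy references."""
    return ["aws", "iam", "get-context-keys-for-custom-policy",
            "--policy-input-list", f"file://{policy_path}"]


def simulate_command(policy_path: str, actions: Iterable[str],
                     resources: Iterable[str],
                     context: Iterable[ContextEntry] = ()) -> List[str]:
    """Step 2: argv that simulates the actions against the resources."""
    argv = ["aws", "iam", "simulate-custom-policy",
            "--policy-input-list", f"file://{policy_path}",
            "--action-names", *actions,
            "--resource-arns", *resources,
            "--output", "json"]
    entries = [f"ContextKeyName={n},ContextKeyValues={v},ContextKeyType={t}"
               for n, v, t in context]
    if entries:
        argv += ["--context-entries", *entries]
    return argv


def run_cli(argv: List[str]) -> dict:
    """Run an AWS CLI command and parse its JSON output (live call)."""
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def check_decisions(sim_output: dict, expected: Verdicts) -> List[str]:
    """Compare EvaluationResults with the verdicts the policy is meant to give.

    expected maps (action, resource) to "allowed", "explicitDeny" or
    "implicitDeny". Returns a list of failures; an empty list means the
    policy behaves as intended. Any result that reports MissingContextValues
    is treated as a failure, because the simulator could not evaluate that
    condition and its verdict is not trustworthy.
    """
    failures: List[str] = []
    seen = set()
    for res in sim_output.get("EvaluationResults", []):
        key = (res["EvalActionName"], res["EvalResourceName"])
        seen.add(key)
        missing = res.get("MissingContextValues") or []
        if missing:
            failures.append(f"{key}: missing context values {missing}, "
                            "supply them via --context-entries and rerun")
            continue
        want = expected.get(key)
        if want is not None and res["EvalDecision"] != want:
            failures.append(f"{key}: expected {want}, got {res['EvalDecision']}")
    for key in sorted(expected.keys() - seen):
        failures.append(f"{key}: no evaluation result returned")
    return failures


BUCKET_OBJECTS = "arn:aws:s3:::example-bucket/*"

# Constructed sample of what simulate-custom-policy returns for a policy that
# allows s3:GetObject, is silent on s3:DeleteObject, and gates s3:PutObject on
# aws:SourceIp without that key having been supplied to the simulation.
SAMPLE_OUTPUT = {
    "EvaluationResults": [
        {"EvalActionName": "s3:GetObject", "EvalResourceName": BUCKET_OBJECTS,
         "EvalDecision": "allowed", "MissingContextValues": []},
        {"EvalActionName": "s3:DeleteObject", "EvalResourceName": BUCKET_OBJECTS,
         "EvalDecision": "implicitDeny", "MissingContextValues": []},
        {"EvalActionName": "s3:PutObject", "EvalResourceName": BUCKET_OBJECTS,
         "EvalDecision": "implicitDeny", "MissingContextValues": ["aws:SourceIp"]},
    ]
}

# What the policy is supposed to decide for each action on the bucket (constructed).
EXPECTED: Verdicts = {
    ("s3:GetObject", BUCKET_OBJECTS): "allowed",
    ("s3:DeleteObject", BUCKET_OBJECTS): "implicitDeny",
    ("s3:PutObject", BUCKET_OBJECTS): "allowed",
}

if __name__ == "__main__":
    # Dry run: show the two commands, then evaluate the constructed sample.
    print(shlex.join(context_keys_command("policy.json")))
    print(shlex.join(simulate_command(
        "policy.json", [a for a, _ in EXPECTED], [BUCKET_OBJECTS],
        [("aws:SourceIp", "203.0.113.10", "ip")])))
    for line in check_decisions(SAMPLE_OUTPUT, EXPECTED) or ["all verdicts as expected"]:
        print(line)
```

Replace `SAMPLE_OUTPUT` with `run_cli(simulate_command(...))` to check a real policy; the point of `check_decisions` is that a missing context value or a verdict that differs from EXPECTED fails the run, so an over-permissive or under-permissive policy is caught before it is attached to a user, group or role.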

It's important to note that testing policies using the CLI is a best practice for ensuring that policies are working as expected before assigning them to users or groups. It can help you catch any errors or unintended consequences of the policy before they cause problems.