Introducing Policy Tester, a test harness for AWS IAM Policies
TL;DR: Policy Tester is a new, free tool that instantly evaluates IAM policies client side as you type them. It’s powered by iam-simulate and provides:
- Real-time evaluation of policies
- Detailed “Explain” views showing exactly why a statement applies or doesn’t
- One-click sharing for your team and automated policy documentation
What it lets you do that the AWS Policy Simulator doesn’t:
- Use a code editor with syntax highlighting and validation
- Run multiple tests of an action with different resources or context keys at once
- Set expectations for your policies and test them properly
- See line by line why a statement applied or didn’t
- Share your policy and test cases with a link
Use it right here or watch a 3-minute video.
Why Do I Need This?
Get the Right Policy Faster
IAM is the foundation of security in AWS. You can learn all the fundamentals in an hour, but it gets complicated fast and there are lots of corner cases to remember.
Speed of learning and development is largely driven by the speed of your feedback loop. Running locally lets you move faster than having to run a deployment pipeline on every change; running unit tests enables faster development than manual testing.
Policy Tester evaluates your tests and policies as you type them. Faster feedback gets you to the right policy faster; more importantly, you learn faster, which makes you a better practitioner. Better IAM practitioners make us all safer.
Share Policies with Automated Documentation
Like I said, IAM policies get complicated fast. Even when you create and test the perfect policy, eventually it will need to change. When that time comes, how do you know what the policy was meant to do in the first place?
When you share a policy in Policy Tester, you also share the behavior that policy is expected to achieve. You can test and share any combination of actions, resources, and context keys with the expected outcome.
This way you document your policy AND the expectations it was meant to achieve. When it needs to change you can change your expectations along with your policy and have automated verification.
See What Happens and Why
You can see the final answer, what statements caused that answer, and exactly why each statement did or didn’t apply.
EXPLAIN: noun. A text display of an IAM statement, annotated with how it was interpreted for a single request.
This EXPLAIN shows that the request for s3:GetObject didn’t match because there are no matching actions in the policy:
And in an unmatched statement you can see exactly why it didn’t match:
We do these things not because they are easy, but because we thought they were going to be easy.
- The programmer’s credo
There are many corner cases in displaying a useful EXPLAIN. In an Action element, only one value out of 100 needs to match for the statement to apply; in a NotAction element, just one matching value out of 100 is enough for the statement not to apply.
For a positive set operator like ForAnyValue:StringEquals we highlight which request values match the values in the policy:
For a negative one such as ForAnyValue:StringNotLike we focus on the request values that are not in our policy:
We have over 70 tests of individual policy elements to ensure the display is correct in every possible form of positive and negative operators and condition keys.
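An added example (not iam-simulate’s or Policy Tester’s code) modelling the two rules described above: the Action/NotAction “one matching value” logic and which request values a positive versus a negative ForAnyValue operator highlights. The statement shape and function names are assumptions for illustration.

```typescript
// Added example (not iam-simulate's code): a minimal model of how one IAM
// statement's Action/NotAction element and a ForAnyValue condition are explained.

// IAM action names and StringLike patterns use '*' (any run) and '?' (one char).
// Action names match case-insensitively; condition values do not.
function wildcardToRegExp(pattern: string, ignoreCase: boolean): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, ignoreCase ? "i" : "");
}

interface Statement { Action?: string[]; NotAction?: string[] }
interface ActionExplain {
  applies: boolean;
  element: "Action" | "NotAction";
  matched: string[]; // policy patterns that matched the requested action
}

// Action: the statement applies if ANY listed pattern matches the request.
// NotAction: the statement applies only if NONE of the patterns match.
function explainAction(stmt: Statement, action: string): ActionExplain {
  const element = stmt.NotAction ? "NotAction" : "Action";
  const patterns = stmt.NotAction ?? stmt.Action ?? [];
  const matched = patterns.filter((p) => wildcardToRegExp(p, true).test(action));
  const applies = element === "Action" ? matched.length > 0 : matched.length === 0;
  return { applies, element, matched };
}

type ForAnyOp = "ForAnyValue:StringEquals" | "ForAnyValue:StringNotLike";
interface ConditionExplain {
  applies: boolean;
  highlighted: string[]; // request values worth highlighting in the EXPLAIN
}

// ForAnyValue is satisfied when at least one request value passes the operator.
// Positive operator: highlight request values found in the policy.
// Negative operator: highlight request values that match none of the policy patterns.
function explainForAnyValue(op: ForAnyOp, policy: string[], request: string[]): ConditionExplain {
  const highlighted = request.filter((v) => {
    const inPolicy = op === "ForAnyValue:StringEquals"
      ? policy.includes(v)
      : policy.some((p) => wildcardToRegExp(p, false).test(v));
    return op === "ForAnyValue:StringEquals" ? inPolicy : !inPolicy;
  });
  // A request carrying no values for the key never satisfies ForAnyValue.
  return { applies: highlighted.length > 0, highlighted };
}
```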
How To Use Policy Tester
- Edit one of the example policies or put in your own. The editor validates policy syntax and much of the policy content.
- Add as many test cases as you want; they are evaluated instantly:
- If the action is a wildcard-only action, the wildcard resource is filled in for you, no need to remember.
- You can add any valid context keys that were found in the policy. The tool knows which keys are single values or lists and adjusts the UI accordingly.
- You can choose the expected outcome. If you do, the answer will be highlighted green if it matches or red if it doesn’t.
- Click the answer or the “Explain” link to see how any answer was determined. Deny/Allow statements that apply are automatically shown. Statements that did not apply can be shown.
- Save the policy and scenarios to a unique URL for sharing. Send it to the intern, Jacob, I think we can trust him to copy and paste.
What’s Next
Expanded User Interface
Add UI support for additional policy types: resource policies, service control policies, resource control policies, and permission boundaries.
Get All the Policies In The Simulator
To fully understand your environment a simulator needs access to all policies across all accounts. When complete, iam-download will download all IAM information from any number of accounts. With that as a data source iam-simulate will be able to get the right policies for any combination of principal and resource to produce a quick, accurate, and detailed answer to a permissions question.
Commercial Use
The site is free for any and all uses. The library is currently licensed under the AGPL; if you’re interested in using it in a commercial setting, please reach out.
Feedback
I’m grateful for any and all feedback. You won’t say anything worse than my preteen son. If you have thoughts on where we should go next or want to help out please open an issue on the iam-simulate repo or email iam-helping@cloudcopilot.io
Please follow us on the socials and add stars on GitHub, it makes a big difference!