With policy simulations, you tell the framework to call the AWS IAM simulate_principal_policy or simulate_custom_policy API. simulate_principal_policy evaluates the policies already attached to an existing IAM user, group or role; simulate_custom_policy evaluates policy documents you supply. Using policy simulations you can verify the configuration of your access management, ensuring IAM roles, users and groups have access to the resources you want them to and do not have permission for the actions they should not be able to perform.
Using the framework you can run simulations in parallel across many regions of many accounts quickly and easily.
This tutorial will walk you through how to use the policy simulations feature.
We will assume you have:
Here are the steps you need to follow to use policy simulations:
Add the following snippet to your manifest file:
You will most likely need to update the tag from role:all to whatever you are using in your environment.
In each region of each account listed in your simulate_for, you asked service catalog puppet to do the following:
If the EvalDecision returned by IAM for any action/resource pair was not explicitDeny (an implicitDeny or allowed result counts as a failure here), the simulation task would fail: anything depending on the simulate policy task would not execute and, if AWS Systems Manager OpsCenter support was enabled, an OpsItem would have been created.
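The check described above, written out as an added example that is not part of this tutorial or of servicecatalog-puppet itself. It evaluates a response in the shape boto3 returns from iam.simulate_principal_policy / iam.simulate_custom_policy against an expected decision, treating every EvaluationResults entry whose EvalDecision differs from the expectation as a failure. The sample response is constructed, not captured from a real account; the function and policy names (failed_results, simulation_passes, DenyIamWrites, AllowBucketRead) are assumptions for illustration. The last function performs the live, paginated API call and is the only part that needs AWS credentials.

```python
"""Added example: evaluating IAM policy simulation results against an expected decision.

Not code from the tutorial or from servicecatalog-puppet. Assumes the response
shape of boto3 iam.simulate_principal_policy / iam.simulate_custom_policy.
"""
from typing import Any, Dict, List, Optional, Tuple

# The three decisions IAM can return for each (action, resource) pair.
VALID_DECISIONS = {"allowed", "explicitDeny", "implicitDeny"}

# Constructed sample in the shape of a SimulatePrincipalPolicy response (not real data).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "EvaluationResults": [
        {
            "EvalActionName": "iam:CreateUser",
            "EvalResourceName": "*",
            "EvalDecision": "explicitDeny",            # a Deny statement matched
            "MatchedStatements": [{"SourcePolicyId": "DenyIamWrites"}],
        },
        {
            "EvalActionName": "iam:DeleteUser",
            "EvalResourceName": "*",
            "EvalDecision": "implicitDeny",            # nothing allows it, nothing denies it
            "MatchedStatements": [],
        },
        {
            "EvalActionName": "s3:GetObject",
            "EvalResourceName": "arn:aws:s3:::example-bucket/*",
            "EvalDecision": "allowed",
            "MatchedStatements": [{"SourcePolicyId": "AllowBucketRead"}],
        },
    ],
    "IsTruncated": False,
}


def failed_results(response: Dict[str, Any], expected_decision: str) -> List[Tuple[str, str, str]]:
    """Return (action, resource, actual_decision) for every result that differs from expected.

    An empty list means the simulation matched the expectation everywhere.
    A truncated response is rejected: a missing page could hide a failing result.
    """
    if expected_decision not in VALID_DECISIONS:
        raise ValueError(f"expected_decision must be one of {sorted(VALID_DECISIONS)}")
    if response.get("IsTruncated"):
        raise ValueError("response is truncated; collect all pages before evaluating")
    mismatches = []
    for result in response.get("EvaluationResults", []):
        actual = result["EvalDecision"]
        if actual != expected_decision:
            mismatches.append((result["EvalActionName"], result["EvalResourceName"], actual))
    return mismatches


def simulation_passes(response: Dict[str, Any], expected_decision: str) -> bool:
    """True only when every evaluated action/resource pair produced the expected decision."""
    return not failed_results(response, expected_decision)


def simulate_principal_policy(policy_source_arn: str, action_names: List[str],
                              resource_arns: Optional[List[str]] = None) -> Dict[str, Any]:
    """Run SimulatePrincipalPolicy for an existing principal and gather every page.

    Live API call (needs credentials with iam:SimulatePrincipalPolicy); not used by
    the offline sample above. IAM is a global service, so no region is needed here.
    """
    import boto3  # imported here so the offline part of the module has no boto3 dependency

    iam = boto3.client("iam")
    paginator = iam.get_paginator("simulate_principal_policy")
    params: Dict[str, Any] = {"PolicySourceArn": policy_source_arn, "ActionNames": action_names}
    if resource_arns:
        params["ResourceArns"] = resource_arns
    results: List[Dict[str, Any]] = []
    for page in paginator.paginate(**params):
        results.extend(page["EvaluationResults"])
    return {"EvaluationResults": results, "IsTruncated": False}


if __name__ == "__main__":
    # Expecting explicitDeny: the implicitDeny and allowed rows are reported as failures.
    for action, resource, decision in failed_results(SAMPLE_RESPONSE, "explicitDeny"):
        print(f"FAIL {action} on {resource}: got {decision}, expected explicitDeny")
```

Note the implicitDeny row: the principal cannot perform iam:DeleteUser today, but only because no statement allows it. If the expectation is explicitDeny, that is still a failure, which is the point of asserting on the decision rather than on "can't do it", since a later Allow would silently change the outcome.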
You have now successfully executed a principal policy simulation!