2015/09/10 - AWS Identity and Access Management - 4 new api methods
Simulate the set of IAM policies attached to an IAM entity against a list of API actions and AWS resources to determine the policies' effective permissions. The entity can be an IAM user, group, or role. If you specify a user, then the simulation also includes all of the policies attached to groups that the user is a member of.
You can optionally include a list of one or more additional policies specified as strings to include in the simulation. If you want to simulate only policies specified as strings, use SimulateCustomPolicy instead.
The simulation does not perform the API actions, it only checks the authorization to determine if the simulated policies allow or deny the actions.
Note: This API discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use SimulateCustomPolicy instead.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. To get the list of context keys required by the policies to simulate them correctly, use GetContextKeysForPrincipalPolicy.
If the output is long, you can paginate the results using the MaxItems and Marker parameters.
Request Syntax
client.simulate_principal_policy(
PolicySourceArn='string',
PolicyInputList=[
'string',
],
ActionNames=[
'string',
],
ResourceArns=[
'string',
],
ContextEntries=[
{
'ContextKeyName': 'string',
'ContextKeyValues': [
'string',
],
'ContextKeyType': 'string'|'stringList'|'numeric'|'numericList'|'boolean'|'booleanList'|'ip'|'ipList'|'binary'|'binaryList'|'date'|'dateList'
},
],
MaxItems=123,
Marker='string'
)
string
[REQUIRED]
The Amazon Resource Name (ARN) of a user, group, or role whose policies you want to include in the simulation. If you specify a user, group, or role, the simulation includes all policies associated with that entity. If you specify a user, the simulation also includes all policies attached to any groups the user is a member of.
list
An optional list of additional policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.
(string) --
list
[REQUIRED]
A list of names of API actions to evaluate in the simulation. Each action is evaluated for each resource. Each action must include the service identifier, such as iam:CreateUser .
(string) --
list
A list of ARNs of AWS resources to include in the simulation. If this parameter is not provided then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response.
(string) --
list
A list of context keys and corresponding values that are used by the simulation. Whenever a context key is evaluated by a Condition element in one of the simulated IAM permission policies, the corresponding value is supplied.
(dict) --
Contains information about a condition context key. It includes the name of the key and specifies the value (or values, if the context key supports multiple values) to use in the simulation. This information is used when evaluating the Condition elements of the input policies.
This data type is used as an input parameter to SimulatePolicy .
ContextKeyName (string) --
The full name of a condition context key, including the service prefix. For example, aws:SourceIp or s3:VersionId .
ContextKeyValues (list) --
The value (or values, if the condition context key supports multiple values) to provide to the simulation for use when the key is referenced by a Condition element in an input policy.
(string) --
ContextKeyType (string) --
The data type of the value (or values) specified in the ContextKeyValues parameter.
integer
Use this only when paginating results to indicate the maximum number of items you want in the response. If there are additional items beyond the maximum you specify, the IsTruncated response element is true .
This parameter is optional. If you do not include it, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. If this is the case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.
string
Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response you received to inform the next call about where to start.
dict
Response Syntax
{
'EvaluationResults': [
{
'EvalActionName': 'string',
'EvalResourceName': 'string',
'EvalDecision': 'allowed'|'explicitDeny'|'implicitDeny',
'MatchedStatements': [
{
'SourcePolicyId': 'string',
'SourcePolicyType': 'user'|'group'|'role'|'aws-managed'|'user-managed'|'none',
'StartPosition': {
'Line': 123,
'Column': 123
},
'EndPosition': {
'Line': 123,
'Column': 123
}
},
],
'MissingContextValues': [
'string',
]
},
],
'IsTruncated': True|False,
'Marker': 'string'
}
Response Structure
(dict) --
Contains the response to a successful SimulatePrincipalPolicy or SimulateCustomPolicy request.
EvaluationResults (list) --
The results of the simulation.
(dict) --
Contains the results of a simulation.
This data type is used by the return parameter of SimulatePolicy .
EvalActionName (string) --
The name of the API action tested on the indicated resource.
EvalResourceName (string) --
The ARN of the resource that the indicated API action was tested on.
EvalDecision (string) --
The result of the simulation.
MatchedStatements (list) --
A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the action on the resource, if only one statement denies that action, then the explicit deny overrides any allow, and the deny statement is the only entry included in the result.
(dict) --
Contains a reference to a Statement element in a policy document that determines the result of the simulation.
This data type is used by the MatchedStatements member of the EvaluationResult type.
SourcePolicyId (string) --
The identifier of the policy that was provided as an input.
SourcePolicyType (string) --
The type of the policy.
StartPosition (dict) --
The row and column of the beginning of the Statement in an IAM policy.
Line (integer) --
The line containing the specified position in the document.
Column (integer) --
The column in the line containing the specified position in the document.
EndPosition (dict) --
The row and column of the end of a Statement in an IAM policy.
Line (integer) --
The line containing the specified position in the document.
Column (integer) --
The column in the line containing the specified position in the document.
MissingContextValues (list) --
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
If the response includes any keys in this list, then the reported results might be untrustworthy because the simulation could not completely evaluate all of the conditions specified in the policies that would occur in a real world request.
(string) --
IsTruncated (boolean) --
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.
Marker (string) --
When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
Simulate a set of IAM policies against a list of API actions and AWS resources to determine the policies' effective permissions. The policies are provided as a list of strings.
The simulation does not perform the API actions, it only checks the authorization to determine if the simulated policies allow or deny the actions.
If you want to simulate existing policies attached to an IAM user, group, or role, use SimulatePrincipalPolicy instead.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. To get the list of context keys required by the policies to simulate them correctly, use GetContextKeysForCustomPolicy.
If the output is long, you can paginate the results using the MaxItems and Marker parameters.
Request Syntax
client.simulate_custom_policy(
PolicyInputList=[
'string',
],
ActionNames=[
'string',
],
ResourceArns=[
'string',
],
ContextEntries=[
{
'ContextKeyName': 'string',
'ContextKeyValues': [
'string',
],
'ContextKeyType': 'string'|'stringList'|'numeric'|'numericList'|'boolean'|'booleanList'|'ip'|'ipList'|'binary'|'binaryList'|'date'|'dateList'
},
],
MaxItems=123,
Marker='string'
)
list
[REQUIRED]
A list of policy documents to include in the simulation. Each document is specified as a string containing the complete, valid JSON text of an IAM policy.
(string) --
list
[REQUIRED]
A list of names of API actions to evaluate in the simulation. Each action is evaluated for each resource. Each action must include the service identifier, such as iam:CreateUser .
(string) --
list
A list of ARNs of AWS resources to include in the simulation. If this parameter is not provided then the value defaults to * (all resources). Each API in the ActionNames parameter is evaluated for each resource in this list. The simulation determines the access result (allowed or denied) of each combination and reports it in the response.
(string) --
list
A list of context keys and corresponding values that are used by the simulation. Whenever a context key is evaluated by a Condition element in one of the simulated IAM permission policies, the corresponding value is supplied.
(dict) --
Contains information about a condition context key. It includes the name of the key and specifies the value (or values, if the context key supports multiple values) to use in the simulation. This information is used when evaluating the Condition elements of the input policies.
This data type is used as an input parameter to SimulatePolicy .
ContextKeyName (string) --
The full name of a condition context key, including the service prefix. For example, aws:SourceIp or s3:VersionId .
ContextKeyValues (list) --
The value (or values, if the condition context key supports multiple values) to provide to the simulation for use when the key is referenced by a Condition element in an input policy.
(string) --
ContextKeyType (string) --
The data type of the value (or values) specified in the ContextKeyValues parameter.
integer
Use this only when paginating results to indicate the maximum number of items you want in the response. If there are additional items beyond the maximum you specify, the IsTruncated response element is true .
This parameter is optional. If you do not include it, it defaults to 100. Note that IAM might return fewer results, even when there are more results available. If this is the case, the IsTruncated response element returns true and Marker contains a value to include in the subsequent call that tells the service where to continue from.
string
Use this parameter only when paginating results and only after you receive a response indicating that the results are truncated. Set it to the value of the Marker element in the response you received to inform the next call about where to start.
dict
Response Syntax
{
'EvaluationResults': [
{
'EvalActionName': 'string',
'EvalResourceName': 'string',
'EvalDecision': 'allowed'|'explicitDeny'|'implicitDeny',
'MatchedStatements': [
{
'SourcePolicyId': 'string',
'SourcePolicyType': 'user'|'group'|'role'|'aws-managed'|'user-managed'|'none',
'StartPosition': {
'Line': 123,
'Column': 123
},
'EndPosition': {
'Line': 123,
'Column': 123
}
},
],
'MissingContextValues': [
'string',
]
},
],
'IsTruncated': True|False,
'Marker': 'string'
}
Response Structure
(dict) --
Contains the response to a successful SimulatePrincipalPolicy or SimulateCustomPolicy request.
EvaluationResults (list) --
The results of the simulation.
(dict) --
Contains the results of a simulation.
This data type is used by the return parameter of SimulatePolicy .
EvalActionName (string) --
The name of the API action tested on the indicated resource.
EvalResourceName (string) --
The ARN of the resource that the indicated API action was tested on.
EvalDecision (string) --
The result of the simulation.
MatchedStatements (list) --
A list of the statements in the input policies that determine the result for this scenario. Remember that even if multiple statements allow the action on the resource, if only one statement denies that action, then the explicit deny overrides any allow, and the deny statement is the only entry included in the result.
(dict) --
Contains a reference to a Statement element in a policy document that determines the result of the simulation.
This data type is used by the MatchedStatements member of the EvaluationResult type.
SourcePolicyId (string) --
The identifier of the policy that was provided as an input.
SourcePolicyType (string) --
The type of the policy.
StartPosition (dict) --
The row and column of the beginning of the Statement in an IAM policy.
Line (integer) --
The line containing the specified position in the document.
Column (integer) --
The column in the line containing the specified position in the document.
EndPosition (dict) --
The row and column of the end of a Statement in an IAM policy.
Line (integer) --
The line containing the specified position in the document.
Column (integer) --
The column in the line containing the specified position in the document.
MissingContextValues (list) --
A list of context keys that are required by the included input policies but that were not provided by one of the input parameters. To discover the context keys used by a set of policies, you can call GetContextKeysForCustomPolicy or GetContextKeysForPrincipalPolicy.
If the response includes any keys in this list, then the reported results might be untrustworthy because the simulation could not completely evaluate all of the conditions specified in the policies that would occur in a real world request.
(string) --
IsTruncated (boolean) --
A flag that indicates whether there are more items to return. If your results were truncated, you can make a subsequent pagination request using the Marker request parameter to retrieve more items. Note that IAM might return fewer than the MaxItems number of results even when there are more results available. We recommend that you check IsTruncated after every call to ensure that you receive all of your results.
Marker (string) --
When IsTruncated is true , this element is present and contains the value to use for the Marker parameter in a subsequent pagination request.
Gets a list of all of the context keys referenced in Condition elements in the input policies. The policies are supplied as a list of one or more strings. To get the context keys from policies associated with an IAM user, group, or role, use GetContextKeysForPrincipalPolicy.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. Use GetContextKeysForCustomPolicy to understand what key names and values you must supply when you call SimulateCustomPolicy. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.
Request Syntax
client.get_context_keys_for_custom_policy(
PolicyInputList=[
'string',
]
)
list
[REQUIRED]
A list of policies for which you want list of context keys used in Condition elements.
(string) --
dict
Response Syntax
{
'ContextKeyNames': [
'string',
]
}
Response Structure
(dict) --
Contains the response to a successful GetContextKeysForPrincipalPolicy or GetContextKeysForCustomPolicy request.
ContextKeyNames (list) --
The list of context keys that are used in the Condition elements of the input policies.
(string) --
Gets a list of all of the context keys referenced in Condition elements in all of the IAM policies attached to the specified IAM entity. The entity can be an IAM user, group, or role. If you specify a user, then the request also includes all of the policies attached to groups that the user is a member of.
You can optionally include a list of one or more additional policies, specified as strings. If you want to include only a list of policies by string, use GetContextKeysForCustomPolicy instead.
Note: This API discloses information about the permissions granted to other users. If you do not want users to see other user's permissions, then consider allowing them to use GetContextKeysForCustomPolicy instead.
Context keys are variables maintained by AWS and its services that provide details about the context of an API query request, and can be evaluated by using the Condition element of an IAM policy. Use GetContextKeysForPrincipalPolicy to understand what key names and values you must supply when you call SimulatePrincipalPolicy.
Request Syntax
client.get_context_keys_for_principal_policy(
PolicySourceArn='string',
PolicyInputList=[
'string',
]
)
string
[REQUIRED]
The ARN of a user, group, or role whose policies contain the context keys that you want listed. If you specify a user, the list includes context keys that are found in all policies attached to the user as well as to all groups that the user is a member of. If you pick a group or a role, then it includes only those context keys that are found in policies attached to that entity. Note that all parameters are shown in unencoded form here for clarity, but must be URL encoded to be included as a part of a real HTML request.
list
A optional list of additional policies for which you want list of context keys used in Condition elements.
(string) --
dict
Response Syntax
{
'ContextKeyNames': [
'string',
]
}
Response Structure
(dict) --
Contains the response to a successful GetContextKeysForPrincipalPolicy or GetContextKeysForCustomPolicy request.
ContextKeyNames (list) --
The list of context keys that are used in the Condition elements of the input policies.
(string) --