
How do new AWS APIs simulate IAM policies for cloud security?

The newly released AWS APIs simulate IAM policies for security testing. Expert Dan Sullivan explains how to make the most of these APIs.

Amazon Web Services has released two new APIs for identity and access management that simulate IAM policies. How do these AWS APIs work? And how often should IAM policies and permissions for cloud access be tested to ensure they are working properly?

These APIs expose the IAM policy simulator programmatically. They let you evaluate a set of API actions -- such as changing the password on a user account -- against a set of policies before those policies are pushed into production. The response shows what would happen if a principal actually tried to execute each action with its current (or proposed) permissions. The simulator only evaluates; it makes no changes to the AWS environment or its configuration, and the evaluation covers only the policies it is given or that are attached to the principal, so a resource-based policy (a bucket policy, for instance) is considered only if it is passed in with the call.

The IAM policy simulator's two APIs are iam:SimulatePrincipalPolicy and iam:SimulateCustomPolicy. The first evaluates the policies already attached to an existing principal (a user, group or role, identified by its ARN; for a user this includes policies inherited through group membership), while the second evaluates policy documents passed in as JSON strings, which need not be attached to any user, group or role yet.

A SimulatePrincipalPolicy call takes the Amazon Resource Name (ARN) of the user, group or role whose policies are to be evaluated; a SimulateCustomPolicy call takes the policy documents themselves. Either call must also include the list of API action names to simulate (for example iam:ChangePassword or s3:GetObject). Optionally, a list of resource ARNs can be specified to test the actions against. If no resource ARNs are given, the simulator evaluates each action against the wildcard resource "*"; this is not the same as testing every resource in the account, and a policy scoped to specific ARNs will not be exercised by it. Policies that contain Condition elements are evaluated against a list of context keys and values supplied with the call. If a policy's condition references a key that was not supplied, the result lists it under MissingContextValues, and AWS warns that such a result may be untrustworthy because the condition could not be fully evaluated.

As with other AWS APIs, these functions can be called from the AWS Command Line Interface (aws iam simulate-principal-policy and aws iam simulate-custom-policy) or from any SDK. The usual credential configuration is required (e.g., specifying AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), and the calling identity needs permission for the iam:SimulatePrincipalPolicy or iam:SimulateCustomPolicy action itself. The output is the result of the simulation, one entry per action and resource pair: the evaluation decision (allowed, explicitDeny or implicitDeny), the action name, the evaluated resource name, the statements in the policies that matched, and any context keys the simulation was missing. An implicit deny means no statement matched at all, which is usually the sign of a missing allow rather than a deliberate restriction.
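As an added example (not code from the article or from AWS), here is a small policy regression check built around iam:SimulatePrincipalPolicy, written the way it would sit in a CI job that runs before a policy change is deployed. It assumes a boto3-style IAM client exposing simulate_principal_policy(); the principal ARN, the expected outcomes and the FakeIamClient's canned answers are constructed so the script runs offline, and replacing FakeIamClient() with boto3.client("iam") runs the same cases against a real account. It also makes two things explicit that the description above only implies: the response is paginated with a Marker, and a result with MissingContextValues should be treated as a failed check, not as a decision.

```python
"""Regression-test a principal's effective permissions with iam:SimulatePrincipalPolicy.

Added example written for this article; it is not code from the article or from
AWS. It assumes a boto3-style IAM client exposing simulate_principal_policy().
The principal ARN, the test cases and FakeIamClient's canned answers are
constructed so the script runs offline; use boto3.client("iam") for a real run.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Iterable

ALLOWED = "allowed"  # the API's other decisions are explicitDeny and implicitDeny


@dataclass
class Case:
    """Expected outcome for one action across one or more resource ARNs."""
    action: str
    resources: tuple[str, ...]
    expect_allowed: bool
    # Condition-key values to feed the simulator: key -> (ContextKeyType, values)
    context: dict[str, tuple[str, list[str]]] = field(default_factory=dict)


def build_request(principal_arn: str, case: Case) -> dict[str, Any]:
    """Parameters in the shape boto3's simulate_principal_policy() expects."""
    req: dict[str, Any] = {
        "PolicySourceArn": principal_arn,
        "ActionNames": [case.action],
        "ResourceArns": list(case.resources),  # omitted -> the simulator uses "*"
    }
    if case.context:
        req["ContextEntries"] = [
            {"ContextKeyName": k, "ContextKeyType": t, "ContextKeyValues": v}
            for k, (t, v) in case.context.items()
        ]
    return req


def simulate(client: Any, principal_arn: str, case: Case) -> list[dict[str, Any]]:
    """Call the API and follow Marker pagination until IsTruncated is false."""
    params = build_request(principal_arn, case)
    results: list[dict[str, Any]] = []
    while True:
        resp = client.simulate_principal_policy(**params)
        results.extend(resp.get("EvaluationResults", []))
        if not resp.get("IsTruncated"):
            return results
        params["Marker"] = resp["Marker"]


def run_regression(client: Any, principal_arn: str, cases: Iterable[Case]) -> list[str]:
    """One line per mismatch; an empty list means every case matched expectations.

    A result carrying MissingContextValues is a failure too: the simulator could
    not evaluate a Condition, so its decision is not something to sign off on.
    """
    failures: list[str] = []
    for case in cases:
        for r in simulate(client, principal_arn, case):
            where = f"{r['EvalActionName']} on {r['EvalResourceName']}"
            missing = r.get("MissingContextValues") or []
            if missing:
                failures.append(f"{where}: no value supplied for condition keys {missing}")
                continue
            decision = r["EvalDecision"]
            if (decision == ALLOWED) != case.expect_allowed:
                matched = [m.get("SourcePolicyId") for m in r.get("MatchedStatements", [])]
                want = "allow" if case.expect_allowed else "deny"
                failures.append(f"{where}: {decision} (matched {matched}), expected {want}")
    return failures


class FakeIamClient:
    """Constructed stand-in for boto3.client('iam') so the example runs offline.

    Answers come from a canned table: action -> (decision, matched policy ids,
    condition keys the pretend policy needs). It returns one result per page
    so the Marker loop above is actually exercised.
    """
    CANNED = {
        "iam:ChangePassword": (ALLOWED, ["IAMUserChangePassword"], []),
        "iam:DeleteUser": ("implicitDeny", [], []),
        "s3:DeleteBucket": ("explicitDeny", ["DenyBucketDeletion"], []),
        "iam:CreateAccessKey": (ALLOWED, ["MfaGatedKeyManagement"], ["aws:MultiFactorAuthPresent"]),
    }

    def simulate_principal_policy(self, **params: Any) -> dict[str, Any]:
        supplied = {e["ContextKeyName"] for e in params.get("ContextEntries", [])}
        rows = []
        for action in params["ActionNames"]:
            decision, policy_ids, needed = self.CANNED.get(action, ("implicitDeny", [], []))
            for res in params.get("ResourceArns", ["*"]):
                rows.append({
                    "EvalActionName": action, "EvalResourceName": res,
                    "EvalDecision": decision,
                    "MatchedStatements": [{"SourcePolicyId": p} for p in policy_ids],
                    "MissingContextValues": [k for k in needed if k not in supplied],
                })
        start = int(params.get("Marker", 0))
        page = {"EvaluationResults": rows[start:start + 1], "IsTruncated": start + 1 < len(rows)}
        if page["IsTruncated"]:
            page["Marker"] = str(start + 1)
        return page


# Constructed expectations for a hypothetical developer user.
PRINCIPAL = "arn:aws:iam::123456789012:user/dev-alice"
CASES = [
    Case("iam:ChangePassword", (PRINCIPAL,), expect_allowed=True),
    Case("iam:DeleteUser", ("arn:aws:iam::123456789012:user/admin",), expect_allowed=False),
    Case("s3:DeleteBucket", ("arn:aws:s3:::prod-logs", "arn:aws:s3:::prod-backups"), expect_allowed=False),
    # Without the MFA context key the simulator cannot decide; with it, the allow should hold.
    Case("iam:CreateAccessKey", (PRINCIPAL,), expect_allowed=True),
    Case("iam:CreateAccessKey", (PRINCIPAL,), expect_allowed=True,
         context={"aws:MultiFactorAuthPresent": ("boolean", ["true"])}),
]

if __name__ == "__main__":
    for line in run_regression(FakeIamClient(), PRINCIPAL, CASES) or ["all cases passed"]:
        print(line)
```

Run against the fake client, only the fourth case is reported, because the simulated policy needs aws:MultiFactorAuthPresent and the case did not supply it; the fifth case passes once the key is provided. Keeping the expected outcomes in version control next to the policies is what turns the simulator from a one-off tool into a check that runs on every change.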

Testing frequency will depend on security requirements and risk tolerance. Good practice is to run simulations whenever a policy changes (ideally as an automated check before the change is deployed), after any large batch of changes, and then at regular intervals to catch drift between the permissions you believe are in place and the ones actually in effect. Users concerned about specific events, such as changes to an account with administrator privileges, should log those API calls with CloudTrail and alert on them, for example with a CloudWatch alarm driven by a metric filter on the CloudTrail log group, since the simulator only evaluates policies and does not watch for changes to them.
