Demonstrations
These step-by-step demonstrations walk you through complete workflows using the access-policy module. Each demonstration includes prerequisites, detailed instructions, and verification steps.
Getting Started
To follow any demonstration, ensure you have:
- Prerequisites met: Terraform >= 1.0, AWS CLI configured
- Authenticate with the registry: `terraform login registry.patterneddesigns.ca`
- Clone the demonstration repository: `git clone <demo-repo-url>`
- Follow the step-by-step instructions below
Step-by-Step Guides
Test and validate access policies using the IAM Policy Simulator
Prerequisites
- AWS account with appropriate permissions
- Terraform >= 1.0
- AWS CLI configured
Step 1: Create the Policy
```hcl
module "test_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name      = "test-developer-policy"
  policy_type      = "iam"
  allowed_services = ["s3", "dynamodb"]

  denied_actions = [
    "s3:DeleteBucket",
    "dynamodb:DeleteTable"
  ]

  resource_restrictions = {
    s3       = ["arn:aws:s3:::test-bucket-*/*"]
    dynamodb = ["arn:aws:dynamodb:*:*:table/test-*"]
  }
}

output "policy_arn" {
  value = module.test_policy.policy_arn
}
```
Step 2: Deploy the Policy
```bash
terraform init
terraform apply
```
Step 3: Test with Policy Simulator
Use the AWS CLI to simulate policy evaluation:
```bash
# simulate-principal-policy takes the ARN of a user, group or role, not of a policy;
# to evaluate the managed policy on its own, fetch its default version document
# and feed it to simulate-custom-policy
POLICY_ARN=arn:aws:iam::123456789012:policy/test-developer-policy
VERSION_ID=$(aws iam get-policy --policy-arn "$POLICY_ARN" \
  --query 'Policy.DefaultVersionId' --output text)
aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$VERSION_ID" \
  --query 'PolicyVersion.Document' --output json > policy.json

# Test allowed action
aws iam simulate-custom-policy \
  --policy-input-list file://policy.json \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::test-bucket-dev/data.json

# Test denied action
aws iam simulate-custom-policy \
  --policy-input-list file://policy.json \
  --action-names s3:DeleteBucket \
  --resource-arns arn:aws:s3:::test-bucket-dev
```
Step 4: Review Results
The simulator returns:
- allowed - Action is permitted
- implicitDeny - No statement allows the action
- explicitDeny - A deny statement blocks the action
Step 5: Iterate and Refine
Based on simulation results, adjust your policy configuration and re-deploy until the policy matches your security requirements.
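Iterating by eye on simulator output does not scale once a policy has more than a handful of action/resource pairs, and it gives no protection against a later change silently flipping a decision. The following is an added example (not code from the original page or from the access-policy module) of a small regression check: it parses the simulator's `EvaluationResults` and compares each `EvalDecision` against an expectations table, reporting both mismatches and pairs that were expected but never simulated. The simulator output and the expectations are constructed to match the policy in Step 1; the field names are those the IAM simulator returns.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample of the simulator's response shape (EvaluationResults with an
# EvalDecision per action/resource pair), trimmed to the fields used below.
SAMPLE_SIMULATOR_OUTPUT = json.dumps({
    "EvaluationResults": [
        {
            "EvalActionName": "s3:GetObject",
            "EvalResourceName": "arn:aws:s3:::test-bucket-dev/data.json",
            "EvalDecision": "allowed",
            "MatchedStatements": [{"SourcePolicyId": "test-developer-policy"}],
        },
        {
            "EvalActionName": "s3:DeleteBucket",
            "EvalResourceName": "arn:aws:s3:::test-bucket-dev",
            "EvalDecision": "explicitDeny",
            "MatchedStatements": [{"SourcePolicyId": "test-developer-policy"}],
        },
        {
            "EvalActionName": "dynamodb:PutItem",
            "EvalResourceName": "arn:aws:dynamodb:us-east-1:123456789012:table/prod-orders",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
        },
    ]
})

# Expected decisions for the Step 1 policy, keyed by (action, resource). Constructed:
# test-* tables are in scope, prod-* tables are not, DeleteBucket is explicitly denied.
EXPECTATIONS: Dict[Tuple[str, str], str] = {
    ("s3:GetObject", "arn:aws:s3:::test-bucket-dev/data.json"): "allowed",
    ("s3:DeleteBucket", "arn:aws:s3:::test-bucket-dev"): "explicitDeny",
    ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/prod-orders"): "implicitDeny",
    ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/test-orders"): "allowed",
}


def parse_decisions(simulator_json: str) -> Dict[Tuple[str, str], str]:
    """Map each simulated (action, resource) pair to its EvalDecision."""
    data = json.loads(simulator_json)
    decisions: Dict[Tuple[str, str], str] = {}
    for result in data.get("EvaluationResults", []):
        key = (result["EvalActionName"], result["EvalResourceName"])
        decisions[key] = result["EvalDecision"]
    return decisions


def check_expectations(simulator_json: str,
                       expectations: Dict[Tuple[str, str], str]) -> List[str]:
    """Return one line per problem; an empty list means the policy behaves as expected.

    A pair that is expected but absent from the output is reported as well, so a
    truncated or partially failed simulation run cannot pass silently.
    """
    actual = parse_decisions(simulator_json)
    problems: List[str] = []
    for (action, resource), expected in sorted(expectations.items()):
        got = actual.get((action, resource))
        if got is None:
            problems.append(f"NOT SIMULATED {action} on {resource} (expected {expected})")
        elif got != expected:
            problems.append(f"MISMATCH {action} on {resource}: expected {expected}, got {got}")
    return problems


if __name__ == "__main__":
    # In practice, pipe the JSON from `aws iam simulate-custom-policy ...` into this check
    for line in check_expectations(SAMPLE_SIMULATOR_OUTPUT, EXPECTATIONS) or ["all expectations met"]:
        print(line)
```

Run against real output by saving the simulator's JSON and passing it in place of the constructed sample; a non-empty result is the signal to go back to Step 5 and adjust the policy before re-deploying.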
Set up permission boundaries for delegated IAM administration
Prerequisites
- AWS account with IAM administrative access
- Terraform >= 1.0
- Understanding of IAM permission boundaries
Step 1: Create the Permission Boundary
```hcl
module "developer_boundary" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "developer-permission-boundary"
  policy_type = "boundary"

  allowed_services = [
    "s3",
    "dynamodb",
    "lambda",
    "sqs",
    "sns",
    "logs",
    "xray"
  ]

  denied_actions = [
    # Prevent IAM escalation
    "iam:CreateUser",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    # Prevent boundary removal
    "iam:DeleteRolePermissionsBoundary",
    "iam:PutRolePermissionsBoundary",
    # Prevent organization changes
    "organizations:*"
  ]
}

output "boundary_arn" {
  value = module.developer_boundary.policy_arn
}
```
Step 2: Apply the Boundary to Developer Roles
```hcl
resource "aws_iam_role" "developer_admin" {
  name                 = "developer-iam-admin"
  permissions_boundary = module.developer_boundary.policy_arn

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        AWS = "arn:aws:iam::123456789012:root"
      }
      Action = "sts:AssumeRole"
    }]
  })
}

# Grant IAM permissions within the boundary
resource "aws_iam_role_policy_attachment" "developer_admin" {
  role       = aws_iam_role.developer_admin.name
  policy_arn = "arn:aws:iam::aws:policy/IAMFullAccess"
}
```
Step 3: Deploy and Test
```bash
terraform apply
```
Step 4: Verify Boundary Enforcement
Assume the developer role and attempt operations:
```bash
# This should succeed (within boundary)
aws lambda create-function --function-name test ...
# This should fail (outside boundary)
aws iam create-user --user-name test-user
# Error: User: ... is not authorized to perform: iam:CreateUser
```
Key Points
- Permission boundaries cap the maximum permissions, even if the role has broader policies attached
- Use boundaries to safely delegate IAM administration
- Developers can create roles but only with permissions within their boundary
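The key points above describe an evaluation order (explicit deny first, then the intersection of identity policy and boundary, then implicit deny) that is easy to state and easy to get wrong in one's head. The following is an added example, not code from the original page or from the access-policy module, that models that order offline so the decisions for the two demonstrations on this page can be reasoned about without an AWS account. It builds statements from module-style inputs (`allowed_services`, `denied_actions`, `resource_restrictions`) in an assumed shape, since the module's real generated JSON is not shown here; IAMFullAccess is approximated as `Allow iam:*`, and an extra Lambda allow is assumed on the role so the "within boundary" case has something to intersect with. Wildcards use `fnmatch`, which is a simplification of IAM's matching (IAM action names are also case-insensitive, which is ignored here).

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional

# A statement as a plain dict: Effect plus glob patterns for Action and Resource.
Statement = Dict[str, object]


def module_statements(allowed_services: Iterable[str],
                      denied_actions: Iterable[str],
                      resource_restrictions: Optional[Dict[str, List[str]]] = None) -> List[Statement]:
    """Assumed rendering of the module inputs: one Allow of `svc:*` per service, scoped to
    its resource_restrictions entry when present (else "*"), plus one Deny for denied_actions."""
    restrictions = resource_restrictions or {}
    stmts: List[Statement] = [
        {"Effect": "Allow", "Action": [f"{svc}:*"], "Resource": restrictions.get(svc, ["*"])}
        for svc in allowed_services
    ]
    denied = list(denied_actions)
    if denied:
        stmts.append({"Effect": "Deny", "Action": denied, "Resource": ["*"]})
    return stmts


def _matches(stmt: Statement, action: str, resource: str) -> bool:
    """A statement applies when both an Action pattern and a Resource pattern match."""
    return (any(fnmatchcase(action, a) for a in stmt["Action"])
            and any(fnmatchcase(resource, r) for r in stmt["Resource"]))


def evaluate_policy(statements: List[Statement], action: str, resource: str = "*") -> str:
    """Decision for one policy set: explicit deny wins, then allow, then implicit deny."""
    matched = [s for s in statements if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicitDeny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "allowed"
    return "implicitDeny"


def effective_decision(identity: List[Statement], boundary: List[Statement],
                       action: str, resource: str = "*") -> str:
    """Identity policies and permission boundary evaluated together: an explicit deny
    in either blocks; otherwise the action is allowed only when BOTH allow it.
    The boundary caps what the identity policies grant and never grants on its own."""
    ident = evaluate_policy(identity, action, resource)
    bound = evaluate_policy(boundary, action, resource)
    if "explicitDeny" in (ident, bound):
        return "explicitDeny"
    if ident == "allowed" and bound == "allowed":
        return "allowed"
    return "implicitDeny"


# Policy from the first demonstration (Step 1, "test-developer-policy")
TEST_POLICY = module_statements(
    ["s3", "dynamodb"],
    ["s3:DeleteBucket", "dynamodb:DeleteTable"],
    {"s3": ["arn:aws:s3:::test-bucket-*/*"], "dynamodb": ["arn:aws:dynamodb:*:*:table/test-*"]},
)

# Boundary from the second demonstration ("developer-permission-boundary")
BOUNDARY = module_statements(
    ["s3", "dynamodb", "lambda", "sqs", "sns", "logs", "xray"],
    ["iam:CreateUser", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
     "iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary", "organizations:*"],
)

# Identity policies on the developer-iam-admin role: IAMFullAccess approximated as iam:*,
# plus an ASSUMED developer policy granting Lambda (not on the page).
IDENTITY: List[Statement] = [
    {"Effect": "Allow", "Action": ["iam:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["lambda:*"], "Resource": ["*"]},
]


def decision_matrix(actions: Iterable[str]) -> Dict[str, str]:
    """Effective decision for each action when the role runs under BOUNDARY."""
    return {a: effective_decision(IDENTITY, BOUNDARY, a) for a in actions}


if __name__ == "__main__":
    for action, decision in decision_matrix([
        "lambda:CreateFunction",       # allowed by identity AND boundary
        "iam:CreateUser",              # explicit deny in the boundary
        "iam:ListRoles",               # identity allows, boundary does not list iam: implicit deny
        "s3:GetObject",                # boundary allows, identity does not: implicit deny
        "organizations:ListAccounts",  # explicit deny in the boundary
    ]).items():
        print(f"{action:<30} {decision}")
```

Two of the rows are the ones worth internalising: `iam:ListRoles` is implicitly denied even though IAMFullAccess grants it, because the boundary's `allowed_services` does not include `iam`; and `s3:GetObject` is implicitly denied even though the boundary allows S3, because nothing attached to the role grants it. Running the same functions over `TEST_POLICY` reproduces the decisions the simulator returned in the first demonstration, including the `test-*` versus `prod-*` table restriction.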