IAM Policy Simulator

Prerequisites

  • AWS account with appropriate permissions
  • Terraform >= 1.0
  • AWS CLI configured

Step 1: Create the Policy

module "test_policy" {
  source  = "registry.patterneddesigns.ca/governance/access-policy/aws"
  version = "2.1.0"

  policy_name = "test-developer-policy"
  policy_type = "iam"

  allowed_services = ["s3", "dynamodb"]

  denied_actions = [
    "s3:DeleteBucket",
    "dynamodb:DeleteTable"
  ]

  resource_restrictions = {
    s3       = ["arn:aws:s3:::test-bucket-*/*"]
    dynamodb = ["arn:aws:dynamodb:*:*:table/test-*"]
  }
}

output "policy_arn" {
  value = module.test_policy.policy_arn
}

Step 2: Deploy the Policy

terraform init
terraform apply

Step 3: Test with Policy Simulator

Use the AWS CLI to simulate policy evaluation. simulate-principal-policy expects the ARN of a user, group or role, not of a managed policy, so to test the policy from Step 1 on its own, fetch its document and pass it to simulate-custom-policy:

# Fetch the document of the policy created in Step 1 (the module output gives its ARN;
# the default version is read so edits from Step 5 are picked up on re-runs)
POLICY_ARN=$(terraform output -raw policy_arn)
VERSION_ID=$(aws iam get-policy --policy-arn "$POLICY_ARN" \
  --query Policy.DefaultVersionId --output text)
POLICY_DOC=$(aws iam get-policy-version --policy-arn "$POLICY_ARN" \
  --version-id "$VERSION_ID" --query PolicyVersion.Document --output json)

# Test allowed action
aws iam simulate-custom-policy \
  --policy-input-list "$POLICY_DOC" \
  --action-names s3:GetObject \
  --resource-arns arn:aws:s3:::test-bucket-dev/data.json

# Test denied action
aws iam simulate-custom-policy \
  --policy-input-list "$POLICY_DOC" \
  --action-names s3:DeleteBucket \
  --resource-arns arn:aws:s3:::test-bucket-dev

Step 4: Review Results

The simulator returns one of these values in EvalDecision for each action tested:

  • allowed - An Allow statement matches the action and no Deny statement does
  • implicitDeny - No statement allows the action (the default when nothing matches)
  • explicitDeny - A Deny statement matches and overrides any Allow

Step 5: Iterate and Refine

Based on simulation results, adjust your policy configuration and re-deploy until the policy matches your security requirements.
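As an added example (not part of the original page or of the module it uses), a small Python harness that turns Steps 3 to 5 into a repeatable regression check: the expected decisions for the Step 1 policy are tabulated, each (action, resource) pair is sent to simulate_custom_policy through boto3 (assumed installed and credentialed), and every deviation is reported so re-deploys are driven by a failing check rather than by reading output by hand. The expectation table and SAMPLE_RESULTS are constructed; Expectation, find_mismatches and simulate_policy are names chosen here.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Expectation:
    action: str
    resource: str
    decision: str  # "allowed", "implicitDeny" or "explicitDeny"

# Expected behaviour of the Step 1 policy (constructed test table).
EXPECTATIONS = [
    Expectation("s3:GetObject", "arn:aws:s3:::test-bucket-dev/data.json", "allowed"),
    Expectation("s3:GetObject", "arn:aws:s3:::other-bucket/data.json", "implicitDeny"),
    Expectation("s3:DeleteBucket", "arn:aws:s3:::test-bucket-dev", "explicitDeny"),
    Expectation("dynamodb:DeleteTable",
                "arn:aws:dynamodb:us-east-1:123456789012:table/test-orders", "explicitDeny"),
]

def find_mismatches(eval_results, expectations):
    """Compare the simulator's EvaluationResults with the table. Returns
    (action, resource, expected, actual) per deviation; an empty list is a pass."""
    actual = {}
    for r in eval_results:
        # Single resource: decision is top-level; several: one per ResourceSpecificResults.
        for s in r.get("ResourceSpecificResults") or [r]:
            decision = s.get("EvalResourceDecision", r["EvalDecision"])
            actual[(r["EvalActionName"], s.get("EvalResourceName", "*"))] = decision
    return [(e.action, e.resource, e.decision, actual.get((e.action, e.resource), "missing"))
            for e in expectations
            if actual.get((e.action, e.resource), "missing") != e.decision]

def simulate_policy(policy_json, expectations, iam=None):
    """Run every (action, resource) pair in the table through simulate_custom_policy
    (policy_json is the policy document as a JSON string) and report mismatches."""
    import boto3  # imported here so find_mismatches runs without boto3 or credentials
    iam = iam or boto3.client("iam")
    results = []
    for e in expectations:
        resp = iam.simulate_custom_policy(PolicyInputList=[policy_json],
                                          ActionNames=[e.action], ResourceArns=[e.resource])
        results.extend(resp["EvaluationResults"])
    return find_mismatches(results, expectations)

# Constructed simulator output; the last entry is a deliberate regression
# (the DeleteTable deny no longer fires) that the check must report.
SAMPLE_RESULTS = [
    {"EvalActionName": "s3:GetObject", "EvalResourceName": "arn:aws:s3:::test-bucket-dev/data.json", "EvalDecision": "allowed"},
    {"EvalActionName": "s3:GetObject", "EvalResourceName": "arn:aws:s3:::other-bucket/data.json", "EvalDecision": "implicitDeny"},
    {"EvalActionName": "s3:DeleteBucket", "EvalResourceName": "arn:aws:s3:::test-bucket-dev", "EvalDecision": "explicitDeny"},
    {"EvalActionName": "dynamodb:DeleteTable", "EvalResourceName": "arn:aws:dynamodb:us-east-1:123456789012:table/test-orders", "EvalDecision": "allowed"},
]
```

Against SAMPLE_RESULTS, find_mismatches(SAMPLE_RESULTS, EXPECTATIONS) reports only the DeleteTable row; the same function handles the nested ResourceSpecificResults shape the simulator returns when several resources are tested in one call.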