mayconfsbrito

Reputation: 2433

AWS CLI/boto3 - Is it possible to know if a role or policy has permissions over a resource?

I would like to know if I can check if a policy or role can see, list, or edit a resource.

It can be any type of resource: S3 bucket, Secrets Manager, EC2 instance, etc.

I will try to do this through boto3 as well.

Upvotes: 0

Views: 1354

Answers (1)

John Rotenstein

Reputation: 270184

You can test IAM policies with the IAM policy simulator (AWS Identity and Access Management documentation: "Test IAM policies with the IAM policy simulator"). This allows you to specify a policy and a resource (including conditions) and test whether the API call would be permitted.

If you wish to do this via boto3, you can use simulate_custom_policy():

Simulate how a set of IAM policies and optionally a resource-based policy works with a list of API operations and AWS resources to determine the policies' effective permissions. The policies are provided as strings.

The simulation does not perform the API operations; it only checks the authorization to determine if the simulated policies allow or deny the operations.

If you want to simulate existing policies that are attached to an IAM user, group, or role, use simulate_principal_policy() instead.

Upvotes: 2
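To turn the answer's simulate_principal_policy() suggestion into a reusable check, here is an added example (not code from the answer or from the boto3 documentation): it asks the simulator whether an existing role may perform a list of actions on a list of resource ARNs and reports the pairs that are not allowed. The role ARN and bucket are placeholders, and the IAM client is passed in as a parameter so the function can be exercised without credentials.

```python
"""Ask the IAM policy simulator whether a principal may perform given actions on
given resources, without executing them. Added example, not from the post."""


def summarize_results(evaluation_results):
    """Flatten EvaluationResults into {(action, resource): decision}, where a
    decision is 'allowed', 'explicitDeny' or 'implicitDeny'. Per-resource
    outcomes in ResourceSpecificResults win over the action-level EvalDecision."""
    decisions = {}
    for result in evaluation_results:
        action = result["EvalActionName"]
        per_resource = result.get("ResourceSpecificResults") or []
        for item in per_resource:
            decisions[(action, item["EvalResourceName"])] = item["EvalResourceDecision"]
        if not per_resource:
            decisions[(action, result.get("EvalResourceName", "*"))] = result["EvalDecision"]
    return decisions


def check_principal_access(iam_client, principal_arn, actions, resource_arns):
    """Simulate the policies attached to an existing user, group or role.
    The paginator follows IsTruncated/Marker so no result page is skipped."""
    paginator = iam_client.get_paginator("simulate_principal_policy")
    pages = paginator.paginate(
        PolicySourceArn=principal_arn,
        ActionNames=list(actions),
        ResourceArns=list(resource_arns),
    )
    decisions = {}
    for page in pages:
        decisions.update(summarize_results(page["EvaluationResults"]))
    return decisions


def denied_pairs(decisions):
    """(action, resource) pairs the principal may NOT perform, sorted."""
    return sorted(p for p, decision in decisions.items() if decision != "allowed")


if __name__ == "__main__":
    import boto3  # live call: needs credentials holding iam:SimulatePrincipalPolicy

    # Hypothetical role ARN and bucket, replace with your own.
    role = "arn:aws:iam::123456789012:role/ReadOnlyRole"
    objects = "arn:aws:s3:::example-bucket/*"
    found = check_principal_access(
        boto3.client("iam"), role, ["s3:GetObject", "s3:PutObject"], [objects])
    for (action, resource), decision in sorted(found.items()):
        print(f"{action} on {resource}: {decision}")
```

If the attached policies carry Condition elements, supply the relevant keys through ContextEntries; otherwise the simulator lists them under MissingContextValues and the returned decision may not match what a real call would get.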
