The CLI IAM Policy Simulate options does not allow the user to uncheck SCP evaluations like the console

[galley234]

Is your feature request related to a problem? Please describe. We have SCP policies that have conditionals which break the policy simulator today. For this reason we cannot use the policy simulator without the ability to unselect SCPs during the policy evaluation. The console allows this by passing simulateOrganizations: false

Describe the solution you'd like I'd like the policy simulator apis to support simulateOrganizations true or false

Describe alternatives you've considered I am unaware of any other options. I considered attempting to monkey patch cli to send the value over, but decided to request the feature.

Additional context I was able to see the simulateOrganizations: false through chrome debugging. We use this functionality to evaluate total permissions.

[kdaily]

Hi @galley234, thanks for your feature request. I'm going to reach out to the IAM team to see about this.

[galley234]

Do you need more information??

[galley234]

I am curious about when this could be delivered. The functionality is basically broken unless the option is added. Any insight would be appreciated. Many Thanks! Gary

[kdaily]

@galley234, I've requested an update from the IAM team. I haven't heard anything back as of yet.

[kdaily]

Since this is related to the service and not the CLI, I'm going to transfer this issue. It will remain open for your tracking.

[kdaily]

P44247253

[missphyrgames]

I'd also like an update on this as I have come across the same issue as @galley234 and found that the Policy Simulator on the AWS website sends simulateOrganizations: false when the SCP box is unchecked. The policy simulator in the SDK and CLI therefore give different results to the website (with the results from the SDK and CLI being incorrect for me).

Also, what is P44247253 that you have posted above @kdaily?

[kdaily]

Hi @missphyrgames and @galley234, thanks for your patience. I'll check in again with the service team.

[wimvanleuven]

The extra parameter SimulateOrganizations: false is missing on the API as well as per the docs. Boto3 misses it too ... So, there is no way to script or automate policy simulations in case you need to disable the SCPs.

What was the feedback from service and other teams?

[lerljaku]

@kdaily whats their response?

[tim-finnigan]

Checking in - a service team member mentioned on the corresponding ticket for this that policy simulator does not support SCP with condition key. This is the case for both the API and console. Below is the excerpt from the documentation:

You can't test AWS Organizations service control policies (SCPs) with global condition keys.

(https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html)

Does that address the issue here? I don't have as much context on this but you could also try reaching out to AWS Support for more information.

[galley234]

I don't really think it addresses the actual issue. The CLI, simulator all of it, should support this. As the person who opened this issue, this is beyond just a little frustrating. At the end of the day what this means is the simulator is of little value with it's scp feature if it doesn't support global condition keys. Why even have supposed SCP support. Since the service acknowledges that you can't use global condition keys, I guess that closes this issue.

[tim-finnigan]

Hi @galley234 thanks for following up and sorry to hear your frustrations. I followed up with the service team regarding this feature request and it is still being tracked internally so we can continue tracking the issue here as well. Several others have reached out requesting IAM Policy Simulator support for global keys in SCP conditions and the feedback here has been noted as well. If this is a major blocker for you then I'll again recommend reaching out to AWS Support for more direct correspondence. Otherwise I'll update this issue when I hear anything new related to it.

[wimvanleuven]

I'm starting to wonder what the proposed solution here is:

1. align API and CLI with the console functionality, i.e. to be able to run a simulation by not applying the SCPs
2. Have the policy simulator (CLI, API and console) support SCP

I can imaging (1) should be fairly easy to implement as the console already supports this feature. It would simply align functionalities of API, CLI and console. Option (2) on the other hand might be a big/huge endeavor.

I'm soliciting only for (1) now: our problem is not being able to test policies (without SCP) from outside the console, i.e. our IAC environment.

[venutm]

@tim-finnigan is having policy simulator support SCP in the roadmap? If yes when can we expect?

[tim-finnigan]

Hi @venutm it isn't officially on the team's roadmap but the PM told me that they do plan to prioritize this at some point. I don't have an official ETA on the implementation - I'll post updates here when I have them but as mentioned earlier in this issue you can out to AWS Support if you want to open a direct line of communication.

[jayush]

+1, we also need this. Why is this not being prioritized? At the very least UI and API/CLI should be in sync

[sp-ricard-valverde]

The reason for us to support the same "exclude Organization SCP" option in the CLI as the Web is that we have some Org SCP defined that completely disallow some regions. For some reason the simulator always returns denied in the Web or implicitDeny by Org because it seems unable to discern regions where the SCP applies. In the Web we can overcome this issue by unchecking the SCP option, but using the CLI for our automated tools is currently imposible as inside our Org, no matter what it always gives implicitDeny.

[almeida-matheus]

I have an SCP that denies access in regions that I don't use, so when running a simulation in which the action is from a regional service, it always returns an implicitDeny error

This functionality of disabling SCPs applied to accounts to run the policy simulator via SDK and CLI or the possibility to specify regions would be very useful

[tim-finnigan]

Checking in again and sharing documentation for reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

If your AWS account is a member of an organization in AWS Organizations, then you can test the impact of service control policies (SCPs) on your identity-based policies.

Note The policy simulator doesn't evaluate SCPs that have global conditions.

There's no documentation on simulateOrganizations but this issue has been escalated to the service so they are aware. As previously mentioned we recommend reaching out to AWS Support for any further updates and information.

[github-actions[bot]]

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.