Compare iamsim to the IAM SimulateCustomPolicy API features.

Open dnmfarrell opened 3 weeks ago

SimulateCustomPolicy supports:

- `[]ActionNames` - eval permissions for these actions, no wildcards
- `CallerArn` - used by ResourcePolicy Principal, must be IAM user, not role etc.
- `[]ContextEntries` - optional request context vars can be used by policy conditions
- `[]PermissionsBoundaryPolicyInputList` - sets the permissions boundary for the simulation (is a list but only accepts one policy?).
- `[]PolicyInputList` - list of identity policies
- `[]ResourceArns` - list of resources to include in the simulation, defaults to `*`.
- `ResourceHandlingOption` - ec2 permission scenarios to run, e.g. EC2-VPC-EBS requires instance, image, security group, network interface and subnet resources to be specified.
- `ResourceOwner` - ARN of AWS account ID that owns all resources that do not identify their owner in their resource ARN. Defaults to `CallerArn`. Used for resource policy eval.
- `ResourcePolicy` - resource policy to include in the simulation.

Returns a list of evaluation results which mention SCP, even though that is not a parameter - perhaps if the CallerARN is a real IAM user and its organization has an SCP, it will be automatically applied?

In any case: `all/2`. `NotPrincipal`, `NotAction`, `NotResource` are kind of head-spinning and therefore useful to support to catch unintended changes.
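The inverted elements the issue calls head-spinning are easiest to reason about with a small offline evaluator. The following is an added example, not iamsim's code and not AWS's evaluator: it implements only the core logic (an explicit Deny anywhere wins, otherwise any matching Allow, otherwise implicit deny) for `Action`/`NotAction`, `Resource`/`NotResource` and `Principal`/`NotPrincipal` with IAM-style `*` and `?` wildcards, and it ignores conditions, SCPs and permissions boundaries. It returns the same `EvalDecision` strings SimulateCustomPolicy reports, and `simulate_request()` shows how the same inputs would be shaped for the real API (identity and resource policies as JSON strings, concrete action names, `CallerArn` as the principal the resource policy is matched against). All ARNs and policies are constructed.

```python
"""Offline check of NotPrincipal / NotAction / NotResource semantics.
Added example; not iamsim's or AWS's code. Sample ARNs and policies are constructed."""
import json
import re


def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(value, pattern, case_insensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _any_match(value, patterns, case_insensitive):
    return any(_wildcard_match(value, p, case_insensitive) for p in patterns)


def _principals(element):
    """Flatten a Principal/NotPrincipal element ("*" or {"AWS": [...], ...})."""
    if isinstance(element, str):
        return [element]
    return [p for values in element.values() for p in _as_list(values)]


def _element_applies(stmt, key, value, case_insensitive=False, flatten=_as_list):
    """True if the statement's <key> (or Not<key>) covers the value.
    A missing element (e.g. no Principal in an identity policy) applies to everything."""
    if key in stmt:
        return _any_match(value, flatten(stmt[key]), case_insensitive)
    if "Not" + key in stmt:
        return not _any_match(value, flatten(stmt["Not" + key]), case_insensitive)
    return True


def evaluate(policies, principal_arn, action, resource_arn):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny' for one concrete request.
    Action names match case-insensitively, ARNs case-sensitively, as in IAM."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_element_applies(stmt, "Action", action, case_insensitive=True)
                    and _element_applies(stmt, "Resource", resource_arn)
                    and _element_applies(stmt, "Principal", principal_arn,
                                         flatten=_principals)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"  # an explicit Deny overrides every Allow
            decision = "allowed"
    return decision


# Constructed sample principals and resources (hypothetical account and bucket).
ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"
OBJECT = "arn:aws:s3:::example-bucket/report.csv"
OTHER = "arn:aws:s3:::other-bucket/report.csv"

# Identity policy: an Allow with NotAction grants everything EXCEPT iam:* and
# organizations:*; a Deny with NotResource blocks writes anywhere but example-bucket.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject",
     "NotResource": "arn:aws:s3:::example-bucket/*"},
]}

# Resource (bucket) policy: a Deny with NotPrincipal locks the bucket to alice alone.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotPrincipal": {"AWS": ALICE}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def check_cases():
    """Decisions a simulation of the two policies above should produce."""
    policies = [IDENTITY_POLICY, BUCKET_POLICY]
    return {
        "alice_get": evaluate(policies, ALICE, "s3:GetObject", OBJECT),
        "bob_get": evaluate(policies, BOB, "s3:GetObject", OBJECT),
        "alice_iam": evaluate(policies, ALICE, "iam:CreateUser",
                              "arn:aws:iam::123456789012:user/carol"),
        "alice_put_other": evaluate(policies, ALICE, "s3:PutObject", OTHER),
        "alice_put_here": evaluate(policies, ALICE, "S3:PUTOBJECT", OBJECT),
    }


def simulate_request(caller_arn, actions, resources):
    """Kwargs for boto3's iam.simulate_custom_policy() built from the same inputs:
    policies go in as JSON strings, ActionNames must be concrete (no wildcards)."""
    return {
        "PolicyInputList": [json.dumps(IDENTITY_POLICY)],
        "ResourcePolicy": json.dumps(BUCKET_POLICY),
        "CallerArn": caller_arn,
        "ActionNames": actions,
        "ResourceArns": resources,
    }


if __name__ == "__main__":
    print(json.dumps(check_cases(), indent=2))
```

Running it shows the pattern a policy diff should catch: alice is allowed `s3:GetObject` on the object, bob gets `explicitDeny` from the NotPrincipal statement even though the identity policy allows him, `iam:CreateUser` is an `implicitDeny` because NotAction never covers it, and `s3:PutObject` is explicitly denied on the other bucket but allowed on example-bucket. A change that drops one entry from a NotAction or NotPrincipal list widens access rather than narrowing it, which is the unintended-change case the issue wants iamsim to surface.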