0.1.45 • Published 4 months ago

@cloud-copilot/iam-simulate v0.1.45

License
AGPL-3.0-or-later
Last release
4 months ago

IAM Simulate


An AWS IAM Simulator and Policy Tester built as a Node/Typescript library.

The simulator currently supports these features of AWS IAM:

IAM Feature Support

  • Identity Policies
  • Resource Policies
  • Service Control Policies
  • Resource Control Policies
  • Permission Boundaries
  • All AWS Condition Operators
  • Same Account and Cross Account Requests
  • Custom trust behavior for IAM Trust Policies and KMS Key Policies

Request Validation

iam-simulate will automatically validate inputs, including:

  • IAM policies using iam-policy
  • IAM Actions using iam-data
  • The resource ARN against allowed resource types for the action
  • The context keys allowed for the action/resource and their types.

Currently all global condition keys are accepted for all requests, which is more permissive than AWS actually is (not every global key is available for every action). More validation will be added in the future.

Explanation

iam-simulate will detail which statements were decisive in the final decision to allow or deny a request.

It will also return "explains" for each statement that was evaluated, detailing why that statement applied to the request or not.

Features Coming Soon

  • Session Policies
  • Validation of Global Condition Keys for each action
  • Automatically populating context keys from the request such as aws:PrincipalServiceName
  • Support for anonymous requests

Installation

npm install @cloud-copilot/iam-simulate

Usage

import { runSimulation, type Simulation } from '@cloud-copilot/iam-simulate'

const simulation: Simulation = {
  identityPolicies: [
    {
      name: 'userpolicy',
      policy: {
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Allow',
            Action: ['s3:GetObject'],
            Resource: ['arn:aws:s3:::mybucket/*']
          }
        ]
      }
    }
  ],
  serviceControlPolicies: [
    {
      orgIdentifier: 'ou-12345',
      policies: [
        {
          name: 'AllowAll',
          policy: {
            Version: '2012-10-17',
            Statement: [
              {
                Effect: 'Allow',
                Action: '*',
                Resource: '*'
              }
            ]
          }
        }
      ]
    }
  ],
  resourcePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: ['s3:GetObject'],
        Resource: ['arn:aws:s3:::mybucket/*'],
        // A bare string Principal is only valid for '*'; an account/role/user ARN goes under the AWS key
        Principal: { AWS: 'arn:aws:iam::123456789012:root' },
        Condition: {
          StringEquals: {
            'aws:PrincipalOrgID': 'o-123456789012'
          }
        }
      }
    ]
  },
  request: {
    action: 's3:GetObject',
    principal: 'arn:aws:iam::123456789012:user/username',
    resource: {
      accountId: '123456789012',
      resource: 'arn:aws:s3:::mybucket/file.txt'
    },
    contextVariables: {
      'aws:PrincipalOrgID': 'o-123456789012'
    }
  }
}

const result = await runSimulation(simulation, {})
//Check for validation errors:
if (result.errors) {
  console.log(result.errors.message)
  console.log(JSON.stringify(result.errors, null, 2))
}

//The simulation ran successfully
if (result.analysis) {
  console.log(result.analysis.result) // 'Allowed', 'ExplicitlyDenied', or 'ImplicitlyDenied'

  //Output the identity statements that allowed the request
  const identityAllowExplains =
    result?.analysis?.identityAnalysis?.allowStatements.map((s) => s.explain) || []
  //Show which statements applied and exactly how.
  for (const explain of identityAllowExplains) {
    console.log(explain)
  }
}

This would output an explain that shows how the identity statement was evaluated:

{
  effect: 'Allow',
  identifier: '1',
  matches: true,
  actionMatch: true,
  principalMatch: 'Match',
  resourceMatch: true,
  conditionMatch: true,
  resources: [
    {
      resource: 'arn:aws:s3:::mybucket/*',
      matches: true,
    }
  ],
  actions: [ { action: 's3:GetObject', matches: true } ],
}
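To make the three result values above concrete, here is an added example (not the library's code) that re-implements, in a compact form, the evaluation order iam-simulate models: a matching Deny in any policy set wins, the SCP set must grant the action, and then a same-account request needs an identity or resource-policy allow while a cross-account request needs both. It assumes simplifications the real simulator does not make: the Principal element is not matched, only the StringEquals operator is implemented, permission boundaries and RCPs are omitted, and SCPs are treated as one flat set.

```typescript
// Added example, not @cloud-copilot/iam-simulate's own code. Simplified: Principal is
// not matched, only StringEquals is implemented, no boundaries/RCPs, SCPs are one flat set.
type Stmt = {
  Effect: 'Allow' | 'Deny'
  Action: string | string[]
  Resource: string | string[]
  Condition?: { StringEquals?: Record<string, string> }
}
type Policy = { Version: string; Statement: Stmt[] }
type Req = { action: string; resource: string; resourceAccount: string; principalAccount: string; context: Record<string, string> }
type Explain = { effect: string; identifier: string; matches: boolean; actionMatch: boolean; resourceMatch: boolean; conditionMatch: boolean }
type Decision = 'Allow' | 'Deny' | 'Implicit'

const list = (v: string | string[]) => (Array.isArray(v) ? v : [v])

// IAM-style wildcard: '*' matches any run of characters, '?' one character; action names are case-insensitive
function globMatch(pattern: string, value: string, ignoreCase = false): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.')
  return new RegExp(`^${escaped}$`, ignoreCase ? 'i' : '').test(value)
}

// One explain per statement, in the same shape the README output shows
function explainStatement(s: Stmt, index: number, req: Req): Explain {
  const actionMatch = list(s.Action).some((a) => globMatch(a, req.action, true))
  const resourceMatch = list(s.Resource).some((r) => globMatch(r, req.resource))
  const conditionMatch = Object.entries(s.Condition?.StringEquals ?? {}).every(([k, v]) => req.context[k] === v)
  return { effect: s.Effect, identifier: String(index + 1), matches: actionMatch && resourceMatch && conditionMatch, actionMatch, resourceMatch, conditionMatch }
}

// Within one policy set: a matching Deny beats any Allow; no matching statement is an implicit deny
function decide(policies: Policy[], req: Req): { decision: Decision; explains: Explain[] } {
  const explains = policies.flatMap((p) => p.Statement.map((s, i) => explainStatement(s, i, req)))
  const hits = explains.filter((e) => e.matches)
  const decision: Decision = hits.some((e) => e.effect === 'Deny') ? 'Deny' : hits.length ? 'Allow' : 'Implicit'
  return { decision, explains }
}

function simulate(identity: Policy[], scps: Policy[], resourcePolicy: Policy | undefined, req: Req) {
  const id = decide(identity, req)
  const scp = decide(scps, req)
  const rp = resourcePolicy ? decide([resourcePolicy], req) : { decision: 'Implicit' as Decision, explains: [] as Explain[] }
  let result: 'Allowed' | 'ExplicitlyDenied' | 'ImplicitlyDenied'
  if ([id, scp, rp].some((d) => d.decision === 'Deny')) result = 'ExplicitlyDenied'
  else if (scp.decision !== 'Allow') result = 'ImplicitlyDenied' // the SCP set must grant the action
  else if (req.resourceAccount !== req.principalAccount)
    result = id.decision === 'Allow' && rp.decision === 'Allow' ? 'Allowed' : 'ImplicitlyDenied' // cross-account: both sides
  else result = id.decision === 'Allow' || rp.decision === 'Allow' ? 'Allowed' : 'ImplicitlyDenied' // same account: either side
  return { result, identityExplains: id.explains, scpExplains: scp.explains, resourceExplains: rp.explains }
}
```

Feeding it the policies from the Usage section yields 'Allowed' with the identity explain shown above; adding an SCP that denies s3:* flips the result to 'ExplicitlyDenied', and removing every SCP allow yields 'ImplicitlyDenied'.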