1
00:00:00,220 --> 00:00:02,008
Okay, so now we have a policy,

2
00:00:02,008 --> 00:00:04,568
and I will just remove the S3 full access,

3
00:00:04,568 --> 00:00:06,881
just for the fun, and I will also detach

4
00:00:06,881 --> 00:00:09,859
the test custom policy that we had created before.

5
00:00:09,859 --> 00:00:12,757
Okay? Now we wanna test this policy,

6
00:00:12,757 --> 00:00:15,298
which only allows us to read things.

7
00:00:15,298 --> 00:00:20,048
So, something you can use is called the AWS Policy Simulator.

8
00:00:21,277 --> 00:00:25,548
And that's basically a tool online to test your policies.

9
00:00:25,548 --> 00:00:29,019
So for this you can just access it using this link.

10
00:00:29,019 --> 00:00:30,557
So I'll just click on this.

11
00:00:30,557 --> 00:00:32,619
And this IAM Policy Simulator is basically saying,

12
00:00:32,619 --> 00:00:35,439
okay, what policy do we have?

13
00:00:35,439 --> 00:00:38,149
And then, how do we simulate stuff?

14
00:00:38,149 --> 00:00:42,319
So for example, you can look for a user, a group, or a role.

15
00:00:42,319 --> 00:00:45,559
And for this time, I'll choose my first EC2 role.

16
00:00:45,559 --> 00:00:48,007
And here is the policy that it has.

17
00:00:48,007 --> 00:00:51,068
It has the Amazon S3 read-only access.

18
00:00:51,068 --> 00:00:52,428
Now I'm going to select the service,

19
00:00:52,428 --> 00:00:54,538
I'm going to select Amazon S3,

20
00:00:54,538 --> 00:00:58,068
so I just have to find it in this whole bunch of services.

21
00:00:58,068 --> 00:01:01,628
Then an action, let's call it, get object,

22
00:01:01,628 --> 00:01:03,517
and then this is it!

23
00:01:03,517 --> 00:01:06,466
Now I'm going to say, okay, just run a simulation,

24
00:01:06,466 --> 00:01:09,647
and it says okay, yes, you can run a get object

25
00:01:09,647 --> 00:01:11,388
on this statement.

26
00:01:11,388 --> 00:01:15,837
Now we can also say, hey, how about list buckets.

27
00:01:15,837 --> 00:01:17,310
We'll run a simulation, and it says,

28
00:01:17,310 --> 00:01:19,049
yes, it's allowed, right?

29
00:01:19,049 --> 00:01:21,882
Now if we add a put object to this

30
00:01:22,877 --> 00:01:25,230
and run the simulation, it says denied.

31
00:01:25,230 --> 00:01:26,617
It is implicitly denied,

32
00:01:26,617 --> 00:01:28,097
there is no matching statement.

33
00:01:28,097 --> 00:01:30,238
So indeed, in our read-only access,

34
00:01:30,238 --> 00:01:33,190
we haven't given the right to put an object.

35
00:01:33,190 --> 00:01:34,967
And you could obviously drill down and stuff,

36
00:01:34,967 --> 00:01:36,249
but this is really nice.

37
00:01:36,249 --> 00:01:37,998
In here it shows you the statements

38
00:01:37,998 --> 00:01:40,689
that matched when there is an allowance,

39
00:01:40,689 --> 00:01:43,749
make sure the statement that matched in the policy.

40
00:01:43,749 --> 00:01:45,202
So it's really, really nice.

41
00:01:45,202 --> 00:01:47,457
This policy simulator tool can save you hours

42
00:01:47,457 --> 00:01:50,078
in case a statement is denied.

43
00:01:50,078 --> 00:01:53,387
So that's way number one to test policies.

44
00:01:53,387 --> 00:01:57,006
Way number two is to directly use the CLI.

45
00:01:57,006 --> 00:01:59,279
So let's give it a go in the next lecture.