import boto3 import json import pytest from botocore.exceptions import ClientError from moto import mock_iam invalid_policy_document_test_cases = [ { "document": "This is not a json document", "error_message": "Syntax errors in policy.", }, { "document": { "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", } }, "error_message": "Policy document must be version 2012-10-17 or greater.", }, { "document": { "Version": "2008-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Policy document must be version 2012-10-17 or greater.", }, { "document": { "Version": "2013-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": {"Version": "2012-10-17"}, "error_message": "Syntax errors in policy.", }, { "document": {"Version": "2012-10-17", "Statement": ["afd"]}, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, "Extra field": "value", }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Extra field": "value", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Id": ["cd3a324d2343d942772346-34234234423404-4c2242343242349d1642ee"], "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Id": {}, "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "invalid", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "invalid", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "a a:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Vendor a a is not valid", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:List:Bucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Actions/Condition can contain only one colon.", }, { "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3s:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, { "Effect": "Allow", "Action": "s:3s:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, ], }, "error_message": "Actions/Condition can contain only one colon.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "invalid resource", }, }, "error_message": 'Resource invalid resource must be in ARN format or "*".', }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "EnableDisableHongKong", "Effect": "Allow", "Action": ["account:EnableRegion", "account:DisableRegion"], "Resource": "", "Condition": { "StringEquals": {"account:TargetRegion": "ap-east-1"} }, }, { "Sid": "ViewConsole", "Effect": "Allow", "Action": ["aws-portal:ViewAccount", "account:ListRegions"], "Resource": "", }, ], }, "error_message": 'Resource must be in ARN format or "*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s:3:ListBucket", "Resource": "sdfsadf", }, }, "error_message": 'Resource sdfsadf must be in ARN format or "*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["adf"], }, }, "error_message": 'Resource adf must be in ARN format or "*".', }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ""}, }, "error_message": 'Resource must be in ARN format or "*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:bsdfdsafsad", }, }, "error_message": 'Partition "bsdfdsafsad" is not valid for resource "arn:bsdfdsafsad:*:*:*:*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:b:cadfsdf", }, }, "error_message": 'Partition "b" is not valid for resource "arn:b:cadfsdf:*:*:*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:b:c:d:e:f:g:h", }, }, "error_message": 'Partition "b" is not valid for resource "arn:b:c:d:e:f:g:h".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "aws:s3:::example_bucket", }, }, "error_message": 'Partition "s3" is not valid for resource "arn:s3:::example_bucket:*".', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:error:s3:::example_bucket", "arn:error:s3::example_bucket", ], }, }, "error_message": 'Partition "error" is not valid for resource "arn:error:s3:::example_bucket".', }, { "document": {"Version": "2012-10-17", "Statement": []}, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:ListBucket"}, }, "error_message": "Policy statement must contain resources.", }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": []}, }, "error_message": "Policy statement must contain resources.", }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "invalid"}, }, "error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.", }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket"}, }, "error_message": "Policy statement must contain actions.", }, { "document": { "Version": "2012-10-17", "Statement": { "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": {"Version": "2012-10-17", "Statement": {"Effect": "Allow"}}, "error_message": "Policy statement must contain actions.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [], "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Policy statement must contain actions.", }, { "document": { "Version": "2012-10-17", "Statement": [ {"Effect": "Deny"}, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, ], }, "error_message": "Policy statement must contain actions.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:::example_bucket", }, }, "error_message": 'IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.', }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3::example_bucket", }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "arn:aws:s3::example_bucket"}, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws", }, }, "error_message": "Resource vendor must be fully qualified and cannot contain regexes.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": {"a": "arn:aws:s3:::example_bucket"}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "s3:ListBucket", "Resource": ["adfdf", {}], }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "NotResource": [], }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": [[]], "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Action": [], "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": {}, "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": [], }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": "a", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"a": "b"}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": "b"}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": []}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": {}}}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": {}}}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"x": {"a": "1"}}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"ForAnyValue::StringEqualsIfExists": {"a": "asf"}}, }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": [ {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}} ], }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:us-east-1::example_bucket", }, }, "error_message": "IAM resource arn:aws:iam:us-east-1::example_bucket cannot contain region information.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:us-east-1::example_bucket", }, }, "error_message": "Resource arn:aws:s3:us-east-1::example_bucket can not contain region information.", }, { "document": { "Version": "2012-10-17", "Statement": { "Sid": {}, "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Sid": [], "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, {"Sid": "sdf", "Effect": "Allow"}, ], }, "error_message": "Statement IDs (SID) in a single policy must be unique.", }, { "document": { "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, {"Sid": "sdf", "Effect": "Allow"}, ] }, "error_message": "Policy document must be version 2012-10-17 or greater.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Action": "iam:dsf", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "NotResource": "*", }, }, "error_message": "Syntax errors in policy.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "denY", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": "sdfdsf"}}, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": "sdfdsf"}}, } }, "error_message": "Policy document must be version 2012-10-17 or greater.", }, { "document": { "Statement": { "Effect": "denY", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", } }, "error_message": "Policy document must be version 2012-10-17 or greater.", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Condition": {"DateGreaterThan": {"a": "sdfdsf"}}, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws::::example_bucket", }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "allow", "Resource": "arn:aws:s3:us-east-1::example_bucket", }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "aLLow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, {"Sid": "sdf", "Effect": "Allow"}, ], }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "NotResource": "arn:aws:s3::example_bucket", }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateLessThanEquals": {"a": "234-13"}}, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": {"a": "2016-12-13t2:00:00.593194+1"} }, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": {"a": "2016-12-13t2:00:00.1999999999+10:59"} }, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateLessThan": {"a": "9223372036854775808"}}, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:error:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": "sdfdsf"}}, }, }, "error_message": "The policy failed legacy parsing", }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws::fdsasf", }, }, "error_message": "The policy failed legacy parsing", }, ] valid_policy_documents = [ { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::example_bucket"], }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "iam: asdf safdsf af ", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::example_bucket", "*"], }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", } ], }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "service-prefix:action-name", "Resource": "*", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}, }, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "fsx:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:::user/example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s33:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:fdsasf", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:cloudwatch:us-east-1::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:ec2:us-east-1::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:invalid-service:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:invalid-service:us-east-1::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}, }, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": []}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"a": {}}, }, }, { "Version": "2012-10-17", "Statement": { "Sid": "dsfsdfsdfsdfsdfsadfsd", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleDisplay", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetUser", "iam:ListRoles", "iam:ListRoleTags", "iam:ListUsers", "iam:ListUserTags", ], "Resource": "*", }, { "Sid": "AddTag", "Effect": "Allow", "Action": ["iam:TagUser", "iam:TagRole"], "Resource": "*", "Condition": { "StringEquals": {"aws:RequestTag/CostCenter": ["A-123", "B-456"]}, "ForAllValues:StringEquals": {"aws:TagKeys": "CostCenter"}, }, }, ], }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "s3:*", "NotResource": [ "arn:aws:s3:::HRBucket/Payroll", "arn:aws:s3:::HRBucket/Payroll/*", ], }, }, { "Version": "2012-10-17", "Id": "sdfsdfsdf", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "aaaaaadsfdsafsadfsadfaaaaa:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3-s:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3.s:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "NotResource": "*", }, }, { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", }, ], }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateGreaterThan": {"a": "01T"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"x": {}, "y": {}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"StringEqualsIfExists": {"a": "asf"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"ForAnyValue:StringEqualsIfExists": {"a": "asf"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateLessThanEquals": {"a": "2019-07-01T13:20:15Z"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": {"a": "2016-12-13T21:20:37.593194+00:00"} }, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateLessThanEquals": {"a": "2016-12-13t2:00:00.593194+23"}}, }, }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"DateLessThan": {"a": "-292275054"}}, }, }, { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:ListVirtualMFADevices", ], "Resource": "*", }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetUser"], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow", "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"], "Resource": "arn:aws:iam::*:mfa/${aws:username}", }, { "Sid": "AllowManageOwnUserMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken", ], "Resource": "*", "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}, }, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ListAndDescribe", "Effect": "Allow", "Action": [ "dynamodb:List*", "dynamodb:DescribeReservedCapacity*", "dynamodb:DescribeLimits", "dynamodb:DescribeTimeToLive", ], "Resource": "*", }, { "Sid": "SpecificTable", "Effect": "Allow", "Action": [ "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem", ], "Resource": "arn:aws:dynamodb:*:*:table/MyTable", }, ], }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"], "Condition": { "ArnEquals": { "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id" } }, } ], }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": {"ec2:ResourceTag/Department": "Development"} }, }, { "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringEquals": {"ec2:ResourceTag/VolumeUser": "${aws:username}"} }, }, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "StartStopIfTags", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeTags", ], "Resource": "arn:aws:ec2:region:account-id:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project": "DataAnalytics", "aws:PrincipalTag/Department": "Data", } }, } ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ListYourObjects", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::bucket-name"], "Condition": { "StringLike": { "s3:prefix": [ "cognito/application-name/${cognito-identity.amazonaws.com:sub}" ] } }, }, { "Sid": "ReadWriteDeleteYourObjects", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], "Resource": [ "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*", ], }, ], }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*", }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name", "Condition": { "StringLike": {"s3:prefix": ["", "home/", "home/${aws:userid}/*"]} }, }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::bucket-name/home/${aws:userid}", "arn:aws:s3:::bucket-name/home/${aws:userid}/*", ], }, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleAccess", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListAllMyBuckets", ], "Resource": "*", }, { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::bucket-name"], }, { "Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object", "Resource": ["arn:aws:s3:::bucket-name/*"], }, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": ["iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"], "Resource": "*", }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": ["iam:ChangePassword", "iam:GetUser"], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential", ], "Resource": "arn:aws:iam::*:user/${aws:username}", }, ], }, { "Version": "2012-10-17", "Statement": [ { "Action": "ec2:*", "Resource": "*", "Effect": "Allow", "Condition": {"StringEquals": {"ec2:Region": "region"}}, } ], }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds:*", "Resource": ["arn:aws:rds:region:*:*"], }, {"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"]}, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": "rds:*", "Resource": ["arn:aws:rds:region:*:*"], }, { "Sid": "", "Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"], }, ], }, { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": ["s3:*"], "Resource": [ "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point", "arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*", ], }, ], }, ] @pytest.mark.parametrize("invalid_policy_document", invalid_policy_document_test_cases) @mock_iam def test_create_policy_with_invalid_policy_document(invalid_policy_document): conn = boto3.client("iam", region_name="us-east-1") with pytest.raises(ClientError) as ex: conn.create_policy( PolicyName="TestCreatePolicy", PolicyDocument=json.dumps(invalid_policy_document["document"]), ) resp = ex.value.response assert resp["Error"]["Code"] == "MalformedPolicyDocument" assert resp["ResponseMetadata"]["HTTPStatusCode"] == 400 assert resp["Error"]["Message"] == invalid_policy_document["error_message"] @pytest.mark.parametrize("valid_policy_document", valid_policy_documents) @mock_iam def test_create_policy_with_valid_policy_document(valid_policy_document): conn = boto3.client("iam", region_name="us-east-1") conn.create_policy( PolicyName="TestCreatePolicy", PolicyDocument=json.dumps(valid_policy_document) )