import json import boto3 from botocore.exceptions import ClientError from nose.tools import assert_raises from moto import mock_iam invalid_policy_document_test_cases = [ { "document": "This is not a json document", "error_message": 'Syntax errors in policy.' }, { "document": { "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Policy document must be version 2012-10-17 or greater.' }, { "document": { "Version": "2008-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Policy document must be version 2012-10-17 or greater.' }, { "document": { "Version": "2013-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17" }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": ["afd"] }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, "Extra field": "value" }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Extra field": "value" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Id": ["cd3a324d2343d942772346-34234234423404-4c2242343242349d1642ee"], "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Id": {}, "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "invalid", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "invalid", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "a a:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Vendor a a is not valid' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:List:Bucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Actions/Condition can contain only one colon.' }, { "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3s:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, { "Effect": "Allow", "Action": "s:3s:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } ] }, "error_message": 'Actions/Condition can contain only one colon.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "invalid resource" } }, "error_message": 'Resource invalid resource must be in ARN format or "*".' }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "EnableDisableHongKong", "Effect": "Allow", "Action": [ "account:EnableRegion", "account:DisableRegion" ], "Resource": "", "Condition": { "StringEquals": {"account:TargetRegion": "ap-east-1"} } }, { "Sid": "ViewConsole", "Effect": "Allow", "Action": [ "aws-portal:ViewAccount", "account:ListRegions" ], "Resource": "" } ] }, "error_message": 'Resource must be in ARN format or "*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s:3:ListBucket", "Resource": "sdfsadf" } }, "error_message": 'Resource sdfsadf must be in ARN format or "*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["adf"] } }, "error_message": 'Resource adf must be in ARN format or "*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "" } }, "error_message": 'Resource must be in ARN format or "*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:bsdfdsafsad" } }, "error_message": 'Partition "bsdfdsafsad" is not valid for resource "arn:bsdfdsafsad:*:*:*:*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:b:cadfsdf" } }, "error_message": 'Partition "b" is not valid for resource "arn:b:cadfsdf:*:*:*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Resource": "a:b:c:d:e:f:g:h" } }, "error_message": 'Partition "b" is not valid for resource "arn:b:c:d:e:f:g:h".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "aws:s3:::example_bucket" } }, "error_message": 'Partition "s3" is not valid for resource "arn:s3:::example_bucket:*".' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:error:s3:::example_bucket", "arn:error:s3::example_bucket" ] } }, "error_message": 'Partition "error" is not valid for resource "arn:error:s3:::example_bucket".' }, { "document": { "Version": "2012-10-17", "Statement": [] }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket" } }, "error_message": 'Policy statement must contain resources.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [] } }, "error_message": 'Policy statement must contain resources.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "invalid" } }, "error_message": 'Policy statement must contain resources.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Policy statement must contain actions.' }, { "document": { "Version": "2012-10-17", "Statement": { "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow" } }, "error_message": 'Policy statement must contain actions.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": [], "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Policy statement must contain actions.' }, { "document": { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } ] }, "error_message": 'Policy statement must contain actions.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:::example_bucket" } }, "error_message": 'IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Resource": "arn:aws:s3::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws" } }, "error_message": 'Resource vendor must be fully qualified and cannot contain regexes.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": { "a": "arn:aws:s3:::example_bucket" } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "s3:ListBucket", "Resource": ["adfdf", {}] } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "NotResource": [] } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": [[]], "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3s:ListBucket", "Action": [], "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": {}, "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": [] } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": "a" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "a": "b" } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": "b" } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": [] } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"a": {}} } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"a": {}} } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "x": { "a": "1" } } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "ForAnyValue::StringEqualsIfExists": { "a": "asf" } } } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": [ {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}} ] } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:us-east-1::example_bucket" } }, "error_message": 'IAM resource arn:aws:iam:us-east-1::example_bucket cannot contain region information.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:us-east-1::example_bucket" } }, "error_message": 'Resource arn:aws:s3:us-east-1::example_bucket can not contain region information.' }, { "document": { "Version": "2012-10-17", "Statement": { "Sid": {}, "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Sid": [], "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, { "Sid": "sdf", "Effect": "Allow" } ] }, "error_message": 'Statement IDs (SID) in a single policy must be unique.' }, { "document": { "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, { "Sid": "sdf", "Effect": "Allow" } ] }, "error_message": 'Policy document must be version 2012-10-17 or greater.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Action": "iam:dsf", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "NotResource": "*" } }, "error_message": 'Syntax errors in policy.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "denY", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"a": "sdfdsf"} } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"a": "sdfdsf"} } } }, "error_message": 'Policy document must be version 2012-10-17 or greater.' }, { "document": { "Statement": { "Effect": "denY", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, "error_message": 'Policy document must be version 2012-10-17 or greater.' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Condition": { "DateGreaterThan": {"a": "sdfdsf"} } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws::::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "allow", "Resource": "arn:aws:s3:us-east-1::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "aLLow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, { "Sid": "sdf", "Effect": "Allow" } ] }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "NotResource": "arn:aws:s3::example_bucket" } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "234-13" } } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "2016-12-13t2:00:00.593194+1" } } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "2016-12-13t2:00:00.1999999999+10:59" } } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThan": { "a": "9223372036854775808" } } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:error:s3:::example_bucket", "Condition": { "DateGreaterThan": { "a": "sdfdsf" } } } }, "error_message": 'The policy failed legacy parsing' }, { "document": { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws::fdsasf" } }, "error_message": 'The policy failed legacy parsing' } ] valid_policy_documents = [ { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::example_bucket" ] } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "iam: asdf safdsf af ", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": [ "arn:aws:s3:::example_bucket", "*" ] } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } ] }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "service-prefix:action-name", "Resource": "*", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"} } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "fsx:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:iam:::user/example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s33:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:fdsasf" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {} } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}} } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:cloudwatch:us-east-1::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:ec2:us-east-1::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:invalid-service:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:invalid-service:us-east-1::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"}, "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"} } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {} } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": {"a": []} } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "a": {} } } }, { "Version": "2012-10-17", "Statement": { "Sid": "dsfsdfsdfsdfsdfsadfsd", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleDisplay", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:GetUser", "iam:ListRoles", "iam:ListRoleTags", "iam:ListUsers", "iam:ListUserTags" ], "Resource": "*" }, { "Sid": "AddTag", "Effect": "Allow", "Action": [ "iam:TagUser", "iam:TagRole" ], "Resource": "*", "Condition": { "StringEquals": { "aws:RequestTag/CostCenter": [ "A-123", "B-456" ] }, "ForAllValues:StringEquals": {"aws:TagKeys": "CostCenter"} } } ] }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Deny", "Action": "s3:*", "NotResource": [ "arn:aws:s3:::HRBucket/Payroll", "arn:aws:s3:::HRBucket/Payroll/*" ] } }, { "Version": "2012-10-17", "Id": "sdfsdfsdf", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "aaaaaadsfdsafsadfsadfaaaaa:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3-s:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3.s:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "NotAction": "s3:ListBucket", "NotResource": "*" } }, { "Version": "2012-10-17", "Statement": [ { "Sid": "sdf", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } ] }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateGreaterThan": { "a": "01T" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "x": { }, "y": {} } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "StringEqualsIfExists": { "a": "asf" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "ForAnyValue:StringEqualsIfExists": { "a": "asf" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "2019-07-01T13:20:15Z" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "2016-12-13T21:20:37.593194+00:00" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThanEquals": { "a": "2016-12-13t2:00:00.593194+23" } } } }, { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket", "Condition": { "DateLessThan": { "a": "-292275054" } } } }, { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary", "iam:ListVirtualMFADevices" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow", "Action": [ "iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice" ], "Resource": "arn:aws:iam::*:mfa/${aws:username}" }, { "Sid": "AllowManageOwnUserMFA", "Effect": "Allow", "Action": [ "iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny", "NotAction": [ "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser", "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken" ], "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ListAndDescribe", "Effect": "Allow", "Action": [ "dynamodb:List*", "dynamodb:DescribeReservedCapacity*", "dynamodb:DescribeLimits", "dynamodb:DescribeTimeToLive" ], "Resource": "*" }, { "Sid": "SpecificTable", "Effect": "Allow", "Action": [ "dynamodb:BatchGet*", "dynamodb:DescribeStream", "dynamodb:DescribeTable", "dynamodb:Get*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchWrite*", "dynamodb:CreateTable", "dynamodb:Delete*", "dynamodb:Update*", "dynamodb:PutItem" ], "Resource": "arn:aws:dynamodb:*:*:table/MyTable" } ] }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": [ "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" ], "Condition": { "ArnEquals": {"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"} } } ] }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:instance/*", "Condition": { "StringEquals": {"ec2:ResourceTag/Department": "Development"} } }, { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:DetachVolume" ], "Resource": "arn:aws:ec2:*:*:volume/*", "Condition": { "StringEquals": {"ec2:ResourceTag/VolumeUser": "${aws:username}"} } } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "StartStopIfTags", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances", "ec2:DescribeTags" ], "Resource": "arn:aws:ec2:region:account-id:instance/*", "Condition": { "StringEquals": { "ec2:ResourceTag/Project": "DataAnalytics", "aws:PrincipalTag/Department": "Data" } } } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ListYourObjects", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::bucket-name"], "Condition": { "StringLike": { "s3:prefix": ["cognito/application-name/${cognito-identity.amazonaws.com:sub}"] } } }, { "Sid": "ReadWriteDeleteYourObjects", "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}", "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*" ] } ] }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation" ], "Resource": "*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name", "Condition": { "StringLike": { "s3:prefix": [ "", "home/", "home/${aws:userid}/*" ] } } }, { "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::bucket-name/home/${aws:userid}", "arn:aws:s3:::bucket-name/home/${aws:userid}/*" ] } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "ConsoleAccess", "Effect": "Allow", "Action": [ "s3:GetAccountPublicAccessBlock", "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicyStatus", "s3:GetBucketPublicAccessBlock", "s3:ListAllMyBuckets" ], "Resource": "*" }, { "Sid": "ListObjectsInBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": ["arn:aws:s3:::bucket-name"] }, { "Sid": "AllObjectActions", "Effect": "Allow", "Action": "s3:*Object", "Resource": ["arn:aws:s3:::bucket-name/*"] } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowViewAccountInfo", "Effect": "Allow", "Action": [ "iam:GetAccountPasswordPolicy", "iam:GetAccountSummary" ], "Resource": "*" }, { "Sid": "AllowManageOwnPasswords", "Effect": "Allow", "Action": [ "iam:ChangePassword", "iam:GetUser" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnAccessKeys", "Effect": "Allow", "Action": [ "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys", "iam:UpdateAccessKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow", "Action": [ "iam:DeleteSigningCertificate", "iam:ListSigningCertificates", "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow", "Action": [ "iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys", "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey" ], "Resource": "arn:aws:iam::*:user/${aws:username}" }, { "Sid": "AllowManageOwnGitCredentials", "Effect": "Allow", "Action": [ "iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential", "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential", "iam:UpdateServiceSpecificCredential" ], "Resource": "arn:aws:iam::*:user/${aws:username}" } ] }, { "Version": "2012-10-17", "Statement": [ { "Action": "ec2:*", "Resource": "*", "Effect": "Allow", "Condition": { "StringEquals": { "ec2:Region": "region" } } } ] }, { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds:*", "Resource": ["arn:aws:rds:region:*:*"] }, { "Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"] } ] }, { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": "rds:*", "Resource": ["arn:aws:rds:region:*:*"] }, { "Sid": "", "Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"] } ] } ] def test_create_policy_with_invalid_policy_documents(): for test_case in invalid_policy_document_test_cases: yield check_create_policy_with_invalid_policy_document, test_case def test_create_policy_with_valid_policy_documents(): for valid_policy_document in valid_policy_documents: yield check_create_policy_with_valid_policy_document, valid_policy_document @mock_iam def check_create_policy_with_invalid_policy_document(test_case): conn = boto3.client('iam', region_name='us-east-1') with assert_raises(ClientError) as ex: conn.create_policy( PolicyName="TestCreatePolicy", PolicyDocument=json.dumps(test_case["document"])) ex.exception.response['Error']['Code'].should.equal('MalformedPolicyDocument') ex.exception.response['ResponseMetadata']['HTTPStatusCode'].should.equal(400) ex.exception.response['Error']['Message'].should.equal(test_case["error_message"]) @mock_iam def check_create_policy_with_valid_policy_document(valid_policy_document): conn = boto3.client('iam', region_name='us-east-1') conn.create_policy( PolicyName="TestCreatePolicy", PolicyDocument=json.dumps(valid_policy_document))