moto/tests/test_iam/test_iam_policies.py
2023-11-30 14:55:51 -01:00

1650 lines
50 KiB
Python

import json
import boto3
import pytest
from botocore.exceptions import ClientError
from moto import mock_iam
invalid_policy_document_test_cases = [
{
"document": "This is not a json document",
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
}
},
"error_message": "Policy document must be version 2012-10-17 or greater.",
},
{
"document": {
"Version": "2008-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Policy document must be version 2012-10-17 or greater.",
},
{
"document": {
"Version": "2013-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {"Version": "2012-10-17"},
"error_message": "Syntax errors in policy.",
},
{
"document": {"Version": "2012-10-17", "Statement": ["afd"]},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
"Extra field": "value",
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Extra field": "value",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Id": ["cd3a324d2343d942772346-34234234423404-4c2242343242349d1642ee"],
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Id": {},
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "invalid",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "invalid",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "a a:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Vendor a a is not valid",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:List:Bucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Actions/Condition can contain only one colon.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3s:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
{
"Effect": "Allow",
"Action": "s:3s:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
],
},
"error_message": "Actions/Condition can contain only one colon.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "invalid resource",
},
},
"error_message": 'Resource invalid resource must be in ARN format or "*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableDisableHongKong",
"Effect": "Allow",
"Action": ["account:EnableRegion", "account:DisableRegion"],
"Resource": "",
"Condition": {
"StringEquals": {"account:TargetRegion": "ap-east-1"}
},
},
{
"Sid": "ViewConsole",
"Effect": "Allow",
"Action": ["aws-portal:ViewAccount", "account:ListRegions"],
"Resource": "",
},
],
},
"error_message": 'Resource must be in ARN format or "*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s:3:ListBucket",
"Resource": "sdfsadf",
},
},
"error_message": 'Resource sdfsadf must be in ARN format or "*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["adf"],
},
},
"error_message": 'Resource adf must be in ARN format or "*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": ""},
},
"error_message": 'Resource must be in ARN format or "*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3s:ListBucket",
"Resource": "a:bsdfdsafsad",
},
},
"error_message": 'Partition "bsdfdsafsad" is not valid for resource "arn:bsdfdsafsad:*:*:*:*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3s:ListBucket",
"Resource": "a:b:cadfsdf",
},
},
"error_message": 'Partition "b" is not valid for resource "arn:b:cadfsdf:*:*:*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3s:ListBucket",
"Resource": "a:b:c:d:e:f:g:h",
},
},
"error_message": 'Partition "b" is not valid for resource "arn:b:c:d:e:f:g:h".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "aws:s3:::example_bucket",
},
},
"error_message": 'Partition "s3" is not valid for resource "arn:s3:::example_bucket:*".',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:error:s3:::example_bucket",
"arn:error:s3::example_bucket",
],
},
},
"error_message": 'Partition "error" is not valid for resource "arn:error:s3:::example_bucket".',
},
{
"document": {"Version": "2012-10-17", "Statement": []},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Action": "s3:ListBucket"},
},
"error_message": "Policy statement must contain resources.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": []},
},
"error_message": "Policy statement must contain resources.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Action": "invalid"},
},
"error_message": "Actions/Conditions must be prefaced by a vendor, e.g., iam, sdb, ec2, etc.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Resource": "arn:aws:s3:::example_bucket"},
},
"error_message": "Policy statement must contain actions.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {"Version": "2012-10-17", "Statement": {"Effect": "Allow"}},
"error_message": "Policy statement must contain actions.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [],
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Policy statement must contain actions.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{"Effect": "Deny"},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
],
},
"error_message": "Policy statement must contain actions.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:iam:::example_bucket",
},
},
"error_message": 'IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.',
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3::example_bucket",
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {"Effect": "Allow", "Resource": "arn:aws:s3::example_bucket"},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws",
},
},
"error_message": "Resource vendor must be fully qualified and cannot contain regexes.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": {"a": "arn:aws:s3:::example_bucket"},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "s3:ListBucket",
"Resource": ["adfdf", {}],
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"NotResource": [],
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": [[]],
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3s:ListBucket",
"Action": [],
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": {},
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": [],
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": "a",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"a": "b"},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": "b"},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": []},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": {}}},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": {}}},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"x": {"a": "1"}},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"ForAnyValue::StringEqualsIfExists": {"a": "asf"}},
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": [
{"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}}
],
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:iam:us-east-1::example_bucket",
},
},
"error_message": "IAM resource arn:aws:iam:us-east-1::example_bucket cannot contain region information.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:us-east-1::example_bucket",
},
},
"error_message": "Resource arn:aws:s3:us-east-1::example_bucket can not contain region information.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Sid": {},
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Sid": [],
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sdf",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
{"Sid": "sdf", "Effect": "Allow"},
],
},
"error_message": "Statement IDs (SID) in a single policy must be unique.",
},
{
"document": {
"Statement": [
{
"Sid": "sdf",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
{"Sid": "sdf", "Effect": "Allow"},
]
},
"error_message": "Policy document must be version 2012-10-17 or greater.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"Action": "iam:dsf",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"NotResource": "*",
},
},
"error_message": "Syntax errors in policy.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "denY",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": "sdfdsf"}},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": "sdfdsf"}},
}
},
"error_message": "Policy document must be version 2012-10-17 or greater.",
},
{
"document": {
"Statement": {
"Effect": "denY",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
}
},
"error_message": "Policy document must be version 2012-10-17 or greater.",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Condition": {"DateGreaterThan": {"a": "sdfdsf"}},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"Resource": "arn:aws::::example_bucket",
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "allow",
"Resource": "arn:aws:s3:us-east-1::example_bucket",
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sdf",
"Effect": "aLLow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
{"Sid": "sdf", "Effect": "Allow"},
],
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"NotResource": "arn:aws:s3::example_bucket",
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateLessThanEquals": {"a": "234-13"}},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"DateLessThanEquals": {"a": "2016-12-13t2:00:00.593194+1"}
},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"DateLessThanEquals": {"a": "2016-12-13t2:00:00.1999999999+10:59"}
},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateLessThan": {"a": "9223372036854775808"}},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:error:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": "sdfdsf"}},
},
},
"error_message": "The policy failed legacy parsing",
},
{
"document": {
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws::fdsasf",
},
},
"error_message": "The policy failed legacy parsing",
},
]
valid_policy_documents = [
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::example_bucket"],
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam: asdf safdsf af ",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::example_bucket", "*"],
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "*",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
}
],
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "service-prefix:action-name",
"Resource": "*",
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"},
},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "fsx:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:iam:::user/example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s33:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:fdsasf",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:cloudwatch:us-east-1::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:ec2:us-east-1::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:invalid-service:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:invalid-service:us-east-1::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"},
},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": []}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"a": {}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Sid": "dsfsdfsdfsdfsdfsadfsd",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleDisplay",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetUser",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListUsers",
"iam:ListUserTags",
],
"Resource": "*",
},
{
"Sid": "AddTag",
"Effect": "Allow",
"Action": ["iam:TagUser", "iam:TagRole"],
"Resource": "*",
"Condition": {
"StringEquals": {"aws:RequestTag/CostCenter": ["A-123", "B-456"]},
"ForAllValues:StringEquals": {"aws:TagKeys": "CostCenter"},
},
},
],
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "s3:*",
"NotResource": [
"arn:aws:s3:::HRBucket/Payroll",
"arn:aws:s3:::HRBucket/Payroll/*",
],
},
},
{
"Version": "2012-10-17",
"Id": "sdfsdfsdf",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "aaaaaadsfdsafsadfsadfaaaaa:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3-s:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3.s:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"NotAction": "s3:ListBucket",
"NotResource": "*",
},
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sdf",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
},
],
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateGreaterThan": {"a": "01T"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"x": {}, "y": {}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"StringEqualsIfExists": {"a": "asf"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"ForAnyValue:StringEqualsIfExists": {"a": "asf"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateLessThanEquals": {"a": "2019-07-01T13:20:15Z"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"DateLessThanEquals": {"a": "2016-12-13T21:20:37.593194+00:00"}
},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateLessThanEquals": {"a": "2016-12-13t2:00:00.593194+23"}},
},
},
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {"DateLessThan": {"a": "-292275054"}},
},
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices",
],
"Resource": "*",
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": ["iam:ChangePassword", "iam:GetUser"],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
"Resource": "arn:aws:iam::*:mfa/${aws:username}",
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
],
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAndDescribe",
"Effect": "Allow",
"Action": [
"dynamodb:List*",
"dynamodb:DescribeReservedCapacity*",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive",
],
"Resource": "*",
},
{
"Sid": "SpecificTable",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem",
],
"Resource": "arn:aws:dynamodb:*:*:table/MyTable",
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
"Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
"Condition": {
"ArnEquals": {
"ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/instance-id"
}
},
}
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/Department": "Development"}
},
},
{
"Effect": "Allow",
"Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"StringEquals": {"ec2:ResourceTag/VolumeUser": "${aws:username}"}
},
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StartStopIfTags",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:DescribeTags",
],
"Resource": "arn:aws:ec2:region:account-id:instance/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project": "DataAnalytics",
"aws:PrincipalTag/Department": "Data",
}
},
}
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListYourObjects",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/application-name/${cognito-identity.amazonaws.com:sub}"
]
}
},
},
{
"Sid": "ReadWriteDeleteYourObjects",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
"Resource": [
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*",
],
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
"Resource": "*",
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucket-name",
"Condition": {
"StringLike": {"s3:prefix": ["", "home/", "home/${aws:userid}/*"]}
},
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name/home/${aws:userid}",
"arn:aws:s3:::bucket-name/home/${aws:userid}/*",
],
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets",
],
"Resource": "*",
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"],
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"],
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": ["iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"],
"Resource": "*",
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": ["iam:ChangePassword", "iam:GetUser"],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential",
],
"Resource": "arn:aws:iam::*:user/${aws:username}",
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow",
"Condition": {"StringEquals": {"ec2:Region": "region"}},
}
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:*",
"Resource": ["arn:aws:rds:region:*:*"],
},
{"Effect": "Allow", "Action": ["rds:Describe*"], "Resource": ["*"]},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "rds:*",
"Resource": ["arn:aws:rds:region:*:*"],
},
{
"Sid": "",
"Effect": "Allow",
"Action": ["rds:Describe*"],
"Resource": ["*"],
},
],
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point",
"arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*",
],
},
],
},
]
@pytest.mark.parametrize("invalid_policy_document", invalid_policy_document_test_cases)
@mock_iam
def test_create_policy_with_invalid_policy_document(invalid_policy_document):
conn = boto3.client("iam", region_name="us-east-1")
with pytest.raises(ClientError) as ex:
conn.create_policy(
PolicyName="TestCreatePolicy",
PolicyDocument=json.dumps(invalid_policy_document["document"]),
)
resp = ex.value.response
assert resp["Error"]["Code"] == "MalformedPolicyDocument"
assert resp["ResponseMetadata"]["HTTPStatusCode"] == 400
assert resp["Error"]["Message"] == invalid_policy_document["error_message"]
@pytest.mark.parametrize("valid_policy_document", valid_policy_documents)
@mock_iam
def test_create_policy_with_valid_policy_document(valid_policy_document):
conn = boto3.client("iam", region_name="us-east-1")
conn.create_policy(
PolicyName="TestCreatePolicy", PolicyDocument=json.dumps(valid_policy_document)
)