Skip to content

Validation

After you've rewritten your IAM policy, we suggest two options for validating that it will pass Cloudsplaining and alleviate any remaining concerns:

  • Run Cloudsplaining's scan-policy-file command, which scans a single JSON policy file instead of the entire AWS Account's Authorization details.

Leveraging Parliament by Duo-Labs, courtesy of Scott Piper.

Using Cloudsplaining to Validate your Remediated Policies

You can validate that your remediated policy passes Cloudsplaining by running the following command:

cloudsplaining scan-policy-file --input-file policy.json --exclusions-file exclusions.yml

When there are no more results, it passes!

Using Parliament to Lint your Policies

parliament is an AWS IAM linting library. It reviews policies looking for problems such as:

  • malformed JSON
  • missing required elements
  • incorrect prefix and action names
  • incorrect resources or conditions for the actions provided
  • type mismatches
  • bad policy patterns

Parliament duplicates (and adds to!) much of the functionality in the web console page when reviewing IAM policies in the browser.

You can use Parliament to scan your IAM policy with the following command:

parliament --file policy.json

When there are no more results, it passes!