Does this role have S3 Create Bucket permissions?
A decision was made to remove S3 create bucket permissions from roles, so that every bucket is created with the standard configuration defined in a CloudFormation template deployed by a pipeline. Using the IAM Policy Simulator, determine whether the AWSLandingZoneNetworkOpsRole still has the ability to create buckets.

How do I use the IAM policy simulator?

  • Navigate to IAM within the Development Account
  • Select Policy Simulator from the links on the right side of the screen
  • Select Roles from the drop down menu
  • Select the AWSLandingZoneNetworkOpsRole from the list
  • Select S3 from the Service List
  • Click the Select All button
  • Click the Run Simulation button
  • Review the results to see if CreateBucket is allowed
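The same check can be scripted with the SimulatePrincipalPolicy API that the console simulator uses, which is handy once you want to repeat it across roles and accounts. This is an added example, not part of the lab: the account ID in the role ARN is a placeholder, the live call needs credentials in the Development Account, and the sample response below is constructed so the parsing can run offline.

```python
"""Check whether an IAM role is allowed s3:CreateBucket via SimulatePrincipalPolicy."""
from typing import Dict, List

# Placeholder account ID; the role name is the one from the lab.
ROLE_ARN = "arn:aws:iam::111122223333:role/AWSLandingZoneNetworkOpsRole"
ACTIONS = ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:DeleteBucket"]


def simulate_role(role_arn: str, actions: List[str]) -> List[dict]:
    """Call iam:SimulatePrincipalPolicy (the engine behind the console
    simulator) and return all EvaluationResults, following pagination."""
    import boto3  # imported here so the offline parsing below needs no boto3
    iam = boto3.client("iam")
    results: List[dict] = []
    paginator = iam.get_paginator("simulate_principal_policy")
    for page in paginator.paginate(PolicySourceArn=role_arn, ActionNames=actions):
        results.extend(page["EvaluationResults"])
    return results


def decisions(results: List[dict]) -> Dict[str, str]:
    """Map each simulated action to its EvalDecision:
    'allowed', 'explicitDeny' or 'implicitDeny'."""
    return {r["EvalActionName"]: r["EvalDecision"] for r in results}


def allowed_actions(results: List[dict]) -> List[str]:
    """Actions the role may perform; these are the findings to review."""
    return sorted(a for a, d in decisions(results).items() if d == "allowed")


def granting_policies(results: List[dict], action: str) -> List[str]:
    """Policy IDs whose statements matched for an action, i.e. where to
    look when removing a grant such as s3:CreateBucket."""
    return [s["SourcePolicyId"] for r in results if r["EvalActionName"] == action
            for s in r.get("MatchedStatements", [])]


# Constructed sample shaped like the real API response, for offline use.
SAMPLE_RESULTS = [
    {"EvalActionName": "s3:CreateBucket", "EvalDecision": "allowed",
     "MatchedStatements": [{"SourcePolicyId": "NetworkOpsInlinePolicy"}]},
    {"EvalActionName": "s3:PutBucketPolicy", "EvalDecision": "implicitDeny",
     "MatchedStatements": []},
    {"EvalActionName": "s3:DeleteBucket", "EvalDecision": "explicitDeny",
     "MatchedStatements": [{"SourcePolicyId": "DenyBucketDeletion"}]},
]

if __name__ == "__main__":
    # With credentials, replace SAMPLE_RESULTS by simulate_role(ROLE_ARN, ACTIONS).
    for action, decision in decisions(SAMPLE_RESULTS).items():
        print(f"{action}: {decision}")
    print("Allowed, needs review:", allowed_actions(SAMPLE_RESULTS))
    print("Granted by:", granting_policies(SAMPLE_RESULTS, "s3:CreateBucket"))
```

Looping `simulate_role` over the role ARNs in each account (for example via an assumed audit role) turns this into the organization-wide check the discussion questions ask about.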

Team Discussion

  • How would you identify roles, policies, and users with restricted actions across all accounts in your organization?
  • What process or solution would you put in place to help ensure restricted actions aren’t granted within your accounts?