I am working on a tool which takes an IAM policy as JSON and creates the policy on AWS. I am using aws-sdk-go for building the tool. I am looking for a way through which I can validate the policy before executing it on AWS. Does AWS provide some sort of API to dry-run the policy creation or something like that?
The things I have tried: I am validating the policy field by field.
- Effect field must be `Allow` or `Deny`.
- For the Action field, I added a dictionary in my tool which maps each service to its valid actions. The problem with this approach is that it requires a lot of maintenance. AWS keeps releasing new services and actions and I have to update the dictionary.
- For a resource, it should be valid ARN.
A couple of other validations are added, but it's really tough to add all validation checks manually. I believe AWS must be providing some sort of dry-run facility for a policy.
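The field-by-field checks the question describes (Effect is `Allow` or `Deny`, Action has the `service:Action` shape, Resource is an ARN or `*`), written out as a small local validator in Go. This is an added example, not code from the question, from aws-sdk-go or from AWS; it assumes the general ARN layout `arn:partition:service:region:account:resource`, and the `ValidatePolicy` function, the `StringList` helper and the sample document are constructed for this example. It is a structural check only: it does not know which action names exist, it does not model `NotAction`, `NotResource`, `Principal` or `Condition`, and it is not a substitute for a server-side dry run.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Policy mirrors the parts of an IAM policy document this check looks at.
// Unknown fields (Principal, Condition, ...) are ignored by the decoder, and a
// Statement given as a single object rather than a list is not handled here.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Statement struct {
	Sid      string     `json:"Sid,omitempty"`
	Effect   string     `json:"Effect"`
	Action   StringList `json:"Action"`
	Resource StringList `json:"Resource"`
}

// StringList accepts either "x" or ["x", "y"], both of which IAM allows.
type StringList []string

func (s *StringList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("expected string or list of strings, got %s", string(b))
	}
	*s = StringList(many)
	return nil
}

var (
	// "*" or service:Action, with wildcards allowed in the action part (s3:Get*).
	actionRe = regexp.MustCompile(`^(\*|[a-z0-9-]+:[A-Za-z0-9*?]+)$`)
	// arn:partition:service:region:account:resource; region and account may be
	// empty (e.g. S3 bucket ARNs). Assumed general shape, not an exhaustive rule.
	arnRe = regexp.MustCompile(`^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9-]*:(\d{12}|\*)?:.+$`)
)

// ValidatePolicy returns one message per structural problem found; an empty
// slice means the document passed every check this validator knows about.
func ValidatePolicy(doc string) []string {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return []string{"not a well-formed policy document: " + err.Error()}
	}
	var problems []string
	if p.Version != "2012-10-17" && p.Version != "2008-10-17" {
		problems = append(problems, fmt.Sprintf("Version %q is not a known policy language version", p.Version))
	}
	if len(p.Statement) == 0 {
		problems = append(problems, "policy has no Statement")
	}
	for i, st := range p.Statement {
		where := fmt.Sprintf("Statement[%d]", i)
		if st.Sid != "" {
			where += " (" + st.Sid + ")"
		}
		// Effect is case-sensitive: "allow" is rejected, as IAM would.
		if st.Effect != "Allow" && st.Effect != "Deny" {
			problems = append(problems, fmt.Sprintf("%s: Effect must be Allow or Deny, got %q", where, st.Effect))
		}
		if len(st.Action) == 0 {
			problems = append(problems, where+": no Action given")
		}
		for _, a := range st.Action {
			if !actionRe.MatchString(a) {
				problems = append(problems, fmt.Sprintf("%s: Action %q is not of the form service:Action", where, a))
			}
		}
		if len(st.Resource) == 0 {
			problems = append(problems, where+": no Resource given")
		}
		for _, r := range st.Resource {
			if r != "*" && !arnRe.MatchString(r) {
				problems = append(problems, fmt.Sprintf("%s: Resource %q is not a valid ARN", where, r))
			}
		}
	}
	return problems
}

// samplePolicy is a constructed document with one deliberate mistake per field.
const samplePolicy = `{"Version":"2012-10-17","Statement":[
  {"Sid":"ReadBucket","Effect":"Allow","Action":["s3:GetObject","s3:ListBucket"],
   "Resource":["arn:aws:s3:::example-bucket","arn:aws:s3:::example-bucket/*"]},
  {"Sid":"Broken","Effect":"allow","Action":"GetObject","Resource":"example-bucket"}]}`

func main() {
	if problems := ValidatePolicy(samplePolicy); len(problems) > 0 {
		fmt.Println("policy rejected:\n  " + strings.Join(problems, "\n  "))
	} else {
		fmt.Println("policy passed structural checks")
	}
}
```

Because the action check is purely syntactic, it needs no per-service dictionary and never goes stale, at the cost of accepting misspelled action names; catching those still requires AWS itself to evaluate the document.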