# AWS CloudFormation Template Validation

- [ ] [Pre-Commit](https://pre-commit.com/) running
- [ ] [cfn-python-lint](https://github.com/aws-cloudformation/cfn-python-lint) running cfn-lint
- [ ] [cfn-nag](https://github.com/stelligent/cfn_nag) static analysis of CloudFormation
- [ ] [parliament](https://github.com/duo-labs/parliament) AWS IAM policy linting library

# IAM Policy Validation

- [ ] [Manually: Using IAM Simulator]()
- [ ] [Command line: AWS CLI]()
- [ ] [IAM:SimulatePrincipalPolicy]()

```bash
# Simulate an existing principal's effective permissions for the given actions
aws iam simulate-principal-policy --policy-source-arn IAM-USER-ARN --action-names "iam:putuserpolicy"
```

- [ ] [IAM:SimulateCustomPolicy]()

```bash
# Simulate a policy document that is not attached to any principal;
# policy.json is a placeholder for the policy document to test
aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names "iam:putuserpolicy"
```

- [ ] [Programmatic approach: Boto3 Python](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.simulate_custom_policy), which can be automated in Jenkins or as described in the following solution: [AWS re:Invent 2016: How to Automate Policy Validation (SEC311)](https://www.slideshare.net/AmazonWebServices/aws-reinvent-2016-how-to-automate-policy-validation-sec311)

Note:

- The policy must be in AWS and cannot be verified beforehand.
- Policies can be validated by `parliament`, but it still has some limitations.

## Parsing AWS IAM CloudFormation Template

- AWS::IAM::ManagedPolicy
- AWS::IAM::Role
- AWS::IAM::InstanceProfile

## References

- [Finding Security Problems Early in the Development Process of a CloudFormation Template with "cfn-nag"](https://stelligent.com/2016/04/07/finding-security-problems-early-in-the-development-process-of-a-cloudformation-template-with-cfn-nag/)
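The IAM Policy Validation and template-parsing sections above describe the pieces separately; the following is an added example (not code from this page or from any of the tools it lists) that ties them together: it extracts the policy documents from the three IAM resource types named above, lints them locally for wildcard allows, and sends the ones that are already plain JSON to `simulate_custom_policy`. It assumes a JSON template (so no YAML library is needed), injects the IAM client so a real boto3 client can replace the offline stand-in, and uses the real boto3 parameter and response field names for the simulator call; the template and the `FakeIamClient` are constructed for the demonstration.

```python
"""Extract, lint and simulate IAM policy documents from a CloudFormation template.
Added example; template, stand-in client and helper names are assumptions."""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def contains_intrinsic(node):
    """True if the document still holds CloudFormation intrinsics (Ref, Fn::Sub, ...).
    Such documents are valid IAM JSON only after the stack renders them, which is
    why they cannot be run through the simulator before deployment."""
    if isinstance(node, dict):
        return any(k == "Ref" or k.startswith("Fn::") or contains_intrinsic(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(contains_intrinsic(v) for v in node)
    return False


def extract_policies(template):
    """One record per policy document in the IAM resource types the page lists.
    Trust policies are marked 'trust' because they are resource-based and must not
    be simulated as identity policies; InstanceProfile only references roles."""
    found = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::ManagedPolicy":
            found.append({"id": logical_id, "name": "PolicyDocument",
                          "kind": "identity", "document": props["PolicyDocument"]})
        elif res.get("Type") == "AWS::IAM::Role":
            found.append({"id": logical_id, "name": "AssumeRolePolicyDocument",
                          "kind": "trust", "document": props["AssumeRolePolicyDocument"]})
            for inline in props.get("Policies", []):
                found.append({"id": logical_id, "name": inline["PolicyName"],
                              "kind": "identity", "document": inline["PolicyDocument"]})
    return found


def find_wildcard_allows(document):
    """Indices of Allow statements granting every action ('*'): a static finding
    that needs nothing deployed to AWS."""
    return [i for i, stmt in enumerate(_as_list(document["Statement"]))
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))]


def simulate(iam_client, documents, action_names, resource_arns=("*",)):
    """Map each action to the simulator's decision for the given identity policies.
    Documents still containing intrinsics are skipped instead of sent as broken JSON."""
    policy_inputs = [json.dumps(d) for d in documents if not contains_intrinsic(d)]
    resp = iam_client.simulate_custom_policy(PolicyInputList=policy_inputs,
                                             ActionNames=list(action_names),
                                             ResourceArns=list(resource_arns))
    return {r["EvalActionName"]: r["EvalDecision"] for r in resp["EvaluationResults"]}


class FakeIamClient:
    """Offline stand-in for boto3's IAM client (constructed here): explicit Deny
    wins, then Allow, else implicitDeny; resources and conditions are ignored."""
    def simulate_custom_policy(self, PolicyInputList, ActionNames, ResourceArns=None):
        stmts = [s for doc in PolicyInputList for s in _as_list(json.loads(doc)["Statement"])]
        results = []
        for action in ActionNames:
            hits = [s["Effect"] for s in stmts if any(
                fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(s.get("Action", [])))]
            decision = ("explicitDeny" if "Deny" in hits else
                        "allowed" if "Allow" in hits else "implicitDeny")
            results.append({"EvalActionName": action, "EvalDecision": decision})
        return {"EvaluationResults": results}


# Constructed sample template: a role with an inline policy, a managed policy whose
# Resource uses Fn::Sub (so it cannot be simulated yet), and an instance profile.
SAMPLE_TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
             "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "app-read", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
                {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}}]}},
    "AdminPolicy": {"Type": "AWS::IAM::ManagedPolicy", "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*",
             "Resource": {"Fn::Sub": "arn:aws:s3:::${AWS::StackName}-bucket/*"}}]}}},
    "AppProfile": {"Type": "AWS::IAM::InstanceProfile",
                   "Properties": {"Roles": [{"Ref": "AppRole"}]}}}}


def check_template(template, iam_client, action_names):
    """Lint every document, then simulate the identity policies.
    Returns (wildcard findings, simulator decisions)."""
    policies = extract_policies(template)
    findings = [(p["id"], p["name"], i) for p in policies
                for i in find_wildcard_allows(p["document"])]
    identity_docs = [p["document"] for p in policies if p["kind"] == "identity"]
    return findings, simulate(iam_client, identity_docs, action_names)


if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE, FakeIamClient(),
                         ["s3:GetObject", "iam:PutUserPolicy", "ec2:DescribeInstances"]))
```

In real use, replace `FakeIamClient()` with `boto3.client("iam")`; the `AdminPolicy` document is reported by the local wildcard check but skipped by the simulation because its `Fn::Sub` is unresolved until deployment, which is the limitation the note above describes.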