{"id":20550160,"url":"https://github.com/dnmfarrell/iamsim","last_synced_at":"2026-02-01T02:03:05.692Z","repository":{"id":258295059,"uuid":"665574303","full_name":"dnmfarrell/iamsim","owner":"dnmfarrell","description":"A Prolog module that stores IAM policies and actions to simulate permissions.","archived":false,"fork":false,"pushed_at":"2024-10-20T02:56:29.000Z","size":40,"stargazers_count":8,"open_issues_count":6,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-06-17T05:40:32.760Z","etag":null,"topics":["aws-iam","cloud-security","prolog","simulation"],"latest_commit_sha":null,"homepage":"","language":"Prolog","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dnmfarrell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2023-07-12T14:00:43.000Z","updated_at":"2025-03-13T03:22:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"18c7236d-d74f-4f6e-b219-490b972fe597","html_url":"https://github.com/dnmfarrell/iamsim","commit_stats":null,"previous_names":["dnmfarrell/iamsim"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/dnmfarrell/iamsim","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnmfarrell%2Fiamsim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnmfarrell%2Fiamsim/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnmfarrell%2Fiamsim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnmfarrell%2Fiamsim/manifests","owne
r_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dnmfarrell","download_url":"https://codeload.github.com/dnmfarrell/iamsim/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dnmfarrell%2Fiamsim/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28964429,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-01T01:25:30.373Z","status":"online","status_checked_at":"2026-02-01T02:00:08.102Z","response_time":56,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-iam","cloud-security","prolog","simulation"],"created_at":"2024-11-16T02:23:37.269Z","updated_at":"2026-02-01T02:03:05.664Z","avatar_url":"https://github.com/dnmfarrell.png","language":"Prolog","funding_links":[],"categories":[],"sub_categories":[],"readme":"AWS IAM Simulator\n=================\nA Prolog module that stores IAM policies and actions to simulate permissions.\n\nFor more info about the project background and rationale, see this [blog post](https://blog.dnmfarrell.com/post/simulating-aws-iam-with-prolog/).\n\nRequires [Scryer-Prolog](https://scryer.pl/) or similar interpreter.\n\n\nLimitations\n-----------\nOnly supports identity-based policies and permissions boundaries for now. 
However, session policies (and some resource-based policies) can be modeled as identity policies and service control policies can be modeled as permissions boundaries.\n\nAssumes one principal per database session.\n\nDoes not support [policy conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html).\n\nOnly includes S3 actions (PRs welcome, see [iam/s3.pl](src/iam/s3.pl)).\n\n\nPredicates\n----------\n### `policy_add(+Type,+Id,+Effect,+Action,+ArnStr, -Errs)`\n\nAdds a policy to the database, where:\n\n* `Type` is one of: `boundary` or `identity`.\n* `Id` is a list string which names the policy, e.g. `\"s3-foo-allow-all\"`.\n* `Effect` is one of: `allow` or `deny`.\n* `Action` is a list string pattern, e.g. `\"s3:PutObject\"`, `\"s3:*\"`, or `\"*\"`.\n* `ArnStr` is a list string of an AWS Arn, e.g. `\"arn:aws:s3:::foo/bar\"`. The resource portion (the last part) may be a string pattern, e.g. `\"fo?/*\"`.\n* `Errs` is a list of error messages that is empty when the policy was successfully added.\n\n### `can(+Action, +ArnStr, -Allowed, -Reasons, -Errs)`\n\nEvaluates whether the principal is permitted to perform the action on the resource, where:\n\n* `Action` is a list string, e.g. `\"s3:PutObject\"`.\n* `ArnStr` is a list string of an AWS Arn, e.g. `\"arn:aws:s3:::foo/bar\"`.\n* `Allowed` is a boolean.\n* `Reasons` is a list of messages explaining the evaluation reasoning.\n* `Errs` is a list of error messages that is empty when the evaluation succeeded.\n\n### `all(-Actions, +ArnStr, -Errs)`\n\nReturns all actions the principal may perform on the resource, where:\n\n* `Actions` is a list of permitted actions.\n* `ArnStr` is a list string of an AWS Arn, e.g. 
`\"arn:aws:s3:::foo/bar\"`.\n* `Errs` is a list of error messages that is empty when the evaluation succeeded.\n\n### `fix(+Action, +ArnStr, -Changes, -Errs)`\n\nFixes a permission issue by creating/deleting policies, where:\n\n* `Action` is a list string of the action to grant, e.g. `\"s3:PutObject\"`.\n* `ArnStr` is a list string of an AWS Arn, e.g. `\"arn:aws:s3:::foo/bar\"`.\n* `Changes` is a list of strings describing the operations performed.\n* `Errs` is a list of error messages that is empty when the fix succeeded.\n\n\nExample\n-------\n    $ scryer-prolog -f src/iam/sim.pl\n    ?- % check if we can get foo/bar.csv\n    can(\"s3:GetObject\", \"arn:aws:s3:::foo/bar.csv\", Allowed, Reasons, Errs).\n       Allowed = false, Reasons = [\"\\'Not explicitly all ...\"].\n    ?- % grant the permission\n    fix(\"s3:GetObject\", \"arn:aws:s3:::foo/bar.csv\", Changelog, Errs).\n       Changelog = [changelog(add,policy(identity,\"[s,\\'3\\',:,\\'G\\',e,t, ...\",allow,\"s3:GetObject\",\"arn:aws:s3:::foo/ ...\"))], Errs = []\n    ;  false.\n    ?- % re-test\n    can(\"s3:GetObject\", \"arn:aws:s3:::foo/bar.csv\", Allowed, Reasons, Errs).\n       Allowed = true, Reasons = [\"\\'Not explicitly den ...\",\"\\'Allowed by\\' ident ...\"].\n    ?- % create a policy to grant all\n    policy_add(identity, \"s3-foo-*\", allow, \"*\", \"arn:aws:s3:::foo/*\", Errs).\n       Errs = [].\n    ?- % What actions can we perform?\n    all(Actions, \"arn:aws:s3:::foo/bar.csv\", Errs).\n    ;  Actions = [\"s3-object-lambda:Ab ...\",\"s3-object-lambda:D ...\",\"s3-object-lambda: ...\",\"s3-object-lambda ...\",\"s3-object-lambd ...\",\"s3-object-lamb ...\",\"s3-object-lam ...\",\"s3-object-la ...\",\"s3-object-l ...\",\"s3-object- ...\",\"s3-object ...\",\"s3-objec ...\",\"s3-obje ...\",\"s3-obj ...\",\"s3-ob ...\",\"s3-o ...\",\"s3- ...\",\"s3 ...\",\"s ...\",\"s3-object-lambda:PutObjectLegalHold\"|...], Errs = []\n\n\nTesting\n-------\n    $ bin/run-tests\n    + scryer-prolog -f 
test/arn.pl\n    Running test \"arn:aws:ec2:us-east-1:123456789012:foo/bar\"\n    Running test \"arn:aws:s3:::foo/bar\"\n    + scryer-prolog -f test/sim.pl\n    Running test \"all-no-policies\"\n    Running test \"arn_match\"\n    Running test \"arn_parse\"\n    Running test \"service_match\"\n    Running test \"all-except-denied\"\n    Running test \"all-deny-beats-allow\"\n    Running test \"all-boundary-implicit-deny\"\n    Running test \"all-boundary-explicit-deny\"\n    Running test \"fix-no-policies\"\n    Running test \"fix-boundary-implicit-deny\"\n    Running test \"fix-explicit-deny\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnmfarrell%2Fiamsim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdnmfarrell%2Fiamsim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdnmfarrell%2Fiamsim/lists"}