Policy Simulator for deny policies lets you see how a change to an IAM deny policy might affect a principal's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a principal to lose access that they need.
This feature only evaluates deny policies. To learn how to simulate other policy types, see the following:
- Policy Simulator for organization policies
- Policy Simulator for allow policies
- Policy Simulator for principal access boundary policies
How Policy Simulator for deny policies works
Policy Simulator for deny policies helps you determine whether a change to a deny policy will block access that your principals are using.
When you run a simulation for a deny policy, Policy Simulator does the following:
Retrieves access logs for the organization that were generated during the replay period. The replay period is at least 30 days.
If the organization has not existed for more than 30 days, then Policy Simulator retrieves all access logs since the organization was created.
Determines which access logs are relevant to the simulation. Relevant access logs are all access logs that represent a principal's most recent attempt to use a permission to access a resource.
For each relevant access log, determines whether the current deny policies, along with the proposed changes, would permit the attempted access. This process is called replaying the access attempts.
For each access log, compares the access state from the replay with the access state in the access logs. Then, Policy Simulator reports any historical access attempts that weren't blocked in the access log, but were blocked in the replay. These differences, which are called access changes, show which access attempts would have been blocked if the simulated deny policy had been in place at the time of the attempt.
Replay period
The replay period is the time period that Policy Simulator gets access logs for when running a simulation. Access logs that occur before the first day of the replay period or after the last day of the replay period aren't included in the simulation.
Typically, the last day of the replay period is 1 day prior to the simulation. However, in some cases, the last day of the replay period can be up to a few days prior to the simulation. Access logs that occur after the last day of the replay period aren't included in the simulation.
The replay period is at least 30 days. If the organization has not existed for more than 30 days, then Policy Simulator retrieves all access attempts since the organization was created.
Policy Simulator results
Policy Simulator reports the impact of a proposed change to a deny policy as a list of access changes. For deny policies, the only type of access change that Policy Simulator reports is the Access revoked access change.
Policy Simulator reports that access is revoked if the following are true:
- The principal's most recent attempt to access the resource was successful
- The current deny policies, along with the proposed changes, block the principal's access to the resource
For each access change, Policy Simulator also reports the following information:
- The principal, resource, and permission involved in the access attempt.
- The number of days during the replay period that the principal tried to use the permission to access the resource. This total includes only the access attempts that have the same result as the most recent access attempt.
- The date of the most recent access attempt.
Errors
The following errors can cause a simulation to fail:
- Maximum concurrent simulations exceeded: The user already has 10 in-progress simulations, which is the maximum number of in-progress simulations that a user can have. To resolve, wait for one of the in-progress simulations to complete, then try running the simulation again.
- Timeout: The simulation took too long to run and timed out. To resolve, try running the simulation again.
- Invalid simulation construction: The proposed deny policy is invalid. For example, the proposed policy has an invalid condition expression. To resolve, correct the policy and try again.
- Permission denied: You don't have permission to run a simulation. To resolve, ensure that you're granted the required roles and try again.
Supported principal types
Policy Simulator for deny policies only reviews access logs for the following types of principals:
- Google Accounts
- Service accounts
When simulating deny policies, Policy Simulator doesn't review access logs for any other principal types. As a result, it doesn't report whether the proposed changes to your policies or bindings will affect those principals' access.
What's next
- Learn how to simulate a change to a deny policy.
- Explore other Policy Intelligence tools.