Policy Simulator for deny policies

Policy Simulator for deny policies lets you see how a change to an IAM deny policy might affect a principal's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a principal to lose access that they need.

This feature only evaluates deny policies. To learn how to simulate other policy types, see the following:

How Policy Simulator for deny policies works

Policy Simulator for deny policies helps you determine whether a change to a deny policy will block access that your principals are using.

When you run a simulation for a deny policy, Policy Simulator does the following:

Retrieves access logs for the organization that were generated during the replay period. The replay period is at least 30 days.

If the organization has not existed for more than 30 days, then Policy Simulator retrieves all access logs since the organization was created.
Determines which access logs are relevant to the simulation. Relevant access logs are all access logs that represent a principal's most recent attempt to use a permission to access a resource.
For each relevant access log, determines whether the current deny policies, along with the proposed changes, would permit the attempted access. This process is called replaying the access attempts.
For each access log, compares the access state from the replay with the access state in the access logs. Then, Policy Simulator reports any historical access attempts that weren't blocked in the access log, but were blocked in the replay. These differences, which are called access changes, show which access attempts would have been blocked if the simulated deny policy had been in place at the time of the attempt.

Note: The access state in an access log might not reflect the current access state. In these cases, Policy Simulator always compares the results of the replay to the result from the access log, not to the current access state.

Replay period

The replay period is the time period that Policy Simulator gets access logs for when running a simulation. Access logs that occur before the first day of the replay period or after the last day of the replay period aren't included in the simulation.

Typically, the last day of the replay period is 1 day prior to the simulation. However, in some cases, the last day of the replay period can be up to a few days prior to the simulation. Access logs that occur after the last day of the replay period aren't included in the simulation.

The replay period is at least 30 days. If the organization has not existed for more than 30 days, then Policy Simulator retrieves all access attempts since the organization was created.

Policy Simulator results

Policy Simulator reports the impact of a proposed change to a deny policy as a list of access changes. For deny policies, the only type of access change that Policy Simulator reports is the Access revoked access change.

Policy Simulator reports that access is revoked if the following are true:

The principal's most recent attempt to access the resource was successful
The current deny policies, along with the proposed changes, block the principal's access to the resource

For each access change, Policy Simulator also reports the following information:

The principal, resource, and permission involved in the access attempt.
The number of days during the replay period that the principal tried to use the permission to access the resource. This total includes only the access attempts that have the same result as the most recent access attempt.
The date of the most recent access attempt.

Errors

The following errors can cause a simulation to fail:

Maximum concurrent simulations exceeded: The user already has 10 in-progress simulations, which is the maximum number of in-progress simulations that a user can have. To resolve, wait for one of the in-progress simulations to complete, then try running the simulation again.
Timeout: The simulation took too long to run and timed out. To resolve, try running the simulation again.
Invalid simulation construction: The proposed deny policy is invalid. For example, the proposed policy has an invalid condition expression. To resolve, correct the policy and try again.
Permission denied: You don't have permission to run a simulation. To resolve, ensure that you're granted the required roles and try again.

Supported principal types

Policy Simulator for deny policies only reviews access logs for the following types of principals:

Google Accounts
Service accounts

When simulating deny policies, Policy Simulator doesn't review access logs for any other principal types. As a result, it doesn't report whether the proposed changes to your policies or bindings will affect those principals' access.

What's next

Learn how to simulate a change to a deny policy.
Explore other Policy Intelligence tools.