Simulate an IAM principal policy
📑 On this page
Part 109 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.
What we are learning
simulate-principal-policy evaluates policies attached to a principal and reports allowed, implicit deny, or explicit deny decisions.
Before you run it
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
USER_ARN="arn:aws:iam::$ACCOUNT_ID:user/$USER_NAME"
BUCKET="replace-with-private-bucket"The caller needs permission to run policy simulation. Simulation does not send the real S3 request.
The command
aws iam simulate-principal-policy \
--policy-source-arn "$USER_ARN" \
--action-names s3:ListBucket s3:GetObject \
--resource-arns \
"arn:aws:s3:::$BUCKET" \
"arn:aws:s3:::$BUCKET/private/example.txt"IAM writes can take a short time to propagate. Inspect the resource after every change.
Inspect the result
aws iam simulate-principal-policy \
--policy-source-arn "$USER_ARN" \
--action-names s3:ListBucket s3:GetObject \
--resource-arns "arn:aws:s3:::$BUCKET" \
--query "EvaluationResults[].{Action:EvalActionName,Decision:EvalDecision,MissingContext:MissingContextValues}" \
--output tableMissing context values indicate that conditions could not be fully evaluated.
One tiny variation
aws iam simulate-principal-policy \
--policy-source-arn "$USER_ARN" \
--action-names s3:DeleteObject \
--resource-arns "arn:aws:s3:::$BUCKET/private/example.txt"Test a destructive action explicitly rather than inferring it from read permissions.
Common mistake
Simulation does not guarantee the real service call will succeed; resource state, SCPs, VPC endpoint policies, KMS, and service-specific rules can still matter.
Cleanup
# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identityKeep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.
Next, we will learn Create an IAM role with a trust policy.