← All posts
2 min read

Simulate an IAM principal policy

#aws#cli#iam#security#identity
📑 On this page

Part 109 of AWS from Zero. This lesson changes or inspects one IAM concept so the permission model stays understandable.

What we are learning

simulate-principal-policy evaluates policies attached to a principal and reports allowed, implicit deny, or explicit deny decisions.

Before you run it

ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
USER_NAME="aws-zero-learner"
USER_ARN="arn:aws:iam::$ACCOUNT_ID:user/$USER_NAME"
BUCKET="replace-with-private-bucket"

The caller needs permission to run policy simulation. Simulation does not send the real S3 request.

The command

aws iam simulate-principal-policy \
  --policy-source-arn "$USER_ARN" \
  --action-names s3:ListBucket s3:GetObject \
  --resource-arns \
  "arn:aws:s3:::$BUCKET" \
  "arn:aws:s3:::$BUCKET/private/example.txt"

IAM writes can take a short time to propagate. Inspect the resource after every change.

Inspect the result

aws iam simulate-principal-policy \
  --policy-source-arn "$USER_ARN" \
  --action-names s3:ListBucket s3:GetObject \
  --resource-arns "arn:aws:s3:::$BUCKET" \
  --query "EvaluationResults[].{Action:EvalActionName,Decision:EvalDecision,MissingContext:MissingContextValues}" \
  --output table

Missing context values indicate that conditions could not be fully evaluated.

One tiny variation

aws iam simulate-principal-policy \
  --policy-source-arn "$USER_ARN" \
  --action-names s3:DeleteObject \
  --resource-arns "arn:aws:s3:::$BUCKET/private/example.txt"

Test a destructive action explicitly rather than inferring it from read permissions.

Common mistake

Simulation does not guarantee the real service call will succeed; resource state, SCPs, VPC endpoint policies, KMS, and service-specific rules can still matter.

Cleanup

# This lesson is read-only or reuses a named demo identity.
aws sts get-caller-identity

Keep shared demo identities only while following the IAM sequence. Part 125 removes them in dependency order.

Next, we will learn Create an IAM role with a trust policy.

Official AWS CLI reference