Get Started →
AWS Cloud Tools

AWS IAM Policy
Simulator

Test and simulate AWS IAM policy decisions instantly — paste any policy, set the request context, and get a precise Allow / Deny verdict with a full statement-by-statement evaluation trace. No AWS account needed.

Exact AWS policy evaluation logic — explicit deny wins always Multi-layer: identity policy + resource policy + SCP + boundary Full statement trace — see exactly which rule fired and why Condition simulation — IP, MFA, region, tags, org, and more Batch mode — test 20+ actions simultaneously in one run Pre-built scenarios for common real-world security questions
// Last Simulation
Step 1 — Define Policy Layers
Quick load:
Step 2 — Request Context
Context Conditions Optional
Quick context:
Evaluation Trace
Batch Simulation Results
#ActionResourceDecisionMatching StatementConditions Met
Scenario Library — Real-World Security Tests
🟢 S3 Read Allowed User with S3 read policy gets an object — should Allow Expected: ALLOW
🔴 S3 Write Denied Read-only user attempts PutObject — explicit deny Expected: DENY
🔐 MFA Not Present Deny condition blocks request when MFA is false Expected: DENY
MFA Present Same policy — MFA is true, condition satisfied Expected: ALLOW
⚔️ Deny Overrides Allow Both Allow and explicit Deny — Deny must win Expected: DENY
Wildcard Resource Policy uses * resource — matches any ARN Expected: ALLOW
🌐 IP Restriction Source IP condition — request from unknown IP Expected: DENY
🔗 Cross-Account Access Resource policy grants cross-account with trust Expected: ALLOW
🏢 SCP Blocks Action Org SCP denies EC2 launch even with IAM Allow Expected: DENY
🚫 Implicit Deny No matching Allow — default implicit deny Expected: IMPLICIT DENY
IAM Evaluation Order
StepCheckOutcome
1Explicit Deny in any policy→ DENY immediately
2SCP — does it allow the action?→ DENY if no Allow
3Permissions Boundary check→ DENY if outside boundary
4Resource policy (same account)→ ALLOW if grants access
5Identity policy explicit Allow→ ALLOW
6No matching Allow found→ IMPLICIT DENY
Condition Matching Rules
RuleBehaviour
Multiple conditions in one blockAll must match (AND logic)
Multiple values in one conditionAny must match (OR logic)
Condition key missing from contextCondition fails → statement skipped
StringLike wildcard* = any chars, ? = one char
...IfExists suffixPass if key missing; else evaluate normally
ForAllValues: prefixAll values in set must match
ForAnyValue: prefixAt least one value must match
Null checkNull: true passes if key absent
Global Context Keys Quick Reference
Context KeyTypeExample ValueUse Case
aws:SourceIpIP203.0.113.1Restrict access by caller IP address
aws:MultiFactorAuthPresentBooltrueRequire MFA for sensitive actions
aws:RequestedRegionStringus-east-1Restrict API calls to specific regions
aws:PrincipalAccountString123456789012Match the caller's AWS account
aws:PrincipalOrgIDStringo-abc123Restrict to principals in your AWS Org
aws:SecureTransportBooltrueRequire HTTPS — block plaintext HTTP
aws:CalledViaStringcloudformation.amazonaws.comOnly allow calls through CloudFormation
aws:useridStringAIDAI...aliceMatch specific IAM user by unique ID
aws:ResourceTag/keyStringprodRestrict by resource tag value
aws:RequestTag/keyStringteam-aRequire specific tag on create requests

How AWS IAM Policy Evaluation Works — Complete Guide

Understanding how AWS evaluates IAM policies is critical for building secure cloud architectures. This simulator replicates the exact AWS policy evaluation engine — so you can test decisions, debug access issues, and validate security controls before deploying to production.

The Six-Step AWS Policy Evaluation Algorithm

When an IAM principal makes an API request, AWS evaluates all applicable policies in a strict order. The first matching rule wins — and an explicit Deny always wins over everything else.

  • Step 1 — Explicit Deny check: AWS scans all applicable policies for any statement with "Effect":"Deny" that matches the action and resource. If found, the request is denied immediately — no further evaluation.
  • Step 2 — SCP evaluation: If the account is part of an AWS Organisation, SCPs define the maximum permissions. If no SCP allows the action, it is implicitly denied at this layer.
  • Step 3 — Permissions boundary: If a permissions boundary is attached to the IAM entity, the action must also be allowed by the boundary policy. The boundary limits, but does not grant, permissions.
  • Step 4 — Resource policy (same account): For resource-based policies (S3, SQS, KMS), an explicit Allow in the resource policy can grant access independent of the identity policy for same-account principals.
  • Step 5 — Identity policy Allow: If no Deny and no SCP/boundary block, an explicit Allow in any attached identity policy grants access.
  • Step 6 — Implicit Deny: If no Allow statement was found, the request is denied by default. AWS never allows by default — permissions must be explicitly granted.

Explicit Deny vs Implicit Deny — What's the Difference?

An explicit deny occurs when a policy statement has "Effect":"Deny" that matches the request. It is definitive and cannot be overridden by any Allow in any other policy — including admin policies and root permissions (except for root on certain actions). An implicit deny is simply the absence of an Allow — the default state. Any policy could still grant access and override an implicit deny, but nothing can override an explicit deny.

How Conditions Are Evaluated

Conditions use a three-part structure: operator, context key, and value. For a statement to apply, all conditions in the block must be satisfied. Within a single condition, multiple values use OR logic (any must match). The IfExists suffix passes the condition if the context key is absent, making it safe for optional keys. Global condition keys like aws:SourceIp are always available; service-specific keys like s3:prefix are only available for relevant service APIs.

Cross-Account Access Rules

When a principal in Account A accesses a resource in Account B: both the resource policy in Account B must allow the access AND the identity policy in Account A must allow the action. Either policy alone is insufficient. This is why S3 bucket policies with "Principal":"*" still require the caller to have an Allow in their own identity policy.

Common IAM Policy Debugging Patterns

  • Access Denied but policy shows Allow: Check for an explicit Deny elsewhere — in a SCP, permission boundary, or another attached policy. Deny always wins.
  • Condition not matching: Verify the context key name is correct and the value type matches (Bool vs String). Missing context keys cause conditions to fail silently.
  • S3 access denied cross-account: Confirm both the bucket policy grants access to the specific principal AND the caller's identity policy allows the S3 action.
  • Role can't do what user can: Check if a permissions boundary is attached to the role limiting its effective permissions below what the identity policy allows.

Frequently Asked Questions

What is the AWS IAM Policy Simulator?
It is a tool that replicates the AWS policy evaluation engine locally. You provide a policy and a request context (action, resource, conditions), and the simulator tells you whether the request would be allowed or denied — and exactly why.
Does explicit Deny always win in AWS IAM?
Yes — with one exception. An explicit Deny in any evaluated policy immediately overrides all Allow statements, including those in admin policies. The only exception is root account actions that are exempt from SCPs.
What is the difference between a permissions boundary and an SCP?
A permissions boundary is attached to a specific IAM entity and limits that entity's maximum effective permissions. An SCP is applied at the AWS Organization or OU level and limits the maximum permissions for all principals in that account. Both must allow an action for it to be permitted — they restrict but never grant permissions.
Why is my request denied even though I have an Allow policy?
The most common causes are: (1) An explicit Deny in another attached policy, SCP, or permissions boundary. (2) A condition in the Allow statement that is not satisfied by the request context. (3) The resource ARN in the policy doesn't match the requested resource. Use the simulator's trace view to identify exactly which step caused the denial.
Can I test IAM conditions like aws:SourceIp?
Yes. Use the Context Conditions section to set any AWS global or service-specific context key. Set aws:SourceIp to an IP address, aws:MultiFactorAuthPresent to true or false, or aws:RequestedRegion to a region name — the simulator evaluates all conditions against your policy.
Is my policy data sent to any server?
No — completely private. All simulation logic runs entirely in your browser using JavaScript. No policy JSON, ARNs, account IDs, or context values are ever transmitted. You can safely test with real policy data.
Amazon Connect Pricing Calculator Amazon Connect Tools AWS Cloud Tools Other Tools

More Free Online Tools

Simple tools. Surgical fixes. Zero friction.

Amazon Connect CCP Log Parser

Parse Amazon Connect CCP logs into structured, searchable diagnostics.

Open

Amazon Connect CTR Parser

Turn raw Amazon Connect CTR JSON into a rich visual breakdown.

Open

Amazon Connect Agent Workstation Validator

Pre-flight check for Amazon Connect softphone agents.

Open

CloudTrail Log Analyser

Security audit & threat detection for AWS environments.

Open

Amazon Connect Pricing Calculator

Instantly estimate monthly AWS Connect costs — voice, chat, email, campaigns, telephony & more.

Open

Connect CloudWatch Log Analyzer

Drop any Amazon Connect CloudWatch log and get a rich visual breakdown.

Open