AWS IAM Policy Tester

Test AWS IAM policy decisions against expected allow and deny cases with action search and resource ARNs.

Test IAM policy decisions before deployment

Paste an AWS IAM JSON policy, add test cases for specific IAM actions and resources, and compare the expected permission result with the simulator output. Use it to check identity policies and resource policies before a pull request, Terraform apply, or console change.

How to use the IAM policy tester

  1. Paste, upload, or load an example IAM JSON policy.
  2. Choose whether the policy should be evaluated as an identity policy or a resource policy.
  3. Set the principal ARN used for resource-policy principal matching.
  4. Add test cases with an IAM action, expected result, and resource ARN.
  5. Review whether each case is allowed, explicitly denied, implicitly denied, or blocked by an input error.

Policy testing workflow

Start with the AWS IAM policy generator when you need to build the JSON from action metadata. Use this tester to verify important allow and deny paths, then run the IAM policy validator to review syntax and best-practice findings or the IAM policy converter to turn the final JSON into Terraform, CloudFormation, or CDK snippets.

Frequently asked questions

Does this IAM policy tester call AWS?

No. The tester runs with the Cloud Copilot IAM simulator package and does not need AWS credentials.

What does Denied mean in expected results?

Denied passes when the simulator returns either an explicit deny or an implicit deny. Use the actual result badge when you need to distinguish between those two IAM outcomes.
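The evaluation order behind the allowed, explicit-deny and implicit-deny results, as an added example (not this tester's code and not the Cloud Copilot simulator): a deliberately simplified evaluator for one identity policy that handles only Effect, Action and Resource with wildcards. It ignores Condition, NotAction, NotResource and Principal; the bucket name, test cases, result labels and function names are assumptions made for illustration.

```python
import re

# Constructed sample policy (bucket name is a placeholder).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secret/*"},
]}

# Constructed test cases: (action, resource ARN, expected result).
CASES = [
    ("s3:ListBucket", "arn:aws:s3:::example-bucket", "Allowed"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", "Allowed"),
    ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/key.pem", "Denied"),
    # ListBucket is a bucket-level action, so an object ARN matches no Allow.
    ("s3:ListBucket", "arn:aws:s3:::example-bucket/report.csv", "Denied"),
]

def _match(pattern, value, ignore_case=False):
    """IAM wildcards: '*' is any run of characters, '?' is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Return 'Allowed', 'ExplicitlyDenied' or 'ImplicitlyDenied'."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, True) for a in _as_list(stmt["Action"]))
               and any(_match(r, resource) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return "ExplicitlyDenied"  # a matching Deny overrides any Allow
        allowed = allowed or hit
    return "Allowed" if allowed else "ImplicitlyDenied"

def case_passes(expected, actual):
    """Expected 'Denied' passes on either deny outcome; 'Allowed' must match."""
    return actual != "Allowed" if expected == "Denied" else actual == expected

def run_cases(policy, cases):
    """Return (action, expected, actual, passed) for each case."""
    actuals = [evaluate(policy, a, r) for a, r, _ in cases]
    return [(c[0], c[2], act, case_passes(c[2], act)) for c, act in zip(cases, actuals)]

if __name__ == "__main__":
    for row in run_cases(POLICY, CASES):
        print(row)
```

The third and fourth cases both pass as Denied, but the actual results differ: the first is an explicit deny from the `secret/*` statement, the second an implicit deny because no Allow statement matches.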

Does this model SCPs or permission boundaries?

No. This version evaluates the pasted policy as an identity policy or a resource policy. It does not model service control policies, resource control policies, permission boundaries, session policies, or deployed account inventory.

Next step

Want AWS engineering that feels this practical?

I build these tools to make AWS easier to manage. If this level of quality is what you want in your own cloud platform, Towards The Cloud can help with landing zones, infrastructure as code, security reviews, migrations, and cost optimization.