IAM Policy Tester
Put in a Policy and Test it out
Based on iam-simulate with iam-data version 0.9.202508241 updated 8/24/2025. Watch the videoFAQs
What do I do with this?
Test an AWS IAM identity policy against a set of requests detailed answers on how the result was determined.
The underlying library, iam-simulate, supports identity policies, resources policies, service control policies, and permission boundaries. To keep the UI simple, this page only supports a single identity policy and requests from an IAM user with that policy.
How does this work?
This runs 100% in your browser using using iam-data
for service information, iam-policy for policy validation
and iam-simulate to execute your test cases.
What information does this store or share?
Everything happens in your browser, no policy information is set to any server to evaluate or test policies. Check the network tab in your inspector if you're interested.
If you decide to share the policy, all information will be saved behind an obscure URL that will share the information with anyone who has the URL.
Why is this here?
Testing IAM policies takes too long, this evaluates your requests on every keystroke.
This gives you the superpower of testing complex policies without deploying to AWS for every test.
How is this different from AWS Policy Simulator?
Policy Tester:
- Runs without an account completely in your browser
- Can test multiple variations of the same action at once
- Provides detailed explainations of why a policy statement matched a request or not
How can I help?
Thanks for asking! You can do a few things:
- Star iam-simulate or any of our other IAM related repos on GitHub
- Subscribe to our email list in the page footer
- Provide feedback, the best way is to file an issues in the iam-simulate repo
- Share this with your colleagues, friends, and family. A link to this page would make a great gift for your brother in law.
- Send expensive meat. Order anything from Morgan Ranch and tell them it's for David Kerber, they'll know what to do.
Details For People Who Think About IAM All Day
- iam-simulate supports evaluating resource policies, to keep this UI simple, this page assumes permissive resource policies. In cases where a resource policy would apply, you can assume that there is an allow for the current account.
- iam-simulate supports evaluating cross account requests, but this page assumes all requests are with in the same account.
- For now, you'll have to fill in all context keys yourself, even things like aws:PrincipalArn but more of those will be added in the future.
- Currently all global condition keys are considered valid for all requests, which isn't strictly true, keep that in mind and make sure to double check docs for those keys when testing.
- If you are using any Organizations APIs, this tester will assume you are in the management account.