IAM Policy Simulator (Offline) - Client-Side AWS IAM Policy Evaluator


Simulate AWS IAM policy evaluation entirely in your browser - no sign-in, no account, no data sent to AWS.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your policies and request context never leave your device.

  • This tool is provided "AS IS" without any warranties of any kind.
  • This tool approximates IAM policy evaluation logic. Results may differ from actual AWS evaluation, especially with SCPs, permission boundaries, or session policies.
  • Use the AWS Console IAM Policy Simulator for authoritative results.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers and no files are uploaded; all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Context Keys

Add condition context keys referenced by your policies (e.g. aws:SourceIp, aws:MultiFactorAuthPresent). For multi-value context, enter comma-separated values.

Features

  • Allow / Deny / Implicit-Deny evaluation: Applies the standard IAM precedence: Explicit Deny beats Allow; absence of any Allow results in Implicit Deny.
  • Identity-based and Resource-based policies: Register any number of policies per tab. Resource-based policies are evaluated against the provided Principal ARN.
  • Full Statement matching: Action / NotAction, Resource / NotResource, Principal / NotPrincipal, Condition.
  • AWS-style wildcards: * and ? in Action and Resource patterns, with case-insensitive action matching.
  • 20+ Condition operators: String (Equals / NotEquals / EqualsIgnoreCase / NotEqualsIgnoreCase / Like / NotLike), Numeric (Equals / NotEquals / LessThan / LessThanEquals / GreaterThan / GreaterThanEquals), Bool, Date (all six variants), IpAddress / NotIpAddress (IPv4 CIDR), ArnEquals / ArnNotEquals / ArnLike / ArnNotLike.
  • Operator modifiers: IfExists suffix and ForAllValues: / ForAnyValue: prefixes for multi-value context keys.
  • Evaluation trace: Every statement is traced with match / skip status and per-element reasons for Action, Resource, Principal, and every Condition operator.
  • Sample presets: S3 Read, MFA-required Deny, IP-restricted Allow, and an S3 bucket resource-based policy to get started.
  • 100% client-side: No network calls, no account required, works offline after first load.
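The evaluation order the list above describes (a matching explicit Deny wins, any matching Allow otherwise, Implicit Deny when nothing matches), AWS-style * / ? matching with case-insensitive actions, NotAction / NotResource, and the IfExists modifier, as an added example that is not the tool's own code. It supports only the StringEquals and Bool operators, and the identity policy at the end is constructed after the MFA-required Deny preset.

```javascript
// Added example, not the tool's own code: minimal IAM-style evaluator over constructed policies.
function patternToRegex(pattern, ignoreCase) { // "s3:Get*" -> /^s3:Get.*$/i
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", ignoreCase ? "i" : "");
}
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// Actions match case-insensitively; resource ARNs are case-sensitive.
function matchesAny(patterns, value, ignoreCase) {
  return asList(patterns).some((p) => patternToRegex(p, ignoreCase).test(value));
}
// Operators supported here: StringEquals and Bool, each with an optional IfExists suffix;
// with IfExists, an absent context key makes that condition element true.
function conditionsHold(condition, ctx) {
  for (const [op, pairs] of Object.entries(condition || {})) {
    const ifExists = op.endsWith("IfExists");
    const base = ifExists ? op.slice(0, -"IfExists".length) : op;
    for (const [key, expected] of Object.entries(pairs)) {
      if (ctx[key] === undefined) { if (ifExists) continue; return false; }
      const actual = String(ctx[key]), want = asList(expected).map(String);
      const ok = base === "StringEquals" ? want.includes(actual)
        : base === "Bool" ? want.map((s) => s.toLowerCase()).includes(actual.toLowerCase())
        : false; // unsupported operator: never matches
      if (!ok) return false;
    }
  }
  return true;
}
function statementMatches(stmt, req) {
  const actionOk = stmt.NotAction !== undefined ? !matchesAny(stmt.NotAction, req.action, true)
    : matchesAny(stmt.Action, req.action, true);
  const resourceOk = stmt.NotResource !== undefined ? !matchesAny(stmt.NotResource, req.resource, false)
    : matchesAny(stmt.Resource, req.resource, false);
  return actionOk && resourceOk && conditionsHold(stmt.Condition, req.context || {});
}
// Any matching Deny wins; otherwise Allow if some matching Allow exists; else ImplicitDeny.
function evaluate(policies, req) {
  let allowed = false;
  for (const policy of policies) for (const stmt of asList(policy.Statement)) {
    if (!statementMatches(stmt, req)) continue;
    if (stmt.Effect === "Deny") return "ExplicitDeny";
    if (stmt.Effect === "Allow") allowed = true;
  }
  return allowed ? "Allow" : "ImplicitDeny";
}
// Constructed sample: a scoped S3 Allow beside the "MFA-required Deny" pattern.
const samplePolicies = [{ Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: "s3:Get*", Resource: "arn:aws:s3:::example-bucket/*" },
  { Effect: "Deny", Action: "*", Resource: "*",
    Condition: { BoolIfExists: { "aws:MultiFactorAuthPresent": "false" } } } ] }];
```

Note that with BoolIfExists a request whose context omits aws:MultiFactorAuthPresent is still denied, which is exactly why the preset uses the IfExists form rather than plain Bool.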

How to Use

  1. Click any Sample Policies button to load a preset, or paste your own policy JSON into the Identity-based or Resource-based tab.
  2. Use + Add Identity Policy / + Add Resource Policy to register additional policies. Each textarea accepts a complete IAM policy document ({"Version":"2012-10-17","Statement":[...]}).
  3. Fill in the Request: the Action you want to simulate (e.g. s3:GetObject), the target Resource ARN, and, for resource-based policies, the Principal ARN making the request.
  4. Add any Context Keys referenced by your Conditions. Use comma-separated values when a key has multiple values (for ForAllValues: / ForAnyValue:).
  5. Click Evaluate. The decision badge shows Allow / ExplicitDeny / ImplicitDeny, followed by the matched statements and a full evaluation trace.
  6. Click Copy Result to copy the decision, summary, and trace to your clipboard.

Important Notes

  • MVP scope. This tool implements the most common IAM evaluation logic but is not a complete replacement for the AWS Policy Simulator.
  • Not supported: Service Control Policies (SCPs), Permission Boundaries, Session Policies, VPC endpoint policies, and cross-account delegated evaluation. Identity-based and resource-based policies are evaluated side by side without the full AWS cross-account logic.
  • Dynamic tag-based authorization (e.g. aws:ResourceTag/*, aws:PrincipalTag/*) is not resolved automatically; you must provide tag values via Context Keys.
  • IP matching supports IPv4 / CIDR only; IPv6 is not handled.
  • Policy variables (e.g. ${aws:username}) are not expanded.
  • For authoritative results, always verify using the AWS Console IAM Policy Simulator against your real account.


Written by Hidekazu Konishi