How to check if an IAM access key has specific permissions?


Is it possible to check if a particular AWS IAM key has permissions for a set of specific commands?

Essentially, is there an API for AWS’s privacy simulator?

So far I’ve been using hacks, such as executing a command with incorrect parameters that utilizes the permission in question, and watching what response I get back.


This is obviously hacky. Ideally I’d have some function call like iam.check_against(resource) or something. Any suggestions?


See boto3’s simulate_principal_policy.

I’ve made this function to test for permissions (you’ll need to modify it slightly, as it’s not completely self-contained):

You need to pass the permission’s original action names to actions, like so:

Here’s an example that uses the resources and context arguments as well:

Leave a Reply