HEX
Server: Apache
System: Linux vps-cdc32557.vps.ovh.ca 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64
User: hanode (1017)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /usr/lib/python3/dist-packages/awscli/examples/iam/
Upload Files
File: //usr/lib/python3/dist-packages/awscli/examples/iam/simulate-custom-policy.rst
**To simulate the effects of all IAM policies associated with an IAM user or role**

The following ``simulate-custom-policy`` shows how to provide both the policy and define variable values and simulate an API call to see if it is allowed or denied. The following example shows a policy that enables database access only after a specified date and time. The simulation succeeds because the simulated actions and the specified ``aws:CurrentTime`` variable all match the requirements of the policy. ::

    aws iam simulate-custom-policy \
        --policy-input-list '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"*","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2018-08-16T12:00:00Z"}}}}' \
        --action-names dynamodb:CreateBackup \
        --context-entries "ContextKeyName='aws:CurrentTime',ContextKeyValues='2019-04-25T11:00:00Z',ContextKeyType=date"

Output::

    {
        "EvaluationResults": [
            {
                "EvalActionName": "dynamodb:CreateBackup",
                "EvalResourceName": "*",
                "EvalDecision": "allowed",
                "MatchedStatements": [
                    {
                        "SourcePolicyId": "PolicyInputList.1",
                        "StartPosition": {
                            "Line": 1,
                            "Column": 38
                        },
                        "EndPosition": {
                            "Line": 1,
                            "Column": 167
                        }
                    }
                ],
                "MissingContextValues": []
            }
        ]
    }

The following ``simulate-custom-policy`` example shows the results of simulating a command that is prohibited by the policy. In this example, the provided date is before that required by the policy's condition. ::

    aws iam simulate-custom-policy \
        --policy-input-list '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":"dynamodb:*","Resource":"*","Condition":{"DateGreaterThan":{"aws:CurrentTime":"2018-08-16T12:00:00Z"}}}}' \
        --action-names dynamodb:CreateBackup \
        --context-entries "ContextKeyName='aws:CurrentTime',ContextKeyValues='2014-04-25T11:00:00Z',ContextKeyType=date"

Output::

    {
        "EvaluationResults": [
            {
                "EvalActionName": "dynamodb:CreateBackup",
                "EvalResourceName": "*",
                "EvalDecision": "implicitDeny",
                "MatchedStatements": [],
                "MissingContextValues": []
            }
        ]
    }

For more information, see `Testing IAM Policies with the IAM Policy Simulator`_ in the *AWS IAM User Guide*

.. _`Testing IAM Policies with the IAM Policy Simulator`: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
@ Telegram