0
votes

I have our AWS Setup, everything is via SAML Federation (no IAM users). Users are added to groups in AD and granted roles, login via SSO.

My issue is how do I check a specific user's permissions/roles. Our AD granters say they have set it up, but the user complains it does not work.

Is there a way to actually test, can the AWS Simulator help?


1 Answer

0
votes

You can use the AWS IAM Policy Simulator to find out if a principal is allowed to execute specific actions, and if the action is explicitly denied by a particular policy that is not directly attached to the principal (e.g. a permission boundary, a service control policy, a resource policy, etc.).

You can learn more here: Testing IAM policies with the IAM policy simulator
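The simulator check described in the answer can also be scripted against the IAM role that the user's AD group maps to. This is an added example, not part of the original answer; the role ARN and action list are placeholders, and it assumes boto3 with credentials allowed to call `iam:SimulatePrincipalPolicy`.

```python
"""Added example: simulate the IAM role a federated (SAML) user assumes."""


def simulate_role(iam, role_arn, actions, resources=("*",)):
    """Return one row per (action, resource) with the simulator's decision.

    `iam` is a boto3 IAM client, or any object exposing the same
    simulate_principal_policy method (useful for offline testing).
    """
    rows, marker = [], None
    while True:
        kwargs = {
            "PolicySourceArn": role_arn,
            "ActionNames": list(actions),
            "ResourceArns": list(resources),
        }
        if marker:
            kwargs["Marker"] = marker  # continue a truncated result set
        resp = iam.simulate_principal_policy(**kwargs)
        for r in resp["EvaluationResults"]:
            boundary = r.get("PermissionsBoundaryDecisionDetail", {})
            org = r.get("OrganizationsDecisionDetail", {})
            rows.append({
                "action": r["EvalActionName"],
                "resource": r.get("EvalResourceName", "*"),
                # allowed | explicitDeny | implicitDeny
                "decision": r["EvalDecision"],
                # policies whose statements matched the request
                "matched": [s.get("SourcePolicyId")
                            for s in r.get("MatchedStatements", [])],
                "boundary_allows": boundary.get("AllowedByPermissionsBoundary"),
                "org_allows": org.get("AllowedByOrganizations"),
            })
        if not resp.get("IsTruncated"):
            return rows
        marker = resp["Marker"]


def blocked(rows):
    """Keep only the rows the role is not allowed to perform."""
    return [r for r in rows if r["decision"] != "allowed"]


if __name__ == "__main__":
    import boto3  # imported here so the functions above work without AWS access
    # Placeholder ARN: use the role the user's AD group is mapped to.
    ROLE_ARN = "arn:aws:iam::111122223333:role/EXAMPLE-federated-role"
    ACTIONS = ["s3:GetObject", "ec2:DescribeInstances"]  # actions the user reports failing
    for row in blocked(simulate_role(boto3.client("iam"), ROLE_ARN, ACTIONS)):
        print(row)
```

An `implicitDeny` row means no policy on the role grants the action, while `explicitDeny` together with `matched` points at the policy that blocks it.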