Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.4. Troubleshooting Access: CloudTrail, Access Analyzer, and Policy Simulator

💡 First Principle: When an IAM permission error occurs, the error message ("Access Denied") tells you that the call failed and, at most, which kind of policy blocked it; it does not tell you which statement, condition, or account boundary is responsible. The investigation requires tools that reveal which policy evaluation step blocked the action, who has access to what, and what actually happened in the account. AWS provides three distinct tools for this, each answering a different diagnostic question.

Three Tools, Three Questions:

  Tool                  Question answered                                           When to use
  IAM Policy Simulator  "Would this action be allowed for this principal?"          Pre-deployment testing; reproduce a reported access denial
  IAM Access Analyzer   "Who has access to this resource?"                          Audit external access; find unintended public/cross-account exposure
  CloudTrail            "What API calls were made, by whom, and were they denied?"  Post-incident investigation; find the exact action that failed

IAM Policy Simulator:

Select a principal (user/role), select an action, select a resource — the simulator evaluates all relevant policies and tells you:

  • Allowed or denied
  • Which policy caused the result
  • Whether a condition prevented access

This is the exam's go-to for "a developer says they can't access X — how do you diagnose?" before reaching for CloudTrail.
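To make the three bullets concrete, here is an added example (not AWS code and not the simulator itself): a deliberately simplified Python model of the evaluation the simulator performs, reporting the same allowed / explicitDeny / implicitDeny decisions that `aws iam simulate-principal-policy` returns in EvalDecision. The policies, role, table ARN, and VPC endpoint ID are constructed for the illustration, and the model ignores NotAction, NotResource, Principal matching, and cross-account rules. The scenarios reproduce the usual reasons a role "with PutItem in its policy" is still denied: a permissions boundary that omits the service, a condition whose key is absent from the request context, and an SCP deny.

```python
# Toy IAM policy evaluator mirroring what the Policy Simulator reports.
# Added example, not AWS code. Assumed simplifications: only Effect, Action,
# Resource and the StringEquals/StringLike/Bool condition operators are honoured;
# NotAction, NotResource, Principal matching and cross-account rules are ignored.
import fnmatch
from dataclasses import dataclass, field

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(patterns, value, case_insensitive=False):
    # IAM wildcards are * and ?; action names are case-insensitive, ARNs are not.
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False

def _condition_ok(condition, ctx):
    # A key missing from the request context fails the statement, as in the
    # simulator when no context entry is supplied for it.
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            wants = [str(w) for w in _as_list(wanted)]
            if have is None:
                return False
            if operator == "StringEquals" and have not in wants:
                return False
            if operator == "StringLike" and not any(fnmatch.fnmatchcase(have, w) for w in wants):
                return False
            if operator == "Bool" and str(have).lower() != wants[0].lower():
                return False
    return True

@dataclass
class Decision:
    result: str      # allowed | explicitDeny | implicitDeny (the simulator's EvalDecision values)
    reason: str      # the statement that produced the result
    matched: list = field(default_factory=list)            # statements that applied
    conditions_failed: list = field(default_factory=list)  # statements skipped on Condition

def evaluate(action, resource, policies, context=None):
    """policies: (name, kind, document) tuples, kind in identity|boundary|scp|resource."""
    ctx = context or {}
    denies, allows, cond_failed, matched = [], {}, [], []
    for name, kind, doc in policies:
        for i, st in enumerate(_as_list(doc["Statement"])):
            if not _match(st.get("Action", []), action, case_insensitive=True):
                continue
            if not _match(st.get("Resource", "*"), resource):
                continue
            sid = f"{name}#{st.get('Sid', i)}"
            if "Condition" in st and not _condition_ok(st["Condition"], ctx):
                cond_failed.append(sid)
                continue
            matched.append(sid)
            if st["Effect"] == "Deny":
                denies.append(sid)
            else:
                allows.setdefault(kind, sid)
    # Evaluation order: an explicit deny wins; SCP and permissions boundary must each
    # allow when present; then an identity-based or resource-based allow is required.
    if denies:
        return Decision("explicitDeny", f"explicit Deny in {denies[0]}", matched, cond_failed)
    for gate in ("scp", "boundary"):
        if any(k == gate for _, k, _ in policies) and gate not in allows:
            return Decision("implicitDeny", f"no {gate} statement allows {action}", matched, cond_failed)
    grant = allows.get("identity") or allows.get("resource")
    if grant:
        return Decision("allowed", f"allowed by {grant}", matched, cond_failed)
    return Decision("implicitDeny", f"no identity-based or resource-based policy allows {action}",
                    matched, cond_failed)

# Constructed scenario: a Lambda execution role writing to DynamoDB. ARNs and IDs are made up.
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
ROLE_POLICY = ("OrdersWriterPolicy", "identity", {"Version": "2012-10-17", "Statement": [
    {"Sid": "WriteOrders", "Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:GetItem"],
     "Resource": TABLE}]})
BOUNDARY = ("DevBoundary", "boundary", {"Version": "2012-10-17", "Statement": [   # omits DynamoDB
    {"Sid": "LogsAndS3Only", "Effect": "Allow", "Action": ["logs:*", "s3:*"], "Resource": "*"}]})
VPC_ONLY_POLICY = ("VpcOnlyPolicy", "identity", {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireVpce", "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": TABLE,
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})
ORG_SCP = ("OrgSCP", "scp", {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyDynamoDB", "Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]})

def diagnose(action="dynamodb:PutItem", resource=TABLE):
    """Run the scenarios a troubleshooter would try, in the order the page suggests."""
    cases = {
        "role policy only": ([ROLE_POLICY], None),
        "role policy + permissions boundary": ([ROLE_POLICY, BOUNDARY], None),
        "VPC-only policy, no endpoint context": ([VPC_ONLY_POLICY], None),
        "VPC-only policy, from the endpoint": ([VPC_ONLY_POLICY], {"aws:SourceVpce": "vpce-0123456789abcdef0"}),
        "role policy + SCP deny": ([ROLE_POLICY, ORG_SCP], None),
    }
    return {label: evaluate(action, resource, pols, ctx) for label, (pols, ctx) in cases.items()}
```

`diagnose()` returns the five decisions; only the first and fourth come back allowed. Against a real account the same question is `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names dynamodb:PutItem --resource-arns <table-arn>`, whose EvaluationResults carry EvalDecision and MatchedStatements, and `--context-entries` supplies condition keys such as aws:SourceVpce so that a condition-gated allow can be tested both ways.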

IAM Access Analyzer:

Analyzes resource-based policies (S3 buckets, KMS keys, IAM roles, SQS queues, Lambda functions, Secrets Manager secrets) to identify which resources are accessible from outside your account or organization. Creates a finding for each external access path.

Use cases:

  • Find S3 buckets accessible from other accounts
  • Identify KMS keys that external accounts can use
  • Audit cross-account IAM role trust relationships

Access Analyzer also validates IAM policies you're about to create (policy validation in the console editor and the validate-policy API), returning findings for syntax errors, security warnings such as over-broad permissions, and suggestions such as redundant statements.

IAM Credential Report: A downloadable CSV listing all IAM users and their credential status — when passwords were last used, whether access keys are active, when keys were last rotated, whether MFA is enabled. Used for compliance audits.

IAM Access Advisor (service last accessed data): For a specific IAM user, group, role, or policy, shows the last time each AWS service was accessed and, for some services such as S3, IAM, EC2, and Lambda, which actions were used. Use this to identify over-permissive policies: if a role hasn't used EC2 in 90 days, remove EC2 permissions. The data covers the tracking period (up to 400 days), so "never accessed" means not within that window, not never.
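As an added example (not from the page or from AWS), these are the checks an auditor actually runs over the credential report, in Python: the root account and console users without MFA, console passwords unused for 90 days, active access keys past a 90-day rotation age, and active keys that are never or no longer used. The CSV is constructed in the report's real column layout with made-up users and dates; the 90-day thresholds and the fixed clock are assumptions for the illustration. Access Advisor data is not in this file; it comes from the console or from `aws iam generate-service-last-accessed-details` followed by `get-service-last-accessed-details`.

```python
# Audit an IAM credential report: added example, not AWS code.
# The CSV is constructed in the report's column layout with made-up users;
# the 90-day thresholds and the fixed NOW are assumptions for the illustration.
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_UNUSED_DAYS = 90    # assumed "stale credential" threshold

REPORT_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2025-02-10T08:12:44+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-14T11:20:00+00:00,true,2025-03-01T15:01:10+00:00,2025-01-20T10:00:00+00:00,2025-04-20T10:00:00+00:00,true,true,2025-01-05T10:00:00+00:00,2025-03-03T09:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-11-02T08:00:00+00:00,true,2024-09-12T12:00:00+00:00,2024-09-01T12:00:00+00:00,N/A,false,true,2023-04-18T14:22:00+00:00,2025-03-02T07:45:00+00:00,eu-west-1,ec2,true,2024-12-01T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-09T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2025-02-14T10:00:00+00:00,2025-03-03T22:10:00+00:00,us-east-1,lambda,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2025, 3, 4, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

def _parse_ts(value):
    # The report writes N/A, no_information or not_supported where there is no timestamp.
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(csv_text, now=NOW):
    """Return (user, finding) pairs for every credential hygiene problem in the report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            used = _parse_ts(row["password_last_used"])
            if used and now - used > timedelta(days=MAX_UNUSED_DAYS):
                findings.append((user, f"console password unused for {(now - used).days} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive or absent keys are not a live risk
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access_key_{n} not rotated for {(now - rotated).days} days"))
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access_key_{n} active but never used"))
            elif now - last_used > timedelta(days=MAX_UNUSED_DAYS):
                findings.append((user, f"access_key_{n} unused for {(now - last_used).days} days"))
    return findings
```

Feed it the real report with `aws iam get-credential-report --query Content --output text | base64 -d` (the report is generated on demand by `aws iam generate-credential-report` and can be up to four hours old). In the constructed data, alice and ci-deploy are clean; bob and the root account produce every finding.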

Reading Access Denied in CloudTrail:

When an API call fails due to insufficient permissions, CloudTrail records the event with "errorCode": "AccessDenied" (some services report AccessDeniedException, and EC2 reports Client.UnauthorizedOperation with an encoded message you decode with sts decode-authorization-message). The "errorMessage" names the calling principal's ARN, the action, the resource and, for most services, the policy type that produced the denial: "... because no identity-based policy allows the dynamodb:PutItem action", "... because no permissions boundary allows ...", or "... with an explicit deny in a service control policy". It does not contain the ARN of the denying policy; it tells you which layer to open next (the role's policies, its permissions boundary, the organization's SCPs, the resource policy), and the Policy Simulator or the policy document itself pinpoints the statement. Two caveats: data-plane calls such as DynamoDB item operations, S3 object operations, and Lambda invocations are data events and appear only if the trail (or CloudTrail Lake event data store) has data event logging enabled for them; and for a role session the record shows the assumed-role session ARN under userIdentity.arn, with the underlying role under userIdentity.sessionContext.sessionIssuer.arn.
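The parsing a responder does by hand when reading these records, as an added example (not AWS code): it pulls the principal, the role behind the session, the action, the resource, and the policy layer named in the message out of CloudTrail records and groups the denials. The four records are constructed in the CloudTrail record format with a made-up account, role, table, and IP addresses; the regular expressions assume the current wording of IAM's denial messages quoted above.

```python
# Triage CloudTrail AccessDenied records: added example, not AWS code.
# The records are constructed in CloudTrail's record format; the account ID,
# role, table and addresses are made up. The regexes assume the current wording
# of IAM denial messages ("because no ... allows the ... action" and
# "with an explicit deny in a ...").
import re

DENIAL_CODES = {"AccessDenied", "AccessDeniedException",
                "UnauthorizedOperation", "Client.UnauthorizedOperation"}
_NO_ALLOW = re.compile(r"because no (.+?) allows the (\S+) action")
_EXPLICIT_DENY = re.compile(r"with an explicit deny in an? (.+?)(?:\.|$)")
_ON_RESOURCE = re.compile(r'on resource: "?([^\s"]+)"?')   # some services quote the ARN

def explain_denial(record):
    """Summarise one denied call; return None for a call that succeeded."""
    if record.get("errorCode") not in DENIAL_CODES:
        return None
    msg = record.get("errorMessage", "")
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    if m := _EXPLICIT_DENY.search(msg):
        cause = f"explicit deny in {m.group(1)}"
    elif m := _NO_ALLOW.search(msg):
        cause = f"no {m.group(1)} allows it"
    else:  # e.g. EC2's encoded message: decode it with `aws sts decode-authorization-message`
        cause = "not stated in message"
    res = _ON_RESOURCE.search(msg)
    return {
        "time": record.get("eventTime"),
        "principal": ident.get("arn"),   # for a role session this is the assumed-role session ARN
        "role": issuer,                  # the role behind that session, None for an IAM user
        "action": f"{record['eventSource'].split('.')[0]}:{record['eventName']}",
        "resource": res.group(1) if res else None,
        "source_ip": record.get("sourceIPAddress"),
        "error_code": record["errorCode"],
        "cause": cause,
    }

def triage(records):
    """Return (denials, counts): every denial, plus a count per (identity, action, cause)."""
    denials = [d for d in (explain_denial(r) for r in records) if d]
    counts = {}
    for d in denials:
        key = (d["role"] or d["principal"], d["action"], d["cause"])
        counts[key] = counts.get(key, 0) + 1
    return denials, counts

# Constructed records (a CloudTrail log file holds these under the "Records" key).
_ROLE_SESSION = {"type": "AssumedRole", "principalId": "AROAEXAMPLEID:orders-fn",
                 "arn": "arn:aws:sts::123456789012:assumed-role/OrdersWriterRole/orders-fn",
                 "accountId": "123456789012",
                 "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "OrdersWriterRole",
                                    "arn": "arn:aws:iam::123456789012:role/OrdersWriterRole"}}}
_DENIED_PUT = ("User: arn:aws:sts::123456789012:assumed-role/OrdersWriterRole/orders-fn is not "
               "authorized to perform: dynamodb:PutItem on resource: "
               "arn:aws:dynamodb:us-east-1:123456789012:table/Orders "
               "because no permissions boundary allows the dynamodb:PutItem action")
SAMPLE_RECORDS = [
    {"eventVersion": "1.08", "userIdentity": _ROLE_SESSION, "eventTime": "2025-03-04T10:14:58Z",
     "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.12.34"},
    {"eventVersion": "1.08", "userIdentity": _ROLE_SESSION, "eventTime": "2025-03-04T10:15:02Z",
     "eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.12.34", "errorCode": "AccessDenied", "errorMessage": _DENIED_PUT},
    {"eventVersion": "1.08", "userIdentity": _ROLE_SESSION, "eventTime": "2025-03-04T10:15:09Z",
     "eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem", "awsRegion": "us-east-1",
     "sourceIPAddress": "10.0.12.34", "errorCode": "AccessDenied", "errorMessage": _DENIED_PUT},
    {"eventVersion": "1.08",
     "userIdentity": {"type": "IAMUser", "principalId": "AIDAEXAMPLEID", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice", "accountId": "123456789012"},
     "eventTime": "2025-03-04T11:02:40Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7", "errorCode": "AccessDenied",
     "errorMessage": 'User: arn:aws:iam::123456789012:user/alice is not authorized to perform: '
                     's3:GetObject on resource: "arn:aws:s3:::orders-archive/2024/report.csv" '
                     'with an explicit deny in a service control policy'},
]
```

Over real logs, load each gzipped file with `json.load(gzip.open(path))["Records"]` and pass the list to `triage`; the counts dictionary is what you read first, because one misconfigured role usually produces hundreds of identical denials, and the cause string tells you which policy layer to open. Note that all three denials in the sample are data events (DynamoDB item operations and S3 GetObject): they exist only because data event logging was on for those resources.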

⚠️ Exam Trap: IAM Access Analyzer's external access findings only cover access from outside the zone of trust (external accounts or public). They do not tell you whether one IAM user within the same account has too much access compared to another; that is what Access Advisor and the Policy Simulator are for. (Access Analyzer has since added unused access analyzers that flag unused roles, access keys, passwords, and permissions within an account, but the classic exam framing is the external access analyzer.) For a question about "which S3 buckets are publicly accessible," the answer is IAM Access Analyzer or AWS Trusted Advisor (both check this).

Reflection Question: A Lambda function is failing with "AccessDenied" when trying to write to a DynamoDB table. The Lambda execution role has dynamodb:PutItem in its policy. What three IAM tools or features would you check (in order), and what specific issue might the Policy Simulator reveal?

Written by Alvin Varughese (Founder, 15 professional certifications)