Example of how to use IAM Policy Simulator to test IAM policy effects on permissions (also works for SCPs)

stop_run_instance.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "*"
        }
    ]
}

test_iam_action.sh

#!/bin/bash

# https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html

CUSTOM_POLICY=$(cat stop_run_instance.json)
ROLE_ARN='arn:aws:iam::012345678901:role/SAML-readonly-role'
ADMIN_ROLE_ARN='arn:aws:iam::012345678901:role/SAML-admin-role'

echo Determine if ec2:RunInstance is possible with a custom policy
aws iam simulate-custom-policy --polity-input-list "$CUSTOM_POLICY" --action-names 'ec2:RunInstances'

echo Determine if ec2:CreateVpc is possible with a custom policy
aws iam simulate-custom-policy --polity-input-list "$CUSTOM_POLICY" --action-names 'ec2:CreateVpc'

echo Check if a role can perform ec2:CreateVpc
aws iam simulate-principal-policy --policy-source-arn $ROLE_ARN --action-names 'ec2:CreateVpc'

echo Check if an admin role can perform ec2:CreateVpc
aws iam simulate-principal-policy --policy-source-arn $ADMIN_ROLE_ARN --action-names 'ec2:CreateVpc'