End of support notice: On May 20, 2026, AWS will end support for AWS SimSpace Weaver. After May 20, 2026, you will no longer be able to access the SimSpace Weaver console or SimSpace Weaver resources. For more information, see AWS SimSpace Weaver end of support.
Permissions that SimSpace Weaver creates for you
When you create a SimSpace Weaver project, the service will create an AWS Identity and Access Management (IAM) role
with the name weaver- and an IAM trust policy.
The trust policy allows SimSpace Weaver to assume the role so that it can perform operations for you.project-name-app-role
App role permissions policy
The simulation app role has the following permissions policy.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams", "logs:CreateLogGroup", "logs:CreateLogStream" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
App role trust policy
SimSpace Weaver adds a trust relationship to the simulation app role as a trust policy. SimSpace Weaver creates a trust policy for each simulation, similar to the following example.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "simspaceweaver.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:simspaceweaver:us-west-2:111122223333:simulation/MySimName*" } } } ] }
Note
In this example, the account number is 111122223333 and the simulation name is
MySimName. These values are different in your trust policies.
