by rollthehard6 1212 days ago
So much this, I don't understand why cloud providers don't offer an easy way to view this sort of thing as really it should all be in the logging anyway.
3 comments

The execution of rulesets needs to be performed synchronously and as fast as possible, since requests are blocked until they pass the permission checks; but it doesn't need any sort of replication since each request is validated independently.

Request logging can be performed asynchronously and has much more relaxed latency requirements, but data needs to be aggregated and replicated for durability.

The extremely different requirements pretty much guarantee that these will be two completely separate systems; by Conway's Law, this means two completely separate teams. In practice, logging is more aimed at business analytics and billing.

You're right that the information should be available, and there's no technical reason why it can't be made available, but there are technical reasons which influence the social reasons why it's not available.

It seems like AWS isn't good with cross-cutting concerns. E.g., instead of CloudFormation being part of a service during development, which they could even use while testing the service, every team creates a custom API and CF is an afterthought. It wouldn't surprise me if every service is also evaluating against IAM policies independently as well.
That reminds me of the latter stages of Sun Microsystems, where it seemed like multiple teams were developing competing solutions for system management and patching. It seems a wasteful model and not one that serves customers.
Many of the services were built well before CloudFormation... or before CloudFormation became popular... or before everyone was willing to make the trade-off that features come later because they had to have CloudFormation. Like any other best practice you invent along the way. I'll bet there's something about your 1/3/5/10/15-year-old that isn't up to current snuff.

People forget, AWS is massive and taking care of edge case after edge case while being in a bullet point war with other cloud providers.

Even new features sometimes don’t get CloudFormation support for quite a while (sometimes longer than third-party support like Terraform). I keep wondering why they didn’t want it for their own integration testing.
AWS had the policy simulator for IAM policies, but it hasn't been kept up to date with respect to new features (like SCPs)... Maybe they'll have something similar for this.