Users are increasingly performing tasks using remote computing resources, often referred to as part of “the cloud.” This has many advantages, as users do not have to purchase and maintain dedicated hardware and software, and instead can pay for only those resources that are needed at any given time, where those resources typically will be managed by a resource provider. Users can perform tasks such as storing data to various types of resources offered by a resource provider. The user often will have rules and policies regarding access to the user data, which may be in addition to any access policies of the resource provider. While providing a robust and flexible policy framework provides capabilities users desire, the complexity can result in policies that do not perform as expected. While a system could attempt to predict the impact of a change in policy, the inability to determine the source of the policy, or any changes to the policy, can make such predictions inaccurate at best.