diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
index 42734e1e34c..82fbdaa1be8 100644
--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -84,6 +84,9 @@ const (
 // PermissionPassthroughCreds is a permission set required when using passthrough credentials.
 PermissionPassthroughCreds PermissionGroup = "permission-passthrough-creds"
+
+ // PermissionEmptyCreds is a required permission set when a credential mode is not provided.
+ PermissionEmptyCreds PermissionGroup = "permission-empty-creds"
 )
 var permissions = map[PermissionGroup][]string{
@@ -173,7 +176,6 @@ var permissions = map[PermissionGroup][]string{
 "iam:ListRoles",
 "iam:ListUsers",
 "iam:PassRole",
- "iam:SimulatePrincipalPolicy",
 "iam:TagInstanceProfile",
 "iam:TagRole",
@@ -370,12 +372,10 @@ var permissions = map[PermissionGroup][]string{
 "iam:ListAccessKeys",
 "iam:PutUserPolicy",
 "iam:TagUser",
- "iam:SimulatePrincipalPolicy", // needed so we can verify the above list of course
 },
 PermissionPassthroughCreds: {
 // so we can query whether we have the below list of creds
 "iam:GetUser",
- "iam:SimulatePrincipalPolicy",
 // openshift-ingress
 "elasticloadbalancing:DescribeLoadBalancers",
@@ -430,6 +430,10 @@ var permissions = map[PermissionGroup][]string{
 "iam:GetUserPolicy",
 "iam:ListAccessKeys",
 },
+ PermissionEmptyCreds: {
+ // needed so we can verify the other required permissions
+ "iam:SimulatePrincipalPolicy",
+ },
 }
 // ValidateCreds will try to create an AWS session, and also verify that the current credentials
diff --git a/pkg/asset/permissions/permissions.go b/pkg/asset/permissions/permissions.go
index 4ed3983a2a4..afa9404fec9 100644
--- a/pkg/asset/permissions/permissions.go
+++ b/pkg/asset/permissions/permissions.go
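Review bot: The doc comment on the new `PermissionEmptyCreds` constant in the first hunk says the set is required "when a credential mode is not provided" but not why, and the comment inside the new map entry in the last hunk ("needed so we can verify the other required permissions") reads as if that verification happens in every mode, even though the same commit drops `iam:SimulatePrincipalPolicy` from the mint and passthrough groups. The intent appears to be that the installer's own policy simulation only runs when credentialsMode is unset; if so, record that at the definition, e.g. `// PermissionEmptyCreds holds the permissions the installer itself needs to simulate the other groups. It is only required when no credentialsMode is set, which is the only case in which the installer runs that simulation.` The entry comment could then read `// used by the installer to verify the other groups; confirm the cluster does not need it at runtime`. Keeping an IAM simulation permission out of the credential the cluster carries is the right least-privilege direction, but the reason it is safe to remove from the other groups should be written down so a later change does not re-add it.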
@@ -55,6 +55,10 @@ func (o *Permissions) Generate(ctx context.Context, dependencies asset.Parents)
 // Include permissions needed by CCO/cluster for passthrough creds mode
 reqGroups = append(reqGroups, awsconfig.PermissionPassthroughCreds)
 default:
+ // Include permissions needed by installer and CCO to perform permission checks.
+ if ic.Config.CredentialsMode == "" {
+ reqGroups = append(reqGroups, awsconfig.PermissionEmptyCreds)
+ }
 // Include permissions needed by CCO/cluster for mint creds mode
 reqGroups = append(reqGroups, awsconfig.PermissionMintCreds)
 }
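Review bot: The added `if ic.Config.CredentialsMode == ""` sits inside `default:`, so an explicitly configured Mint mode takes the same branch and is left without `iam:SimulatePrincipalPolicy`, while the new comment says the permission is needed by both the installer and CCO for permission checks. If CCO's mint-mode path still simulates policies at runtime, that configuration is now under-provisioned; if it does not, the comment overstates who needs the permission. Either confirm and narrow the comment to `// The installer only simulates permissions when no credentialsMode is set; include what it needs for that check.`, or lift the check out of `default:` into its own `case "":` that appends both `PermissionEmptyCreds` and `PermissionMintCreds`, so the empty-mode behaviour is visible in the switch rather than nested under the mint fallthrough. Generate's body begins and ends outside the hunk.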