From antigravity-awesome-skills
Reviews and hardens AWS IAM policies following least privilege and security best practices. Includes checks for overly permissive policies, MFA enforcement, and access key management.
How this skill is triggered — by the user, by Claude, or both
Slash command
/antigravity-awesome-skills:aws-iam-best-practicesThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review and harden IAM policies following AWS security best practices and least privilege principles.
Review and harden IAM policies following AWS security best practices and least privilege principles.
Use this skill when you need to review IAM policies, implement least privilege access, or harden IAM security.
Least Privilege
Defense in Depth
Separation of Duties
# List policies with full admin access
aws iam list-policies --scope Local \
--query 'Policies[*].[PolicyName,Arn]' --output table | \
grep -i admin
# Find policies with wildcard actions
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \
while read arn; do
version=$(aws iam get-policy --policy-arn "$arn" \
--query 'Policy.DefaultVersionId' --output text)
doc=$(aws iam get-policy-version --policy-arn "$arn" \
--version-id "$version" --query 'PolicyVersion.Document')
if echo "$doc" | grep -q '"Action": "\*"'; then
echo "Wildcard action in: $arn"
fi
done
# Find inline policies (should use managed policies)
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
policies=$(aws iam list-user-policies --user-name "$user" \
--query 'PolicyNames' --output text)
if [ -n "$policies" ]; then
echo "Inline policies on user $user: $policies"
fi
done
# List users without MFA
aws iam get-credential-report --output text | \
awk -F, 'NR>1 && $4=="false" {print $1}'
# Check if MFA is required in policies
aws iam list-policies --scope Local --query 'Policies[*].Arn' --output text | \
while read arn; do
version=$(aws iam get-policy --policy-arn "$arn" \
--query 'Policy.DefaultVersionId' --output text)
doc=$(aws iam get-policy-version --policy-arn "$arn" \
--version-id "$version" --query 'PolicyVersion.Document')
if echo "$doc" | grep -q "aws:MultiFactorAuthPresent"; then
echo "MFA enforced in: $arn"
fi
done
# Enable MFA for a user (returns QR code)
aws iam create-virtual-mfa-device \
--virtual-mfa-device-name user-mfa \
--outfile /tmp/qr.png \
--bootstrap-method QRCodePNG
# Find old access keys (>90 days)
aws iam list-users --query 'Users[*].UserName' --output text | \
while read user; do
aws iam list-access-keys --user-name "$user" \
--query 'AccessKeyMetadata[*].[AccessKeyId,CreateDate,Status]' \
--output text | \
while read key_id create_date status; do
age_days=$(( ($(date +%s) - $(date -d "$create_date" +%s)) / 86400 ))
if [ $age_days -gt 90 ]; then
echo "$user: Key $key_id is $age_days days old"
fi
done
done
# Rotate access key
OLD_KEY="<AWS_ACCESS_KEY_ID>"
USER="myuser"
# Create new key
NEW_KEY=$(aws iam create-access-key --user-name "$USER")
echo "New key created. Update applications, then run:"
echo "aws iam delete-access-key --user-name $USER --access-key-id $OLD_KEY"
# Deactivate old key (test first)
aws iam update-access-key \
--user-name "$USER" \
--access-key-id "$OLD_KEY" \
--status Inactive
# List unused roles (no activity in 90 days)
aws iam list-roles --query 'Roles[*].[RoleName,RoleLastUsed.LastUsedDate]' \
--output text | \
while read role last_used; do
if [ "$last_used" = "None" ]; then
echo "Never used: $role"
fi
done
# Find roles with trust relationships to external accounts
aws iam list-roles --query 'Roles[*].RoleName' --output text | \
while read role; do
trust=$(aws iam get-role --role-name "$role" \
--query 'Role.AssumeRolePolicyDocument')
if echo "$trust" | grep -q '"AWS":'; then
echo "External trust: $role"
fi
done
# Analyze policy permissions
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:user/myuser \
--action-names s3:GetObject s3:PutObject \
--resource-arns arn:aws:s3:::mybucket/*
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/user-data/${aws:username}/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringLike": {
"s3:prefix": "user-data/${aws:username}/*"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2026-01-01T00:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime": "2026-12-31T23:59:59Z"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"203.0.113.0/24",
"198.51.100.0/24"
]
}
}
}
]
}
User Management
Policy Management
Role Management
Monitoring
#!/usr/bin/env python3
# iam-hardening.py
import boto3
from datetime import datetime, timedelta
iam = boto3.client('iam')
def enforce_mfa():
"""Identify users without MFA"""
users = iam.list_users()['Users']
no_mfa = []
for user in users:
mfa_devices = iam.list_mfa_devices(
UserName=user['UserName']
)['MFADevices']
if not mfa_devices:
no_mfa.append(user['UserName'])
return no_mfa
def rotate_old_keys():
"""Find access keys older than 90 days"""
users = iam.list_users()['Users']
old_keys = []
for user in users:
keys = iam.list_access_keys(
UserName=user['UserName']
)['AccessKeyMetadata']
for key in keys:
age = datetime.now(key['CreateDate'].tzinfo) - key['CreateDate']
if age.days > 90:
old_keys.append({
'user': user['UserName'],
'key_id': key['AccessKeyId'],
'age_days': age.days
})
return old_keys
def find_overpermissive_policies():
"""Find policies with wildcard actions"""
policies = iam.list_policies(Scope='Local')['Policies']
overpermissive = []
for policy in policies:
version = iam.get_policy_version(
PolicyArn=policy['Arn'],
VersionId=policy['DefaultVersionId']
)
doc = version['PolicyVersion']['Document']
for statement in doc.get('Statement', []):
if statement.get('Action') == '*':
overpermissive.append(policy['PolicyName'])
break
return overpermissive
if __name__ == "__main__":
print("IAM Hardening Report")
print("=" * 50)
print("\nUsers without MFA:")
for user in enforce_mfa():
print(f" - {user}")
print("\nOld access keys (>90 days):")
for key in rotate_old_keys():
print(f" - {key['user']}: {key['age_days']} days")
print("\nOverpermissive policies:")
for policy in find_overpermissive_policies():
print(f" - {policy}")
kiro-cli chat "Use aws-iam-best-practices to review my IAM setup"
kiro-cli chat "Create a least privilege policy with aws-iam-best-practices"
npx claudepluginhub anthony-chaudhary/antigravity-awesome-skills31plugins reuse this skill
First indexed Jun 3, 2026
Showing the 6 earliest of 31 plugins
Reviews and hardens AWS IAM policies following least privilege and security best practices. Includes checks for overly permissive policies, MFA enforcement, and access key management.
Hardens AWS IAM configurations to enforce least privilege across cloud accounts. Covers policy scoping, permission boundaries, Access Analyzer, and credential rotation.
Reviews AWS IAM identity policies, trust policies, resource policies, permission boundaries, SCPs, session policies, role design, pass-role, federation, and Access Analyzer findings for least-privilege risk.