npx claudepluginhub aws/agent-toolkit-for-aws --plugin aws-core
This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.
When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.
CloudTrail:
?region= forces specific region.
STS:
Organizations:
SDK Specifics:
DuplicatePolicyAttachmentException (not PolicyAlreadyAttachedException).
activate(), deactivate(), delete() — NO update().
time.sleep(10) pattern.
SAML:
https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID.
Policy Evaluation:
Use a Null condition in addition to the ForAllValues operator on the same context key to require that key to be present and non-null (ForAllValues alone evaluates to true when the key is absent from the request context). For example, when evaluating the aws:TagKeys context key:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Alpha", "Beta"]
      },
      "Null": {
        "aws:TagKeys": "false"
      }
    }
  }
}
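To make the difference concrete, the following is an added example (not AWS code and not part of this skill): a toy evaluator that models the documented semantics of ForAllValues:StringEquals, ForAnyValue:StringEquals and Null, then runs the Condition block above, with and without the Null check, against constructed request contexts. The operator set is deliberately limited to those three; nothing is sent to AWS.

```python
"""Toy evaluator for the condition operators in the policy above.

Added example, not AWS code or part of this skill: it models the documented
semantics of ForAllValues:StringEquals (matches when the key is absent),
ForAnyValue:StringEquals (requires at least one match) and Null, and runs
them over constructed request contexts. No AWS API is called.
"""
from typing import Dict, List, Union

# Request context: condition key -> values supplied by the request.
Context = Dict[str, List[str]]


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _match_one(operator: str, key: str, allowed: List[str], ctx: Context) -> bool:
    """Evaluate one operator/key pair against the request context."""
    present = bool(ctx.get(key))
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it present.
        want_absent = allowed[0].lower() == "true"
        return present != want_absent
    if operator == "ForAllValues:StringEquals":
        # Vacuously true when the key is missing; otherwise every supplied
        # value must be in the allowed set.
        return (not present) or all(v in allowed for v in ctx[key])
    if operator == "ForAnyValue:StringEquals":
        return present and any(v in allowed for v in ctx[key])
    raise ValueError(f"unsupported operator: {operator}")


def condition_matches(condition: dict, ctx: Context) -> bool:
    """A Condition block matches only if every operator and key matches."""
    return all(
        _match_one(op, key, _as_list(vals), ctx)
        for op, pairs in condition.items()
        for key, vals in pairs.items()
    )


# Constructed conditions: the page's Condition block without and with Null.
FOR_ALL_ONLY = {"ForAllValues:StringEquals": {"aws:TagKeys": ["Alpha", "Beta"]}}
FOR_ALL_WITH_NULL = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Alpha", "Beta"]},
    "Null": {"aws:TagKeys": "false"},
}

if __name__ == "__main__":
    # Constructed request contexts: no tags, allowed tags, a disallowed tag.
    for ctx in ({}, {"aws:TagKeys": ["Alpha"]}, {"aws:TagKeys": ["Alpha", "Gamma"]}):
        print(ctx, "ForAllValues only:", condition_matches(FOR_ALL_ONLY, ctx),
              "with Null:", condition_matches(FOR_ALL_WITH_NULL, ctx))
```

The untagged request (empty context) is the case that matters: with ForAllValues alone it matches, so RunInstances without any tags would be allowed; adding Null:false closes that path while still rejecting a request carrying a tag key outside the allowed set.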
iam:PassRole with Resource: "*" + create/update on a compute service (EC2 RunInstances, Lambda CreateFunction/UpdateFunctionConfiguration, ECS RegisterTaskDefinition, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope Resource to specific role ARNs or an IAM path; optionally constrain with iam:PassedToService / iam:AssociatedResourceArn. See IAM User Guide — Grant a user permissions to pass a role.
MFA:
SigV4:
Service-Specific Roles:
redshift-serverless.amazonaws.com AND redshift.amazonaws.com as service principals (per AWS docs; omitting serverless causes Not authorized to get credentials of role on COPY).
Policy Summary Display:
codebuild:*, codecommit:*) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").
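Returning to the iam:PassRole note under Policy Evaluation above, the following is an added example (not part of this skill and not AWS code) of the review check a policy audit would run: it walks an IAM policy document and reports Allow statements that grant iam:PassRole on an unscoped Resource while the same policy also allows an action that launches compute under a passed role. The EC2, Lambda and ECS action names are the ones the note lists; the Glue, SageMaker and CloudFormation entries and the sample policies (including the 12-digit account id) are constructed for illustration.

```python
"""Scanner for the iam:PassRole escalation pattern noted above.

Added example (not part of this skill or of AWS): it walks an IAM policy
document and reports statements that allow iam:PassRole on an unscoped
Resource while the same policy also allows an action that launches compute
under a passed role. Policy documents below are constructed for illustration.
"""
import fnmatch
import re
from typing import Dict, List

# Actions that accept a role and run code as it. The EC2, Lambda and ECS
# entries come from the note above; the Glue, SageMaker and CloudFormation
# entries are representative additions (extend for your environment).
COMPUTE_ACTIONS = [
    "ec2:RunInstances",
    "lambda:CreateFunction",
    "lambda:UpdateFunctionConfiguration",
    "ecs:RegisterTaskDefinition",
    "glue:CreateJob",
    "sagemaker:CreateNotebookInstance",
    "cloudformation:CreateStack",
]

# "*" or an ARN whose role name is only "*" covers every passable role.
_UNSCOPED_ROLE = re.compile(r"^arn:aws:iam::(\*|\d{12}):role/\*$")


def _listify(v) -> List[str]:
    if v is None:
        return []
    return [v] if isinstance(v, str) else list(v)


def _statements(policy: Dict) -> List[Dict]:
    stmt = policy.get("Statement", [])
    return [stmt] if isinstance(stmt, dict) else list(stmt)


def _covers(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and use "*" / "?" wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _unscoped(resource: str) -> bool:
    return resource == "*" or bool(_UNSCOPED_ROLE.match(resource))


def find_passrole_risks(policy: Dict) -> List[str]:
    """Return one finding per risky PassRole statement; [] means clean.

    Only Allow statements with Action/Resource are examined; NotAction,
    Deny and Condition blocks are not modelled, so treat hits as leads for
    review rather than proof of escalation.
    """
    allowed: List[str] = []
    passrole_idx: List[int] = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _listify(stmt.get("Action"))
        allowed.extend(actions)
        if any(_covers(a, "iam:PassRole") for a in actions) and any(
            _unscoped(r) for r in _listify(stmt.get("Resource"))
        ):
            passrole_idx.append(i)

    findings = []
    for i in passrole_idx:
        launchers = sorted({c for c in COMPUTE_ACTIONS if any(_covers(a, c) for a in allowed)})
        if launchers:
            findings.append(
                f"Statement {i}: iam:PassRole on unscoped Resource combined with "
                + ", ".join(launchers)
            )
    return findings


# Constructed sample policies (the account id is a placeholder).
RISKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::123456789012:role/app/*",
            "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}},
        },
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("risky", RISKY_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_passrole_risks(pol) or ["no findings"])
```

The scoped policy passes because its Resource is an IAM path rather than "*" and it adds the iam:PassedToService constraint the note recommends; the scanner treats only a bare "*" or a role name of "*" as unscoped, so a path-scoped ARN is accepted without inspecting the Condition block.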