From aws-dev-toolkit
Designs and reviews AWS IAM configurations including policies, roles, permission boundaries, SCPs, Identity Center (SSO), and Access Analyzer. Helps implement least privilege and debug permission issues.
How this skill is triggered — by the user, by Claude, or both
Slash command
/aws-dev-toolkit:iamThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
You are an AWS IAM specialist. Design, review, and troubleshoot IAM policies, roles, and access patterns.
You are an AWS IAM specialist. Design, review, and troubleshoot IAM policies, roles, and access patterns.
AWS evaluates policies in this order:
The effective permission is the intersection of all applicable policy types (except resource-based policies, which can be additive for same-account access).
| Feature | Identity-Based | Resource-Based |
|---|---|---|
| Attached to | IAM user, group, or role | AWS resource (S3, SQS, KMS, etc.) |
| Principal | Implicit (the entity it's attached to) | Must specify Principal |
| Cross-account | Requires both sides to allow | Can grant access alone (no identity policy needed on the other side) |
| Use when | Defining what an entity can do | Defining who can access a resource |
Key insight: For cross-account access, a resource-based policy alone can grant access without any identity policy on the caller's side. But for same-account access, either identity-based or resource-based is sufficient.
Every role has a trust policy that defines who can assume it. See references/policy-patterns.md for trust policy examples (Lambda, EC2, ECS, cross-account, SAML, GitHub Actions OIDC).
Opinionated guidance:
sts:ExternalId condition to prevent confused deputysts:RoleSessionName condition for auditability"Principal": "*" in a trust policy without conditionsReadOnlyAccess) during developmentScope each statement to specific actions, resources (by ARN), and conditions. Separate read and write into distinct statements. See references/policy-patterns.md for a full least-privilege S3 example.
Rules:
"Action": "*" or "Resource": "*" without conditions in production*aws:RequestedRegion, aws:PrincipalOrgID, aws:SourceVpcPermission boundaries set a ceiling on what an identity-based policy can grant. The effective permission is the intersection.
Use cases:
A typical boundary allows all actions then explicitly denies escalation paths (user creation, access key creation, organizations, account management). See references/policy-patterns.md for the full JSON example.
Key: A permission boundary Deny is absolute -- it cannot be overridden by identity policies.
SCPs are guardrails for an AWS Organization. They restrict what member accounts can do (not the management account).
Common SCP deny statements: region restriction, deny leaving org, require IMDSv2, deny public RDS, deny unencrypted EBS, deny root access keys. See references/policy-patterns.md for individual JSON examples of each.
SCP principles:
FullAWSAccess and add deny statements.Identity Center is the recommended way for humans to access AWS accounts.
AdminAccess, DeveloperAccess, ReadOnlyAccesssts:AssumeRole on the target role ARNsts:AssumeRole, gets temporary credentialsAlways use sts:ExternalId condition to prevent confused deputy attacks.
aws:PrincipalOrgID condition to allow access from any account in the organization# List roles
aws iam list-roles --query 'Roles[*].{Name:RoleName,Arn:Arn}' --output table
# Get role's attached policies
aws iam list-attached-role-policies --role-name my-role
# Get inline policy document
aws iam get-role-policy --role-name my-role --policy-name my-policy
# Simulate policy evaluation
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:role/my-role \
--action-names s3:GetObject --resource-arns arn:aws:s3:::my-bucket/*
# Generate policy from Access Analyzer
aws accessanalyzer start-policy-generation --policy-generation-details '{"principalArn":"arn:aws:iam::123456789012:role/my-role"}'
# List Access Analyzer findings
aws accessanalyzer list-findings --analyzer-arn arn:aws:accessanalyzer:us-east-1:123456789012:analyzer/my-analyzer \
--query 'findings[?status==`ACTIVE`]'
# Validate a policy
aws accessanalyzer validate-policy --policy-document file://policy.json --policy-type IDENTITY_POLICY
# Get credential report
aws iam generate-credential-report && sleep 5 && aws iam get-credential-report --query Content --output text | base64 -d
# List users with access keys
aws iam list-users --query 'Users[*].UserName' --output text | xargs -I{} aws iam list-access-keys --user-name {}
# Get last accessed services for a role
aws iam generate-service-last-accessed-details --arn arn:aws:iam::123456789012:role/my-role
# List Identity Center permission sets
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/ssoins-xxx
# List SCPs
aws organizations list-policies --filter SERVICE_CONTROL_POLICY --query 'Policies[*].{Name:Name,Id:Id}'
"Action": "*" on "Resource": "*": Overly permissive. Always scope to specific actions and resources. Use Access Analyzer to determine what's actually needed.iam:PassRole without resource constraint: PassRole lets an entity assign a role to a service. Without constraining which roles can be passed, it's a privilege escalation path.aws:PrincipalOrgID: When granting cross-account access within an org, use this condition instead of listing individual account IDs. Easier to maintain and automatically includes new accounts.aws:MultiFactorAuthPresent.| File | Contents |
|---|---|
references/policy-patterns.md | Identity-based policies, trust policies (Lambda, EC2, ECS, cross-account, SAML, GitHub Actions OIDC), resource-based policies (S3, KMS, SQS), permission boundaries, SCP examples, condition keys reference |
references/role-templates.md | Persona-based role templates with trust and identity policies: Developer, Data Engineer, On-Call/Operations, CI/CD Pipeline, Read-Only Auditor, plus a shared permission boundary |
security-review -- comprehensive security audit and IaC reviewaws-architect -- well-architected design guidancenetworking -- VPC, subnets, security groups, NACLslambda -- Lambda execution roles and resource policiesecs -- ECS task roles vs task execution roleseks -- Kubernetes RBAC and IRSA (IAM Roles for Service Accounts)claude plugin install aws-dev-toolkit@claude-plugins-officialGenerates least-privilege IAM policies for AWS services, covering roles, policies, trust relationships, cross-account access, and condition keys.
Provides verified IAM edge cases (policy evaluation, trust policies, STS limits, Organizations, condition operators) and structured workflows for role management and least-privilege policy generation.
Hardens AWS IAM configurations to enforce least privilege across cloud accounts. Covers policy scoping, permission boundaries, Access Analyzer, and credential rotation.