Provides AWS CloudFormation patterns for IAM roles, policies, managed policies, permission boundaries, and trust relationships. Use for least-privilege access, cross-account assumptions, service roles, and reusable stacks.
From developer-kit-awsnpx claudepluginhub giuseppe-trisciuoglio/developer-kit --plugin developer-kit-awsThis skill is limited to using the following tools:
references/examples.mdreferences/reference.mdGuides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.
Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.
Optimizes cloud costs on AWS, Azure, GCP via rightsizing, tagging strategies, reserved instances, spot usage, and spending analysis. Use for expense reduction and governance.
Use this skill to model IAM with CloudFormation in a way that stays secure, auditable, and maintainable.
The most important design concerns are:
Do not treat SKILL.md as a full IAM encyclopedia. Use the bundled references for larger policy examples and service-specific variants.
Identify who or what assumes the role (service principal, cross-account principal, or federated identity), then write the trust policy with explicit principals and conditions before adding permissions.
Use inline policies for role-specific access; use managed policies for shared patterns across principals. Scope actions and resources tightly, and use conditions where possible.
Use permission boundaries when teams create or extend roles in their own stacks, when guardrails are needed around privileged services (IAM, KMS, Organizations), or to separate maximum allowed permissions from application-specific policies.
Name roles and policies consistently so stack outputs and audits remain easy to trace.
For cross-account roles: trust only the exact source account or principal, add sts:ExternalId conditions when appropriate, keep permission and trust policies separate, and export only the ARNs that consuming accounts need.
Before rollout, use these commands to verify the template and IAM behavior:
# Validate CloudFormation template syntax
aws cloudformation validate-template --template-body file://template.yaml
# Preview changes before applying
aws cloudformation create-change-set \
--stack-name <stack-name> \
--template-body file://template.yaml \
--change-set-type CREATE
# Simulate whether a principal can perform specific actions
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789012:role/LambdaExecutionRole \
--action-names dynamodb:GetItem dynamodb:PutItem
# Check for wildcards in IAM policies within the template
aws cloudformation list-stack-resources --stack-name <stack-name>
After deployment, confirm policy attachments and stack outputs match the intended security model.
Resources:
LambdaExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: DynamoDbWritePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- dynamodb:GetItem
- dynamodb:PutItem
Resource: !GetAtt OrdersTable.Arn
Resources:
PartnerReadRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::123456789012:role/partner-reader
Action: sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: partner-contract-001
Keep the trust relationship narrow and pair it with a separate read-only permission policy.
references/ instead of bloating the root skill.references/examples.mdreferences/reference.mdaws-cloudformation-securityaws-cloudformation-ec2aws-cloudformation-ecsaws-cloudformation-lambda