From aws-core
Corrects AI mistakes on AWS IAM pitfalls: policy evaluation edge cases, STS session limits, Organizations quirks, SAML/MFA specifics. Use when working with IAM roles, policies, STS, Organizations.
Slash command: /aws-core:aws-iam
This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.
When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.
CloudTrail:
?region= forces specific region.
STS:
Organizations:
SDK Specifics:
DuplicatePolicyAttachmentException (not PolicyAlreadyAttachedException).
activate(), deactivate(), delete() — NO update().
time.sleep(10) pattern.
SAML:
https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID.
Policy Evaluation:
Null condition in addition to the ForAllValues on the same context key to require that key to be present and non-null. For example, when evaluating the aws:TagKeys context key:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "ForAllValues:StringEquals": {
        "aws:TagKeys": ["Alpha", "Beta"]
      },
      "Null": {
        "aws:TagKeys": "false"
      }
    }
  }
}
```
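To see why the Null block is needed, here is an added Python model (not part of this skill or of any AWS code) of the two condition operators used in the policy above, run against constructed request contexts: a request that carries no aws:TagKeys matches ForAllValues vacuously, and only the Null condition stops the Allow from applying to it.

```python
import json

# Constructed copy of the ForAllValues + Null policy discussed above.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "ForAllValues:StringEquals": {"aws:TagKeys": ["Alpha", "Beta"]},
      "Null": {"aws:TagKeys": "false"}
    }
  }
}
""")


def condition_matches(operator, key_values, context):
    """Model the two condition operators used above over a request context.
    `context` maps a context key to its list of values; a key missing from the
    dict is absent (null) in the request. Unmodelled operators raise."""
    for key, wanted in key_values.items():
        values = context.get(key)
        if operator == "Null":
            # "true" matches only when the key is absent, "false" only when present.
            want_absent = str(wanted).lower() == "true"
            if (values is None) != want_absent:
                return False
        elif operator == "ForAllValues:StringEquals":
            allowed = {wanted} if isinstance(wanted, str) else set(wanted)
            # Absent key: nothing to compare, so the operator matches vacuously.
            if values is not None and not set(values) <= allowed:
                return False
        else:
            raise NotImplementedError(operator)
    return True


def evaluate(policy, context, with_null=True):
    """True when the single Allow statement applies to `context`;
    with_null=False drops the Null block to show ForAllValues on its own."""
    conditions = dict(policy["Statement"].get("Condition", {}))
    if not with_null:
        conditions.pop("Null", None)
    return all(condition_matches(op, kv, context) for op, kv in conditions.items())
```

Run `evaluate(POLICY, {})` with and without `with_null` to compare the two outcomes for a tagless RunInstances request.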
iam:PassRole with Resource: "*" + create/update on a compute service (EC2 RunInstances, Lambda CreateFunction/UpdateFunctionConfiguration, ECS RegisterTaskDefinition, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope Resource to specific role ARNs or an IAM path; optionally constrain with iam:PassedToService / iam:AssociatedResourceArn. See IAM User Guide — Grant a user permissions to pass a role.
MFA:
SigV4:
Service-Specific Roles:
redshift-serverless.amazonaws.com AND redshift.amazonaws.com as service principals (per AWS docs; omitting serverless causes "Not authorized to get credentials of role" on COPY).
Policy Summary Display:
codebuild:*, codecommit:*) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").

Install: npx claudepluginhub aws/agent-toolkit-for-aws --plugin aws-core