- Home
- Skills
- Giuseppe Trisciuoglio
- Developer Kit
- Aws Cloudformation Iam
aws-cloudformation-iam_skill
- Python
99
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill giuseppe-trisciuoglio/developer-kit --skill aws-cloudformation-iam- SKILL.md47.9 KB
Overview
This skill provides production-ready AWS CloudFormation patterns for creating and managing IAM users, roles, policies, and managed policies. It focuses on implementing least-privilege, permission boundaries, cross-account access, and modular template structure to support secure, repeatable deployments. Use the patterns to standardize IAM infrastructure across environments and teams.
How this skill works
The skill delivers CloudFormation template patterns and examples that define Parameters, Mappings, Conditions, Resources, and Outputs for IAM constructs. It includes ready-made role trust policies, inline and managed policy documents, permission boundary templates, cross-account role patterns using STS, and export/import patterns for cross-stack references. Templates are designed for modularity (nested stacks) and environment-specific configuration via mappings and parameters.
When to use it
- Creating IAM users with programmatic or console access using CloudFormation
- Defining IAM roles for services (Lambda, EC2, ECS, EKS) with correct assume-role policies
- Implementing least-privilege policies and managed policies for teams and services
- Configuring cross-account access with roles, external IDs, and STS
- Applying permission boundaries to limit maximum permissions for developers
- Organizing templates with Parameters, Mappings, Conditions, and nested stacks
Best practices
- Enforce least-privilege by specifying exact actions and resource ARNs rather than wildcards
- Use PermissionsBoundary managed policies to cap effective privileges for IAM principals
- Store sensitive seeds (initial passwords, access keys) in Secrets Manager and reference them in outputs only when necessary
- Validate names and values with parameter constraints and AWS-specific parameter types for stronger template input validation
- Export role and policy ARNs from a core IAM stack and import them into application stacks to centralize identity management
- Require MFA for console users and rotate access keys regularly via parameterized rotation frequency
Example use cases
- Create a Lambda execution role with the minimal managed policies and a trust policy for lambda.amazonaws.com
- Provision developer IAM users with a permissions boundary and a Secrets Manager secret holding initial credentials
- Build a cross-account read role that trusts a specific account root ARN and requires an external ID
- Split IAM resources into nested stacks: users, roles, and policies to enable independent updates and clear ownership
- Import a central execution role ARN into application stacks using Export/Import to avoid duplicating IAM definitions
FAQ
Export centralized policy and role ARNs from an IAM core stack and import them into application stacks; define narrow resource ARNs and specific actions in policy documents.
When should I use permission boundaries vs. managed policies?
Use permission boundaries to cap the maximum permissions an identity can obtain. Use managed policies to grant specific sets of permissions that can be attached and versioned.
Can I include secrets like access keys in templates?
Avoid embedding secrets in templates. Generate keys in CloudFormation but store credentials in Secrets Manager and reference the secret ARN in outputs if necessary.