iam_skill
- Python
976
GitHub Stars
3
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill itsmostafa/aws-agent-skills --skill iam- best-practices.md7.1 KB
- policies.md6.7 KB
- SKILL.md6.9 KB
Overview
This skill helps manage AWS Identity and Access Management (IAM) for users, roles, policies, and permissions. It provides patterns and commands to create service roles, craft least-privilege policies, configure cross-account access, and troubleshoot permission errors. Use it to automate IAM tasks, validate permissions, and enforce secure access controls.
How this skill works
The skill inspects IAM constructs such as identity-based and resource-based policies, trust relationships, managed and inline policies, and permission boundaries. It generates CLI and boto3 examples to create roles, attach policies, and assume roles across accounts. It also guides simulation and debugging steps for AccessDenied issues and highlights key CLI commands and flags for scripting.
When to use it
- Creating service roles for Lambda, EC2, or other AWS services
- Designing or attaching least-privilege custom policies
- Configuring cross-account role assumption and ExternalId protections
- Troubleshooting AccessDenied and AssumeRole failures
- Auditing permissions, running simulations, and reviewing trust policies
Best practices
- Avoid daily use of the root account; use IAM users and roles instead
- Enable MFA for human users and require MFA in sensitive policies
- Apply least privilege and use permission boundaries for delegated admin
- Prefer roles and temporary credentials over long-term access keys
- Enable CloudTrail and IAM Access Analyzer for monitoring and policy validation
Example use cases
- Create a Lambda service role with a trust policy and attach AWS managed policy via CLI or boto3
- Write a tight DynamoDB policy granting GetItem/PutItem/Query to a specific table ARN
- Configure a cross-account role with ExternalId and demonstrate sts:assume-role from the trusting account
- Simulate a principal policy to verify a specific API call and debug AccessDenied errors
- Split large policies into multiple managed policies to work around size limits
FAQ
Verify caller identity with sts get-caller-identity, list attached policies, use aws iam simulate-principal-policy for the action and resource, and check SCPs or permission boundaries for explicit denies.
When should I use resource-based vs identity-based policies?
Use resource-based policies when you need the resource to grant access directly (S3, SQS). Use identity-based policies to grant permissions to users, groups, or roles that will act on multiple resources.