PluginBench
Skill
Pass
Audit score 90

aws-iam

aws/agent-toolkit-for-aws

How to install aws-iam

npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-iam
Claude Code
Cursor
Windsurf
Cline
Full instructions (SKILL.md)

Source of truth, from aws/agent-toolkit-for-aws.


name: aws-iam description: "Verified corrections for IAM behaviors that AI agents frequently get
\ wrong \u2014 policy evaluation edge cases, trust policy gotchas, STS session limits,
\ Organizations quirks, and SAML/MFA specifics. Use alongside documentation when
\ working with IAM roles, policies, STS, or Organizations. Do NOT use for non-IAM
\ authorization like Cognito user-pool policies or app-level RBAC." version: 1

AWS IAM — Common Pitfalls

About This Skill

This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.

When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.

Verified Edge Cases

CloudTrail:

  • AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization.
  • ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1. ?region= forces specific region.

STS:

  • GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity.
  • Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account.
  • Role chaining: max 1-hour session.

Organizations:

  • Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close.
  • Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator.
  • AI opt-out policies: management account required by default.
  • Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY.

SDK Specifics:

  • Organizations: DuplicatePolicyAttachmentException (not PolicyAlreadyAttachedException).
  • Boto3 IAM AccessKey: methods are activate(), deactivate(), delete() — NO update().
  • Instance profiles: waiter + time.sleep(10) pattern.
  • Managed policy max versions: 5.

SAML:

  • Encrypted assertions URL: https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID.
  • Private key from IdP uploaded to IAM in .pem format.

Policy Evaluation:

  • ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a Null condition in addition to the ForAllValues on the same context key to require that key to be present and non-null. For example, when evaluating the aws:TagKeys context key:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringEquals": {
                "aws:TagKeys": ["Alpha", "Beta"]
            },
            "Null": {
                "aws:TagKeys": "false"
            }
        }
    }
}
  • Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account.
  • 8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy.
  • iam:PassRole with Resource: "*" + create/update on a compute service (EC2 RunInstances, Lambda CreateFunction/UpdateFunctionConfiguration, ECS RegisterTaskDefinition, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope Resource to specific role ARNs or an IAM path; optionally constrain with iam:PassedToService / iam:AssociatedResourceArn. See IAM User Guide — Grant a user permissions to pass a role.

MFA:

  • Unassigned virtual MFA devices auto-deleted when adding new ones.
  • MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice.

SigV4:

  • IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis.

Service-Specific Roles:

  • Redshift Serverless trust policy: include BOTH redshift-serverless.amazonaws.com AND redshift.amazonaws.com as service principals (per AWS docs; omitting serverless causes Not authorized to get credentials of role on COPY).
  • IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022).

Policy Summary Display:

  • Single statement with multi-service wildcard actions (e.g. codebuild:*, codecommit:*) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").

Related skills

More from aws/agent-toolkit-for-aws and the wider catalog.

AW

aws-serverless

aws/agent-toolkit-for-aws

Builds, deploys, manages, debugs, configures, and optimizes serverless applications on AWS using Lambda, API Gateway, Step Functions, EventBridge, and SAM/CDK. Covers cold starts, CORS debugging, event source mappings, troubleshooting, concurrency, SnapStart, Powertools, function URLs, EventBridge Scheduler, Lambda layers, and production readiness. Triggers on mentions of Lambda, API Gateway, Step Functions, SAM templates, CDK serverless stacks, DynamoDB stream triggers, SQS event sources, cold starts, timeouts, 502/504 errors, throttling, concurrency, CORS, Powertools, or any event-driven architecture on AWS, even without the word "serverless." Does not apply to EC2, ECS/Fargate containers, or Amplify hosting.

2.4k installsAudited
AW

aws-cdk

aws/agent-toolkit-for-aws

Authors, deploys, and troubleshoots AWS infrastructure using CDK with TypeScript or Python. Covers best practices, stack architecture, and construct patterns. Always use when writing CDK constructs, bootstrapping environments, running cdk deploy/synth/diff, fixing CDK or CloudFormation errors, planning stack structure, importing existing resources, resolving drift, or refactoring stacks without resource replacement.

2.3k installsAudited
AW

aws-observability

aws/agent-toolkit-for-aws

Builds, configures, debugs, and optimizes AWS observability using CloudWatch (Logs Insights, Metrics, Alarms, Dashboards, EMF), X-Ray, CloudTrail, and ADOT. Covers Log Insights query syntax (fields, filter, stats, parse, pattern, join, subqueries), alarm configuration (metric, composite, anomaly detection, missing data treatment), dashboard design, custom metrics (PutMetricData, EMF, metric filters), X-Ray tracing (ADOT, sampling rules, annotations vs metadata), ADOT collector config, and CloudTrail auditing. Use when the user mentions CloudWatch, Log Insights, alarms, INSUFFICIENT_DATA, dashboards, custom metrics, EMF, X-Ray, traces, sampling, CloudTrail, who deleted, ADOT, OpenTelemetry, observability, monitoring, synthetics, canaries, or troubleshooting alarm behavior. Do NOT use for application logging setup, container log drivers, or security threat detection.

2.2k installsAudited
AM

amazon-bedrock

aws/agent-toolkit-for-aws

Builds generative AI applications on Amazon Bedrock. Covers model invocation (Converse API, InvokeModel), RAG with Knowledge Bases, Bedrock Agents, Guardrails, and AgentCore. Use when invoking models, setting up Knowledge Bases, creating agents, applying guardrails, deploying to AgentCore, troubleshooting Bedrock errors (ThrottlingException, AccessDeniedException), or choosing models (Claude, Llama, Nova, Titan). ALSO USE for prompt caching setup and debugging, quota health checks and throttling diagnosis, cost attribution and tracking, migrating between Claude model generations (4.5 to 4.6 to 4.7), chunking strategies, API selection (Converse vs InvokeModel), guardrail capabilities, and model selection. Also covers AgentCore Payments setup (x402, microtransactions, Payment Manager, Connector, Instrument, Coinbase CDP, Stripe Privy, 402 Payment Required, pay for content, paid endpoint, agent payments). NOT for custom model training, Rekognition, or Comprehend.

2.1k installs
AW

aws-billing-and-cost-management

aws/agent-toolkit-for-aws

|

2.1k installs
AW

aws-cloudformation

aws/agent-toolkit-for-aws

Author, validate, and troubleshoot AWS CloudFormation templates. Covers template authoring with secure defaults, pre-deployment validation (cfn-lint, cfn-guard, change sets), and root-cause diagnosis of failed stacks using CloudFormation events and CloudTrail correlation.

2.1k installs