iam

Manage AWS Identity and Access Management: configure users, roles, policies, and permissions for secure cloud environments.

Introduction

The IAM skill provides comprehensive support for AWS security and access control, allowing agents to manage identities, resources, and permissions effectively. It is designed for cloud engineers, DevOps practitioners, and security architects who need to enforce the principle of least privilege while ensuring that services like Lambda, EC2, and S3 interact securely. The skill covers identity-based and resource-based policies, role-based access control (RBAC), and trust relationships for cross-account access.

  • Expert guidance on creating, modifying, and troubleshooting JSON-based IAM policies, permission boundaries, and Service Control Policies (SCPs).

  • Assistance in configuring IAM roles, trust relationships for service assumption (e.g., sts:AssumeRole), and federated identity setups.

  • Debugging support for common AWS authorization issues such as AccessDeniedException, using policy simulation and credential report analysis.

  • Security hardening workflows, such as enabling MFA, rotating access keys, and auditing root account usage via CloudTrail and IAM Access Analyzer.

  • Automated generation of boto3 calls and AWS CLI commands, ensuring compliant and repeatable infrastructure-as-code (IaC) deployment.

  • Users should provide specific resource ARNs, account IDs, or action patterns to receive precise policy generation.

  • Input requirements often include the target service, required API actions, and the intended principal (user/role/service).

  • Outputs include fully formed JSON policy documents, bash scripts for CLI execution, or debugging steps for existing configurations.

  • Be aware of the constraints regarding global vs. regional resources and of the implicit-deny default in IAM policy evaluation.

  • Always prioritize least-privilege principles by using explicit resource scoping instead of wildcards where possible.

Repository Stats

Stars: 1,081
Forks: 437
Open Issues: 15
Language: Python
Default Branch: main
Sync Status: Idle
Last Synced: Apr 29, 2026, 05:34 AM