aws-iam-best-practices
Review and Harden IAM Policies
This skill helps Claude and Codex users implement AWS IAM best practices by reviewing policies, identifying overly permissive access, and generating least-privilege IAM configurations.
Download the skill ZIP
Upload in Claude
Go to Settings → Capabilities → Skills → Upload skill
Toggle on and start using
Test it
Using "aws-iam-best-practices". Review my IAM policies for security issues
Expected outcome:
Security Review Summary:
- Found 3 policies with wildcard (*) actions
- 5 users without MFA enabled
- 2 access keys older than 90 days
- Recommendations provided for each finding
Using "aws-iam-best-practices". Create a least privilege policy for S3 access
Expected outcome:
IAM Policy Generated:
- Allows s3:GetObject and s3:PutObject to specific bucket prefix
- Uses ${aws:username} for user-specific access
- Includes ListBucket condition for prefix restriction
Security Audit
Safe. All 48 static findings are false positives. The skill contains legitimate AWS CLI commands for IAM security auditing, AWS documentation URLs, RFC5737 documentation IP addresses, and standard IAM policy syntax. This is a defensive security skill focused on IAM hardening and least privilege implementation with no malicious functionality.
What You Can Build
Security Engineer Auditing IAM
Security engineer reviews AWS account IAM configurations quarterly, identifying overly permissive policies and users without MFA for remediation
Developer Creating S3 Access Policy
Developer creates a least-privilege S3 access policy that grants only required permissions to specific bucket prefixes
DevOps Implementing MFA Enforcement
DevOps team implements MFA-required policies to enforce multi-factor authentication for sensitive AWS operations
Try These Prompts
Review my IAM policies for common security issues like overly permissive actions, wildcard resources, or missing conditions.
Find all IAM users in my account that do not have MFA enabled and generate a list for remediation.
Create an IAM policy that allows read and write access to a specific S3 bucket prefix for a single user, using conditions for security.
Generate an IAM policy that denies all actions unless the requester has authenticated with MFA.
Best Practices
- Use AWS managed policies instead of inline policies for better auditability and reusability
- Implement least privilege by granting only the specific actions needed for each use case
- Enable MFA for all users, especially those with administrative access
Avoid
- Using wildcard (*) in Action or Resource elements - always specify exact permissions
- Granting administrative access as a default - use role-based access control instead
- Skipping regular access reviews - schedule quarterly IAM policy audits
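Added example, not the skill's own code: a small Python linter for the findings the review summary and the "Avoid" list describe (wildcard actions and resources, Allow statements on a wildcard resource with no Condition), plus the two policies the prompts ask for, the per-user S3 prefix policy using ${aws:username} and the deny-unless-MFA policy. The bucket name, the sample policy and the finding wording are constructed assumptions.

```python
"""Added example: a policy linter for the findings the skill reports (wildcard
actions/resources, missing conditions) plus the two policies it generates."""


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return a finding string per issue in one policy document (a dict)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: wildcard resource")
            if "Condition" not in stmt:
                findings.append(f"statement {i}: wildcard resource with no Condition")
    return findings


def s3_prefix_policy(bucket):
    """Least-privilege S3 access to a per-user prefix selected by ${aws:username}."""
    return {"Version": "2012-10-17", "Statement": [
        {   # ListBucket is bucket-level, so the prefix limit must be a condition
            "Effect": "Allow", "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringLike": {"s3:prefix": ["${aws:username}/*"]}}},
        {   # object actions are scoped by the resource ARN itself
            "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"arn:aws:s3:::{bucket}/${{aws:username}}/*"}]}


def mfa_required_policy():
    """Deny every action when the request was not authenticated with MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


# Constructed sample of the over-broad policy the review flags.
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
```

Running `lint_policy` over the generated policies returns no findings, which is the check to keep in a pipeline before a policy is attached.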