一键导入
aws-iam
Create and debug AWS IAM policies with least-privilege. Use on 'IAM policy', 'permission denied', 'access denied', 'not authorized', 'create role'.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Create and debug AWS IAM policies with least-privilege. Use on 'IAM policy', 'permission denied', 'access denied', 'not authorized', 'create role'.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Airflow DAG patterns, KubernetesPodOperator, and debugging. Use on 'dag', 'airflow', 'task', 'operator', 'KPO', 'scheduler', 'XCom'.
Create architecture diagrams with draw.io MCP server. Use on 'diagram', 'architecture', 'drawio', 'flowchart', 'visualize'.
Git operations including commits, branches, worktrees, and safety protocols. Use on 'git', 'commit', 'branch', 'worktree', 'rebase', 'merge'.
Helm chart policies, bitnami legacy repo, and release management. Use on 'helm-skill' or 'load helm skill'.
Kubernetes security best practices for manifests and Helm charts. Use on 'k8s security', 'manifest audit', 'helm security review', 'pod hardening'.
Build Python/K8s/AWS with minimal code. Every line is a liability. Use on 'build', 'implement', 'add', 'create', 'deploy'. Prioritizes deletion, reuse, and configuration over new code.
| name | aws-iam |
| description | Create and debug AWS IAM policies with least-privilege. Use on 'IAM policy', 'permission denied', 'access denied', 'not authorized', 'create role'. |
Create least-privilege IAM policies and debug access issues.
**{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DescriptiveName",
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::bucket/path/*",
"Condition": {
"StringEquals": {"aws:PrincipalTag/team": "myteam"}
}
}]
}
# Check CloudTrail for denied requests
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=EventName,AttributeValue=<operation> \
--query 'Events[?contains(CloudTrailEvent, `AccessDenied`)]'
# Test if policy allows action
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::123456789:role/MyRole \
--action-names s3:GetObject \
--resource-arns arn:aws:s3:::mybucket/mykey
| Error | Check | Fix |
|---|---|---|
| Explicit deny | Check SCPs, permission boundaries | Remove deny statement |
| Missing action | Policy doesn't include action | Add specific action |
| Wrong resource | ARN doesn't match | Fix resource ARN pattern |
| Condition failed | Condition block not met | Check tags, VPC, etc. |
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
}
{
"Effect": "Allow",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT:oidc-provider/OIDC"},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"OIDC:sub": "system:serviceaccount:NAMESPACE:SA_NAME"
}
}
}
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::OTHER_ACCOUNT:root"},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {"sts:ExternalId": "UNIQUE_ID"}
}
}
# List attached policies
aws iam list-attached-role-policies --role-name MyRole
# Get policy document
aws iam get-role-policy --role-name MyRole --policy-name MyPolicy
# Who can assume this role?
aws iam get-role --role-name MyRole --query 'Role.AssumeRolePolicyDocument'
# Test credentials
aws sts get-caller-identity
"Action": "*" -> Too broad"Resource": "*" -> Too broadCondition -> Consider adding