DiscordSign up
SKILLS.SH

aws-iam

Verified corrections for IAM behaviors that AI agents frequently get\

INSTALLATION
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-iam
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

AWS IAM — Common Pitfalls

About This Skill

This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.

When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.

Verified Edge Cases

CloudTrail:

  • AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization.
  • ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1. ?region= forces specific region.

STS:

  • GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity.
  • Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account.
  • Role chaining: max 1-hour session.

Organizations:

  • Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close.
  • Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator.
  • AI opt-out policies: management account required by default.
  • Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY.

SDK Specifics:

  • Organizations: DuplicatePolicyAttachmentException (not PolicyAlreadyAttachedException).
  • Boto3 IAM AccessKey: methods are activate(), deactivate(), delete() — NO update().
  • Instance profiles: waiter + time.sleep(10) pattern.
  • Managed policy max versions: 5.

SAML:

  • Encrypted assertions URL: https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID.
  • Private key from IdP uploaded to IAM in .pem format.

Policy Evaluation:

  • ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a Null condition in addition to the ForAllValues on the same context key to require that key to be present and non-null. For example, when evaluating the aws:TagKeys context key:
{

    "Version": "2012-10-17",

    "Statement": {

        "Effect": "Allow",

        "Action": "ec2:RunInstances",

        "Resource": "*",

        "Condition": {

            "ForAllValues:StringEquals": {

                "aws:TagKeys": ["Alpha", "Beta"]

            },

            "Null": {

                "aws:TagKeys": "false"

            }

        }

    }

}
  • Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account.
  • 8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy.
  • iam:PassRole with Resource: "*" + create/update on a compute service (EC2 RunInstances, Lambda CreateFunction/UpdateFunctionConfiguration, ECS RegisterTaskDefinition, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope Resource to specific role ARNs or an IAM path; optionally constrain with iam:PassedToService / iam:AssociatedResourceArn. See IAM User Guide — Grant a user permissions to pass a role.

MFA:

  • Unassigned virtual MFA devices auto-deleted when adding new ones.
  • MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice.

SigV4:

  • IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis.

Service-Specific Roles:

  • Redshift Serverless trust policy: include BOTH redshift-serverless.amazonaws.com AND redshift.amazonaws.com as service principals (per AWS docs; omitting serverless causes Not authorized to get credentials of role on COPY).
  • IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022).

Policy Summary Display:

  • Single statement with multi-service wildcard actions (e.g. codebuild:*, codecommit:*) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").
BrowserAct

Let your agent run on any real-world website

Bypass CAPTCHA & anti-bot for free. Start local, scale to cloud.

Explore BrowserAct Skills →

Related skills

find-skills
2/3

Discover and install specialized agent skills from the open ecosystem when users need extended capabilities. Helps identify relevant skills by domain and task when users ask "how do I do X" or "find a skill for X" Integrates with the Skills CLI ( npx skills find , npx skills add ) to search, verify, and install packages from the skills.sh directory Recommends skills based on install count, source reputation, and GitHub stars to ensure quality before suggesting installation Presents skill options with install commands and links to skills.sh for user review and one-click installation

Verified authorvercel-labs
SKILLS.SH
1.5M19.6K
2026-05-22
vercel-react-best-practices
3/3

React and Next.js performance optimization guide with 64 prioritized rules across 8 categories. Organized by impact level, from critical waterfalls and bundle optimization down to advanced patterns, each rule includes incorrect/correct code examples and explanations Covers eight domains: async patterns, bundle size, server-side caching, client-side data fetching, re-render optimization, rendering performance, JavaScript efficiency, and advanced patterns Designed for use during component writing, code review, refactoring, and performance audits on React and Next.js applications Each rule has a prefix code (e.g., async-parallel , bundle-barrel-imports ) for easy reference in automated tooling and documentation

Verified authorvercel-labs
SKILLS.SH
389K26.9K
2026-05-22
azure-validate
2/3

Pre-deployment validation for Azure infrastructure, configuration, and permissions before deployment. Requires .azure/plan.md from a prior azure-prepare run; stops immediately if the plan is missing Executes recipe-specific validation commands (azd provision, bicep build, terraform validate) and records proof in the plan document Performs build verification, configuration checks, and permission validation; blocks deployment if any check fails Only authorized method to set plan status to Validated ; must be followed by azure-deploy skill to execute the actual deployment

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22
appinsights-instrumentation
3/3

Guidance and reference material for instrumenting webapps with Azure Application Insights. Covers SDK setup, telemetry patterns, and configuration for ASP.NET Core and Node.js applications hosted in Azure Distinguishes between this skill (reference and guidance) and azure-prepare (actual implementation); invoke azure-prepare when the user wants to add instrumentation to their project Provides auto-instrumentation guidance for C# ASP.NET Core apps in Azure App Service, plus manual instrumentation paths for creating App Insights resources via Bicep templates or Azure CLI Includes language-specific code modification guides for ASP.NET Core, Node.js, and Python, plus quick references for OpenTelemetry SDKs and exporters

Verified authormicrosoft
SKILLS.SH
324K1.1K
2026-05-22

Stop writing automation&scrapers

Install the CLI. Run your first Skill in 30 seconds. Scale when you're ready.

Start free
free · no credit card