
iam-policy-auditor skill

/skills/anmolnagpal/iam-policy-auditor

This skill analyzes AWS IAM policies to detect over-privilege and generates least-privilege replacements to reduce risk.

npx playbooks add skill openclaw/skills --skill iam-policy-auditor


SKILL.md
---
name: aws-iam-policy-auditor
description: Audit AWS IAM policies and roles for over-privilege, wildcard permissions, and least-privilege violations
tools: claude, bash
version: "1.0.0"
pack: aws-security
tier: security
price: 49/mo
---

# AWS IAM Policy Auditor

You are an AWS IAM security expert. IAM misconfiguration is the #1 AWS breach vector.

## Steps
1. Parse IAM policy JSON — identify all actions, resources, and conditions
2. Flag dangerous patterns (wildcards, admin-equivalent, no conditions)
3. Map to real attack scenarios using MITRE ATT&CK Cloud
4. Generate least-privilege replacement policy
5. Score overall risk level

## Dangerous Patterns to Flag
- `"Action": "*"` — full AWS access
- `"Resource": "*"` with sensitive actions — unscoped permissions
- `iam:PassRole` without condition — role escalation
- `sts:AssumeRole` with no condition — cross-account trust abuse
- `iam:CreatePolicyVersion` — privilege escalation primitive
- `s3:*` on `*` — full S3 access
- Any action with `"Effect": "Allow"` and no condition on production resources

## Output Format
- **Risk Score**: Critical / High / Medium / Low with justification
- **Findings Table**: action/resource, risk, attack scenario
- **MITRE ATT&CK Mapping**: technique ID + name per high-risk permission
- **Remediation**: corrected least-privilege policy JSON with inline comments
- **IAM Access Analyzer Check**: recommend enabling if not active

## Rules
- Explain each permission in plain English first, then the attack path
- Generate a minimal replacement policy that preserves intended functionality
- Flag policies attached to EC2 instance profiles — these are the most dangerous
- End with a summary count of Critical/High/Medium/Low findings

Overview

This skill audits AWS IAM policies and roles to detect over-privilege, wildcard permissions, and least-privilege violations. It provides clear risk scoring, maps risky permissions to real attack scenarios, and generates minimal replacement policies. Use it to quickly triage IAM exposures and get actionable remediation guidance.

How this skill works

The auditor parses IAM policy JSON to extract actions, resources, effects, and conditions. It flags dangerous patterns like wildcard actions/resources, admin-equivalent permissions, unconstrained iam:PassRole and sts:AssumeRole, and other escalation primitives. It maps high-risk permissions to MITRE ATT&CK Cloud techniques, calculates an overall risk score, and produces a least-privilege replacement policy with remediation steps.
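The parse-and-flag steps described above, as an added example written for this page rather than the skill's own implementation: it walks an IAM policy document, applies the wildcard and escalation-primitive checks from the SKILL.md list to each Allow statement, and rates the result, raising the level one step when the policy sits on an instance profile. The sample policy, the severity ladder and the one-step bump are constructed assumptions, not values from the skill.

```python
import json

# Constructed sample (not from the skill): an instance-profile policy that mixes
# several of the flagged patterns with one correctly conditioned statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreatePolicyVersion"], "Resource": "*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/app",
         "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}},
    ],
})

# Actions from the skill's "Dangerous Patterns to Flag" list.
CONDITION_REQUIRED = {"iam:PassRole", "sts:AssumeRole"}  # dangerous when unconditioned
ALWAYS_FLAG = {"iam:CreatePolicyVersion"}                 # escalation primitive as such
LEVELS = ["Low", "Medium", "High", "Critical"]            # assumed severity ladder

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows a string or a list

def audit_policy(policy_json):
    """Return (severity, action, reason) tuples for every flagged Allow grant."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen privilege
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        conditioned = bool(stmt.get("Condition"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append(("Critical", action, "full AWS access"))
            elif action in CONDITION_REQUIRED and not conditioned:
                findings.append(("Critical", action, "escalation action without condition"))
            elif action in ALWAYS_FLAG:
                findings.append(("Critical", action, "privilege escalation primitive"))
            elif action.endswith(":*") and unscoped:
                findings.append(("High", action, "full service access on any resource"))
            elif unscoped:
                findings.append(("Medium", action, "sensitive action on unscoped resource"))
    return findings

def risk_score(findings, instance_profile=False):
    """Worst finding sets the level; instance-profile attachment bumps it one step."""
    worst = max((LEVELS.index(f[0]) for f in findings), default=0)
    if instance_profile and findings:
        worst = min(worst + 1, len(LEVELS) - 1)
    return LEVELS[worst]
```

The conditioned sts:AssumeRole statement in the sample produces no finding, which is the behaviour the "Require conditions" best practice below expects.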

When to use it

  • Review newly created or modified IAM policies before deployment
  • Audit existing roles and policies for privilege creep
  • Triage alerts from cloud security tools or IAM Access Analyzer
  • Assess instance profile policies attached to EC2 or other compute
  • Verify cross-account trust and role assumption configurations

Best practices

  • Prefer scoped actions and explicit resource ARNs over wildcards
  • Require conditions for iam:PassRole and sts:AssumeRole to limit scope
  • Enable IAM Access Analyzer and integrate its findings with audits
  • Use service-specific least-privilege policies rather than full-service wildcards
  • Rotate and monitor credentials, and review policies on a schedule

Example use cases

  • Scan a policy that grants s3:* on * and get a scoped S3 policy replacement
  • Detect iam:PassRole with no condition and produce a conditional remediation
  • Score a role attached to an EC2 instance profile and prioritize remediation
  • Map high-risk permissions to MITRE ATT&CK techniques for incident response
  • Automate periodic audits to report Critical/High/Medium/Low findings

FAQ

How does the risk score get calculated?

Risk is derived from dangerous patterns, resource scope, presence of escalation primitives, and whether the policy is attached to high-risk principals such as instance profiles.

Will the auditor change my live policies?

No. It only analyzes policies and outputs a suggested least-privilege replacement; you must apply changes manually or via your automation pipeline.

Does it handle inline policies and managed policies?

Yes. It parses both inline and managed policies, and highlights differences when a managed policy is attached to multiple principals.