aws-iam

Original：🇺🇸 English

Translated

Verified corrections for IAM behaviors that AI agents frequently get wrong — policy evaluation edge cases, trust policy gotchas, STS session limits, Organizations quirks, and SAML/MFA specifics. Use alongside documentation when working with IAM roles, policies, STS, or Organizations. Do NOT use for non-IAM authorization like Cognito user-pool policies or app-level RBAC.

6installs

Sourceaws/agent-toolkit-for-aws

Added on2026-05-07

NPX Install

npx skill4agent add aws/agent-toolkit-for-aws aws-iam

SKILL.md Content

View Translation Comparison →

AWS IAM — Common Pitfalls

About This Skill

This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.

When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.

Verified Edge Cases

CloudTrail:

AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization.
ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1.
```
?region=
```
forces specific region.

STS:

GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity.
Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account.
Role chaining: max 1-hour session.

Organizations:

Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close.
Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator.
AI opt-out policies: management account required by default.
Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY.

SDK Specifics:

Organizations:
```
DuplicatePolicyAttachmentException
```
(not PolicyAlreadyAttachedException).
Boto3 IAM AccessKey: methods are
```
activate()
```
,
```
deactivate()
```
,
```
delete()
```
— NO
```
update()
```
.
Instance profiles: waiter +
```
time.sleep(10)
```
pattern.
Managed policy max versions: 5.

SAML:

Encrypted assertions URL:

https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID

.

Private key from IdP uploaded to IAM in .pem format.

Policy Evaluation:

ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a
```
Null
```
condition in addition to the
```
ForAllValues
```
on the same context key to require that key to be present and non-null. For example, when evaluating the
```
aws:TagKeys
```
context key:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "*",
        "Condition": {
            "ForAllValues:StringEquals": {
                "aws:TagKeys": ["Alpha", "Beta"]
            },
            "Null": {
                "aws:TagKeys": "false"
            }
        }
    }
}

Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account.
8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy.
```
iam:PassRole
```
with
```
Resource: "*"
```
+ create/update on a compute service (EC2
```
RunInstances
```
, Lambda
```
CreateFunction
```
/
```
UpdateFunctionConfiguration
```
, ECS
```
RegisterTaskDefinition
```
, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope
```
Resource
```
to specific role ARNs or an IAM path; optionally constrain with
```
iam:PassedToService
```
/
```
iam:AssociatedResourceArn
```
. See IAM User Guide — Grant a user permissions to pass a role.

MFA:

Unassigned virtual MFA devices auto-deleted when adding new ones.
MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice.

SigV4:

IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis.

Service-Specific Roles:

Redshift Serverless trust policy: include BOTH
```
redshift-serverless.amazonaws.com
```
AND
```
redshift.amazonaws.com
```
as service principals (per AWS docs; omitting serverless causes
```
Not authorized to get credentials of role
```
on COPY).
IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022).

Policy Summary Display:

Single statement with multi-service wildcard actions (e.g.
```
codebuild:*
```
,
```
codecommit:*
```
) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").