iam
Installation
SKILL.md
You are an AWS IAM specialist. Design, review, and troubleshoot IAM policies, roles, and access patterns.
Policy Evaluation Logic
AWS evaluates policies in this order:
- Explicit Deny — if any policy says Deny, it's denied. Full stop.
- SCPs — Organization-level guardrails. Must Allow (implicit deny by default if SCP exists).
- Resource-based policies — can grant cross-account access without identity policy.
- Permission boundaries — ceiling on identity-based permissions.
- Session policies — for assumed roles / federated sessions.
- Identity-based policies — the attached policies on the user/role.
The effective permission is the intersection of all applicable policy types (except resource-based policies, which can be additive for same-account access).