{"id":"a7df5969-9103-4c55-bc79-9ab7e881e004","shortId":"LsZctz","kind":"skill","title":"Audit AWS IAM policies for risky permissions with Cloudsplaining","tagline":"Use Cloudsplaining when an agent needs to flag privilege-escalation paths and overbroad IAM permissions before an AWS policy change reaches production.","description":"# Audit AWS IAM policies for risky permissions with Cloudsplaining\n\nUse Cloudsplaining when an agent needs to flag privilege-escalation paths and overbroad IAM permissions before an AWS policy change reaches production.\n\n## Prerequisites\n\nPython 3, AWS IAM policy JSON or account data, and Cloudsplaining.\n\n## Installation\n\nUse the upstream install or setup path that matches your environment:\n- brew tap salesforce/cloudsplaining https://github.com/salesforce/cloudsplaining\n- brew install cloudsplaining\n\nRequirements and caveats from upstream:\n- [![Python Version](https://img.shields.io/pypi/pyversions/cloudsplaining)](#)\n- You must have the privileges to run [iam:GetAccountAuthorizationDetails](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountAuthorizationDetails.html). The arn:aws:iam::aws:policy/SecurityAudit policy i...\n- default-iam-results.json: This contains the raw JSON output of the report. You can use this data file for operating on the scan results for various purposes. For example, you could write a Python script that parses th...\n\nBasic usage or getting-started notes:\n- [Example report](https://opensource.salesforce.com/cloudsplaining/)\n- Cloudsplaining also identifies IAM Roles that can be assumed by AWS Compute Services (such as EC2, ECS, EKS, or Lambda), as they can present greater risk than user-defined roles - especially if the AWS Compute service...\n- You can also specify a custom exclusions file to filter out results that are False Positives for various reasons. 
For example, User Policies are permissive by design, whereas System roles are generally more restrictiv...\n\n- Source: https://github.com/salesforce/cloudsplaining\n- Extracted from upstream docs: https://raw.githubusercontent.com/salesforce/cloudsplaining/HEAD/README.md\n\n## Documentation\n\n- https://cloudsplaining.readthedocs.io/en/latest/\n\n## Source\n\n- [Agent Skill Exchange](https://agentskillexchange.com/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining/)","tags":["audit","aws","iam","policies","for","risky","permissions","with","cloudsplaining","skills","agentskillexchange","agent-skills"],"capabilities":["skill","source-agentskillexchange","skill-audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining","topic-agent-skills","topic-ai-agents","topic-ai-tools","topic-awesome-list","topic-claude-code","topic-codex","topic-cursor","topic-llm","topic-mcp","topic-npx-skills","topic-openclaw","topic-skills-catalog"],"categories":["skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/agentskillexchange/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add agentskillexchange/skills","source_repo":"https://github.com/agentskillexchange/skills","install_from":"skills.sh"}},"qualityScore":"0.454","qualityRationale":"deterministic score 0.45 from registry signals: · indexed on github topic:agent-skills · 8 github stars · SKILL.md body (2,002 
chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:09:29.766Z","embedding":null,"createdAt":"2026-05-18T13:15:14.642Z","updatedAt":"2026-05-18T19:09:29.766Z","lastSeenAt":"2026-05-18T19:09:29.766Z",
"prices":[{"id":"bd321e98-3ea9-4500-bd7c-8fdffd0c3799","listingId":"a7df5969-9103-4c55-bc79-9ab7e881e004","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"agentskillexchange","category":"skills","install_from":"skills.sh"},"createdAt":"2026-05-18T13:15:14.642Z"}],"sources":[{"listingId":"a7df5969-9103-4c55-bc79-9ab7e881e004","source":"github","sourceId":"agentskillexchange/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining","sourceUrl":"https://github.com/agentskillexchange/skills/tree/main/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining","isPrimary":false,"firstSeenAt":"2026-05-18T13:15:14.642Z","lastSeenAt":"2026-05-18T19:09:29.766Z"}],"details":{"listingId":"a7df5969-9103-4c55-bc79-9ab7e881e004","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"agentskillexchange","slug":"audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining","github":{"repo":"agentskillexchange/skills","stars":8,"topics":["agent-skills","ai-agents","ai-tools","awesome-list","claude-code","codex","cursor","llm","mcp","npx-skills","openclaw","skills-catalog"],"license":"mit","html_url":"https://github.com/agentskillexchange/skills","pushed_at":"2026-05-18T19:02:17Z","description":"The open catalog of AI agent skills — 2,000+ security-scanned skills for Claude Code, Cursor, Codex, and 
more.","skill_md_sha":"cacba6691eab7c647b0ab132b6600120dce56c30","skill_md_path":"skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/agentskillexchange/skills/tree/main/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining"},"layout":"multi","source":"github","category":"skills","frontmatter":{"name":"Audit AWS IAM policies for risky permissions with Cloudsplaining","description":"Use Cloudsplaining when an agent needs to flag privilege-escalation paths and overbroad IAM permissions before an AWS policy change reaches production."},"skills_sh_url":"https://skills.sh/agentskillexchange/skills/audit-aws-iam-policies-for-risky-permissions-with-cloudsplaining"},"updatedAt":"2026-05-18T19:09:29.766Z"}}