Watadot Aws Iam

IAM security patterns by Watadot Studio. Manage users, roles, and policy verification.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description: IAM management. Declared requirement: aws CLI. No unrelated credentials, binaries, or install steps. The aws CLI is an appropriate and expected dependency for this purpose.
Instruction Scope
SKILL.md contains concrete aws CLI commands for listing users, checking access keys, assuming roles, and fetching policy documents — all within IAM scope. Two minor notes: (1) the 'find unused access keys' example uses a hard-coded date (2025-12-31), which is likely a copy/paste or stale example and can produce incorrect results; (2) the assume-role command returns temporary credentials — the instructions do not say how to handle or store them, so an operator should ensure they are handled securely. Otherwise the instructions do not reference unrelated files, env vars, or external endpoints.
Install Mechanism
Instruction-only skill with no install spec. This is low risk because nothing is downloaded or written by the skill itself.
Credentials
No required environment variables or credentials are declared. The skill relies on the operator's configured AWS credentials (as expected for aws CLI usage). No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request permanent presence or modify other skills or system-wide settings.
Assessment
This skill is coherent and appears to do what it says: run aws CLI IAM checks. Before using it: (1) ensure the aws CLI is installed and configured with appropriate, least-privilege credentials (prefer read-only/IAM-read policies for audits); (2) review and adjust the example filters (the access-key check uses a hard-coded 2025-12-31 date — replace with a proper relative date or use aws iam get-access-key-last-used for accuracy); (3) when using sts assume-role, handle temporary credentials securely (don't persist them in logs or public places); (4) run commands in a non-production account or with limited permissions first to confirm behavior; (5) remember that outputs will reflect what the AWS credentials used can access — do not run these commands from an account you don't trust. Overall there are no unexplained env or network requirements and no install-time code, so the risk surface is limited to whatever your configured AWS credentials permit.

Current version: v1.0.0

Runtime requirements

🔐 Clawdis
Any bin: aws

SKILL.md

AWS IAM Skills

Security-first identity and access management patterns.

🚀 Core Commands

Identity Audit

# List all users with ARN and creation date
aws iam list-users --query "Users[].{User:UserName,Arn:Arn,Date:CreateDate}" --output table

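# Find active access keys created 90+ days ago (filters on creation date, which does not show whether a key is unused)
# Cutoff is computed with GNU date; on macOS/BSD use: date -u -v-90d +%Y-%m-%d
CUTOFF=$(date -u -d '90 days ago' +%Y-%m-%d)
# Users[].[UserName] prints one user per line, which xargs -I needs
aws iam list-users --query "Users[].[UserName]" --output text | xargs -I {} aws iam list-access-keys --user-name {} --query "AccessKeyMetadata[?Status==\`Active\` && CreateDate < \`${CUTOFF}\`]"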
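
The filter above selects keys by creation date, which says nothing about whether a key is still in use. As an added example (not part of the skill's SKILL.md), the function below checks each active key with aws iam get-access-key-last-used, the call the scan assessment recommends; `stale_access_keys` and `to_num` are hypothetical helper names, and the default cutoff assumes GNU date.

```shell
#!/usr/bin/env bash
# Added example: list active IAM access keys not used since a cutoff date.
# stale_access_keys and to_num are hypothetical helper names (assumptions).

# 2025-03-01T12:00:00+00:00 -> 20250301, so dates compare as integers.
to_num() { printf '%s' "$1" | cut -c1-10 | tr -d '-'; }

# Usage: stale_access_keys [YYYY-MM-DD]
# Default cutoff is 90 days ago, computed with GNU date
# (assumption; on macOS/BSD use: date -u -v-90d +%Y-%m-%d).
stale_access_keys() {
  local cutoff cutoff_num user key created last ref
  cutoff="${1:-$(date -u -d '90 days ago' +%Y-%m-%d)}"
  cutoff_num=$(to_num "$cutoff")

  # Users[].[UserName] makes text output print one user name per line.
  aws iam list-users --query 'Users[].[UserName]' --output text |
  while read -r user; do
    [ -n "$user" ] || continue
    aws iam list-access-keys --user-name "$user" \
      --query "AccessKeyMetadata[?Status=='Active'].[AccessKeyId,CreateDate]" \
      --output text </dev/null |
    while read -r key created; do
      [ -n "$key" ] || continue
      last=$(aws iam get-access-key-last-used --access-key-id "$key" \
        --query 'AccessKeyLastUsed.LastUsedDate' --output text </dev/null)
      # A never-used key prints "None"; judge it by its creation date.
      if [ -z "$last" ] || [ "$last" = "None" ]; then
        ref="$created"; last="never"
      else
        ref="$last"
      fi
      if [ "$(to_num "$ref")" -lt "$cutoff_num" ]; then
        printf '%s\t%s\tlast_used=%s\n' "$user" "$key" "$last"
      fi
    done
  done
}
```

Source the file in a shell with read-only IAM credentials configured and call `stale_access_keys`; each output line is user, key ID and last-use timestamp, tab-separated.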

Role Orchestration

# Assume a role and get temporary credentials
aws sts assume-role --role-arn <role-arn> --role-session-name "OpenClawSession"

# List policies attached to a specific role
aws iam list-attached-role-policies --role-name <role-name> --query "AttachedPolicies[].PolicyName"

Policy Verification

# Get the policy document for a given version (the default version is the one in effect)
aws iam get-policy-version --policy-arn <arn> --version-id <id> --query "PolicyVersion.Document"

🧠 Best Practices

  1. Never use Root: Use IAM users or SSO roles for daily operations.
  2. Short-lived Credentials: Prefer sts assume-role over permanent access keys.
  3. MFA Enforcement: Enable Multi-Factor Authentication for all console and sensitive CLI access.
  4. Access Analyzer: Regularly run IAM Access Analyzer to find unintended public or cross-account access.
