feat: add iam-common-pitfalls skill (#28)

Author: arnewouters

plugins/aws-core/skills/iam-common-pitfalls/SKILL.md

@@ -0,0 +1,99 @@
+---
+name: iam-common-pitfalls
+description: "Verified corrections for IAM behaviors that AI agents frequently get\
+  \ wrong \u2014 policy evaluation edge cases, trust policy gotchas, STS session limits,\
+  \ Organizations quirks, and SAML/MFA specifics. Use alongside documentation when\
+  \ working with IAM roles, policies, STS, or Organizations. Do NOT use for non-IAM\
+  \ authorization like Cognito user-pool policies or app-level RBAC."
+version: 1
+metadata:
+  service: [iam, sts, organizations]
+  task: [configure, secure, audit, debug]
+  persona: [developer, security-engineer, devops]
+  workload: [security]
+---
+
+# AWS IAM — Common Pitfalls
+
+## About This Skill
+
+This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.
+
+When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.
+
+## Verified Edge Cases
+
+**CloudTrail:**
+
+- AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization.
+- ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1. `?region=` forces specific region.
+
+**STS:**
+
+- GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity.
+- Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account.
+- Role chaining: max 1-hour session.
+
+**Organizations:**
+
+- Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close.
+- Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator.
+- AI opt-out policies: management account required by default.
+- Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY.
+
+**SDK Specifics:**
+
+- Organizations: `DuplicatePolicyAttachmentException` (not PolicyAlreadyAttachedException).
+- Boto3 IAM AccessKey: methods are `activate()`, `deactivate()`, `delete()` — NO `update()`.
+- Instance profiles: waiter + `time.sleep(10)` pattern.
+- Managed policy max versions: 5.
+
+**SAML:**
+
+- Encrypted assertions URL: `https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID`.
+- Private key from IdP uploaded to IAM in .pem format.
+
+**Policy Evaluation:**
+
+- ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a `Null` condition in addition to the `ForAllValues` on **the same context key** to require that key to be present and non-null. For example, when evaluating the `aws:TagKeys` context key:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "ec2:RunInstances",
+        "Resource": "*",
+        "Condition": {
+            "ForAllValues:StringEquals": {
+                "aws:TagKeys": ["Alpha", "Beta"]
+            },
+            "Null": {
+                "aws:TagKeys": "false"
+            }
+        }
+    }
+}
+```
+
+- Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account.
+- 8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy.
+- `iam:PassRole` with `Resource: "*"` + create/update on a compute service (EC2 `RunInstances`, Lambda `CreateFunction`/`UpdateFunctionConfiguration`, ECS `RegisterTaskDefinition`, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope `Resource` to specific role ARNs or an IAM path; optionally constrain with `iam:PassedToService` / `iam:AssociatedResourceArn`. See [IAM User Guide — Grant a user permissions to pass a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html).
+
+**MFA:**
+
+- Unassigned virtual MFA devices auto-deleted when adding new ones.
+- MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice.
+
+**SigV4:**
+
+- IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis.
+
+**Service-Specific Roles:**
+
+- Redshift Serverless trust policy: include BOTH `redshift-serverless.amazonaws.com` AND `redshift.amazonaws.com` as service principals (per AWS docs; omitting serverless causes `Not authorized to get credentials of role` on COPY).
+- IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022).
+
+**Policy Summary Display:**
+
+- Single statement with multi-service wildcard actions (e.g. `codebuild:*`, `codecommit:*`) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").

skills/services-and-workloads/iam-common-pitfalls/SKILL.md

@@ -0,0 +1,99 @@
+---
+name: iam-common-pitfalls
+description: "Verified corrections for IAM behaviors that AI agents frequently get\
+  \ wrong \u2014 policy evaluation edge cases, trust policy gotchas, STS session limits,\
+  \ Organizations quirks, and SAML/MFA specifics. Use alongside documentation when\
+  \ working with IAM roles, policies, STS, or Organizations. Do NOT use for non-IAM\
+  \ authorization like Cognito user-pool policies or app-level RBAC."
+version: 1
+metadata:
+  service: [iam, sts, organizations]
+  task: [configure, secure, audit, debug]
+  persona: [developer, security-engineer, devops]
+  workload: [security]
+---
+
+# AWS IAM — Common Pitfalls
+
+## About This Skill
+
+This skill contains verified corrections for things that AI agents frequently get wrong about IAM. It is not a comprehensive IAM guide — for full IAM guidance, search AWS documentation.
+
+When answering IAM questions, verify specific claims (limits, quotas, exact API names, edge-case behaviors) against official AWS documentation rather than relying on pre-training. Prefer fetching known documentation URLs over broad searches. Trust official documentation over memory when they conflict.
+
+## Verified Edge Cases
+
+**CloudTrail:**
+
+- AcceptHandshake/DeclineHandshake logged in ACTING account ONLY, not management account. Organization trail required for centralization.
+- ConsoleLogin region varies by endpoint/cookies, NOT always us-east-1. `?region=` forces specific region.
+
+**STS:**
+
+- GetSessionToken restrictions: (1) No IAM APIs unless MFA included (2) No STS except AssumeRole and GetCallerIdentity.
+- Cross-account AssumeRole to opt-in region: TARGET account must enable region, not calling account.
+- Role chaining: max 1-hour session.
+
+**Organizations:**
+
+- Suspended/closed accounts CANNOT be removed until permanently closed (~90 days). Remove FIRST, then close.
+- Policy management delegation: use PutResourcePolicy, NOT register-delegated-administrator.
+- AI opt-out policies: management account required by default.
+- Organizations policy types for ListPolicies filter: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY, CHATBOT_POLICY, DECLARATIVE_POLICY_EC2, RESOURCE_CONTROL_POLICY.
+
+**SDK Specifics:**
+
+- Organizations: `DuplicatePolicyAttachmentException` (not PolicyAlreadyAttachedException).
+- Boto3 IAM AccessKey: methods are `activate()`, `deactivate()`, `delete()` — NO `update()`.
+- Instance profiles: waiter + `time.sleep(10)` pattern.
+- Managed policy max versions: 5.
+
+**SAML:**
+
+- Encrypted assertions URL: `https://region-code.signin.aws.amazon.com/saml/acs/IdP-ID`.
+- Private key from IdP uploaded to IAM in .pem format.
+
+**Policy Evaluation:**
+
+- ForAllValues with empty/missing key: evaluates to true (vacuous truth). To avoid that, use a `Null` condition in addition to the `ForAllValues` on **the same context key** to require that key to be present and non-null. For example, when evaluating the `aws:TagKeys` context key:
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": {
+        "Effect": "Allow",
+        "Action": "ec2:RunInstances",
+        "Resource": "*",
+        "Condition": {
+            "ForAllValues:StringEquals": {
+                "aws:TagKeys": ["Alpha", "Beta"]
+            },
+            "Null": {
+                "aws:TagKeys": "false"
+            }
+        }
+    }
+}
+```
+
+- Resource-based policies granting to IAM user ARN bypass permissions boundaries in same account.
+- 8 privilege escalation actions via direct IAM policy manipulation: PutGroupPolicy, PutRolePolicy, PutUserPolicy, CreatePolicy, CreatePolicyVersion, AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy.
+- `iam:PassRole` with `Resource: "*"` + create/update on a compute service (EC2 `RunInstances`, Lambda `CreateFunction`/`UpdateFunctionConfiguration`, ECS `RegisterTaskDefinition`, Glue, SageMaker, CloudFormation, etc.) = privilege escalation to any passable role in the account, including Administrator. Scope `Resource` to specific role ARNs or an IAM path; optionally constrain with `iam:PassedToService` / `iam:AssociatedResourceArn`. See [IAM User Guide — Grant a user permissions to pass a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html).
+
+**MFA:**
+
+- Unassigned virtual MFA devices auto-deleted when adding new ones.
+- MFA resync-only policy NotAction needs exactly: iam:ListMFADevices, iam:ListVirtualMFADevices, iam:ResyncMFADevice.
+
+**SigV4:**
+
+- IncompleteSignatureException includes SHA-256 hash of Authorization header for transit modification diagnosis.
+
+**Service-Specific Roles:**
+
+- Redshift Serverless trust policy: include BOTH `redshift-serverless.amazonaws.com` AND `redshift.amazonaws.com` as service principals (per AWS docs; omitting serverless causes `Not authorized to get credentials of role` on COPY).
+- IAM OIDC providers: thumbprints no longer required for most providers (AWS verifies via trusted CAs since 2022).
+
+**Policy Summary Display:**
+
+- Single statement with multi-service wildcard actions (e.g. `codebuild:*`, `codecommit:*`) + service-specific resource ARNs: each resource appears ONLY under its matching service's summary (CodeBuild ARN under CodeBuild, etc.). A resource whose service prefix matches NO action in the statement is the only case where it appears in all action summaries ("mismatched resource").