
aws-iam-best-practices

IAM policy review, hardening, and least privilege implementation

49

Quality

37%

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Security by Snyk

Passed

No known issues


Quality

Discovery

32%

Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.

The description identifies a clear domain (IAM policy) with some relevant actions but lacks a 'Use when...' clause, reducing its effectiveness for skill selection. It would benefit from explicit trigger guidance, platform specificity, and more natural user-facing keywords to improve discoverability and reduce ambiguity.

Suggestions

Add an explicit 'Use when...' clause, e.g., 'Use when the user asks about IAM policies, AWS permissions, role access review, or implementing least privilege.'

Include common user-facing trigger terms and variations such as 'AWS IAM', 'permissions', 'access control', 'security policies', 'role permissions', '.json policy files'.

Expand the concrete actions listed, e.g., 'Audits IAM role permissions, identifies overly permissive policies, generates least-privilege scoped policies, and recommends policy hardening steps.'

Dimension | Score | Reasoning

Specificity | 2 / 3 | Names the domain (IAM policy) and some actions (review, hardening, least privilege implementation), but doesn't list multiple concrete granular actions like 'audit role permissions, remove unused policies, generate scoped policy documents'.

Completeness | 1 / 3 | Describes what the skill does but completely lacks a 'Use when...' clause or any explicit trigger guidance for when Claude should select this skill. Per rubric guidelines, a missing 'Use when...' clause caps completeness at 2, and since the 'what' is also only moderately detailed, this scores a 1.

Trigger Term Quality | 2 / 3 | Includes relevant keywords like 'IAM policy', 'least privilege', and 'hardening', but misses common user variations such as 'AWS IAM', 'permissions', 'access control', 'security policy', 'role permissions', or 'policy audit'.

Distinctiveness Conflict Risk | 2 / 3 | IAM policy is a reasonably specific domain, but without specifying the platform (AWS, GCP, Azure) or explicit triggers, it could overlap with general security review or cloud configuration skills.

Total: 7 / 12

Passed

Implementation

42%

Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.

The skill provides genuinely useful, executable code for IAM auditing and hardening, which is its strongest aspect. However, it suffers from significant verbosity by explaining IAM concepts Claude already knows, and it's a monolithic document that should be split into a concise overview with references to detailed sub-files. The workflow could benefit from explicit sequencing and validation checkpoints for the overall IAM review process.

Suggestions

Remove the 'Core Principles', 'When to Use', 'Example Prompts', and 'Best Practices' sections — Claude already knows IAM fundamentals. Keep only the actionable scripts, templates, and checklist.

Split content into separate files: AUDIT_SCRIPTS.md (bash commands), POLICY_TEMPLATES.md (JSON policies), HARDENING_SCRIPT.md (Python), and keep SKILL.md as a concise overview with references.

Add an explicit sequenced workflow for conducting a full IAM review (e.g., 1. Run audit scripts → 2. Review findings → 3. Apply fixes → 4. Validate changes → 5. Generate report) with validation checkpoints.

For the key rotation workflow, add explicit validation steps: deactivate old key → wait/test → confirm applications work → only then delete old key, with rollback instructions if tests fail.

Dimension | Score | Reasoning

Conciseness | 1 / 3 | The skill is extremely verbose at ~300+ lines. It explains basic IAM concepts Claude already knows (what least privilege means, what MFA is, what defense in depth is), includes a 'When to Use' section that's unnecessary, lists 'Example Prompts' and 'Best Practices' bullet points that are common knowledge, and has a 'Kiro CLI Integration' section that adds little value. The core principles section is entirely redundant for Claude.

Actionability | 3 / 3 | The skill provides fully executable bash scripts and Python code for IAM auditing, concrete JSON policy templates that are copy-paste ready, and specific AWS CLI commands with proper query syntax. The automated hardening script is complete and runnable.

Workflow Clarity | 2 / 3 | While individual scripts and checks are clear, there's no overall sequenced workflow for conducting an IAM review. The checklist is helpful but lacks explicit validation steps or feedback loops. For destructive operations like key rotation, the sequence mentions testing but doesn't enforce a validate-then-proceed pattern rigorously.

Progressive Disclosure | 1 / 3 | This is a monolithic wall of content with everything inline — bash scripts, Python scripts, JSON policy templates, checklists, and best practices all in one file. The policy templates, the Python hardening script, and the detailed bash audit commands should be split into separate referenced files. The Additional Resources links at the bottom are external only.

Total: 7 / 12

Passed

Validation

90%

Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.

Validation: 10 / 11 Passed

Validation for skill structure

Criteria | Result | Description

frontmatter_unknown_keys | Warning | Unknown frontmatter key(s) found; consider removing or moving to metadata

Total: 10 / 11

Passed

Repository
boisenoise/skills-collections
Reviewed
