Debug "Access Denied" without guessing which of 47 policies is wrong
Traces the full IAM policy evaluation chain when you hit an Access Denied — identity policies, resource policies, SCPs, permission boundaries — and tells you exactly which policy is blocking and how to fix it.
Create a skill called "Permission Sleuth". Help me debug AWS IAM Access Denied errors and optimize IAM policies:

Mode 1 — Debug: Given an Access Denied scenario (principal, action, resource), trace the full policy evaluation:
1. List all attached identity policies (inline + managed)
2. Check resource-based policies on the target resource
3. Check SCPs at each level of the AWS Organization
4. Check permission boundaries
5. Check session policies if applicable
6. Identify which policy is causing the deny and suggest the fix

Mode 2 — Optimize: Given a role or user:
1. Analyze attached policies for overpermissions
2. If CloudTrail logs are available, compare granted vs. actually-used permissions
3. Generate a least-privilege policy based on actual usage
4. Explain what access would be removed and the risk of each reduction

Explain all policies in plain English alongside the JSON.
AWS IAM policy evaluation involves up to 6 layers of policies interacting. Debugging "Access Denied" means checking all of them. This skill automates the detective work.
Find the 0.0.0.0/0 rule that was "temporary" 3 years ago
Audits AWS security groups and K8s network policies for overly permissive rules, unused rules, and conflicts. Cross-references VPC Flow Logs to identify rules that are never hit and can be safely removed.
Find the 200 orphaned accounts with admin privileges nobody knew about
Audits user accounts, service accounts, and access keys across your cloud and identity providers. Finds orphaned accounts, unused access keys, over-privileged service accounts, and users who left months ago but still have access.
A calm checklist when fraud hits
Immediate steps, reporting sequences, and long-term hardening for scams and identity theft. Organized by urgency so you know what to do first.
Verify brand offers before you click anything
Screens incoming partnership offers for phishing and scam patterns: suspicious domains, attachments, fake checks, requests to "connect your account," and vague contracts. Outputs a risk rating and safe verification steps.