Permission Sleuth
Debug "Access Denied" without guessing which of 47 policies is wrong
Traces the full IAM policy evaluation chain when you hit an Access Denied (identity policies, resource policies, SCPs, permission boundaries, session policies) and tells you which policy is blocking, or that no policy allows the action at all, and how to fix it.
INGREDIENTS
PROMPT
Create a skill called "Permission Sleuth". Help me debug AWS IAM Access Denied errors and optimize IAM policies:

Mode 1 — Debug: Given an Access Denied scenario (principal, action, resource), trace the full policy evaluation:
1. List all attached identity policies (inline + managed)
2. Check resource-based policies on the target resource
3. Check SCPs at each level of the AWS Organization
4. Check permission boundaries
5. Check session policies if applicable
6. Identify which policy is causing the deny and suggest the fix

Mode 2 — Optimize: Given a role or user:
1. Analyze attached policies for overpermissions
2. If CloudTrail logs are available, compare granted vs. actually-used permissions
3. Generate a least-privilege policy based on actual usage
4. Explain what access would be removed and the risk of each reduction

Explain all policies in plain English alongside the JSON.
How It Works
Up to six policy types can take part in evaluating a single request: SCPs and
resource control policies from the organization, the resource-based policy on
the target, the principal's identity-based policies, its permissions boundary
and any session policy. An explicit Deny in any of them wins. Otherwise the
request is denied by default unless every layer that applies allows it, so an
Access Denied can come from a Deny statement or simply from a layer that never
mentions the action (the implicit deny). Debugging "Access Denied" means
checking all of them, in that order. This skill automates the detective work.
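The walk described above, as an added Python example written for this page (it is not the Permission Sleuth skill's own code and not an AWS tool). It evaluates one request against every layer in the documented same-account order and reports which layer blocked it and whether the block was an explicit Deny or an implicit one. Simplifications: no Condition keys, no cross-account rules, one merged SCP per organization level, and the role-ARN versus session-ARN nuance for resource policies under session policies is not modelled. The account number, role, bucket, queue and policy names are made up.

```python
"""Offline trace of the IAM policy evaluation chain for one request.
Added worked example for this page, not the Permission Sleuth skill's own code
and not an AWS tool. Same-account order per AWS docs: explicit deny, SCPs,
resource-based policy, identity policies, permissions boundary, session policy.
Simplified: no Condition keys, one merged SCP per OU level, made-up ARNs."""
import fnmatch


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value):  # IAM glob ('*', '?'); action names are case-insensitive
    return fnmatch.fnmatchcase(value.lower(), str(pattern).lower())


def _statement_applies(stmt, action, resource, principal_arn):
    p = stmt.get("Principal")  # absent in identity policies, required in resource policies
    if p not in (None, "*"):
        if not any(_match(a, principal_arn) for a in _as_list(p.get("AWS", []))):
            return False
    if "NotAction" in stmt:
        if any(_match(a, action) for a in _as_list(stmt["NotAction"])):
            return False
    elif not any(_match(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    return any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*")))


def evaluate_policy(policy, action, resource, principal_arn):
    """'Deny' if an applicable statement denies, 'Allow' if one allows,
    None when nothing matches (that is the implicit deny)."""
    verdict = None
    for stmt in _as_list(policy.get("Statement", [])):
        if _statement_applies(stmt, action, resource, principal_arn):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def trace_request(principal_arn, action, resource, identity_policies,
                  scps=None, resource_policy=None, boundary=None, session_policy=None):
    """identity_policies and scps are {name: policy}; the rest are single policies.
    Returns {'verdict', 'layer', 'blocked_by', 'explicit', 'trace'}."""
    scps = scps or {}
    layers = [("identity", n, p) for n, p in identity_policies.items()]
    layers += [("scp", n, p) for n, p in scps.items()]
    layers += [(k, k + "-policy", p) for k, p in (("resource", resource_policy),
               ("boundary", boundary), ("session", session_policy)) if p]
    res = {(k, n): evaluate_policy(p, action, resource, principal_arn) for k, n, p in layers}

    def done(verdict, layer=None, name=None, explicit=False):
        return {"verdict": verdict, "layer": layer, "blocked_by": name, "explicit": explicit,
                "trace": [(k, n, r or "NoMatch") for (k, n), r in res.items()]}

    for (k, n), r in res.items():            # 1. an explicit Deny anywhere wins
        if r == "Deny":
            return done("Deny", k, n, explicit=True)
    for n in scps:                            # 2. every SCP level must allow
        if res[("scp", n)] != "Allow":
            return done("Deny", "scp", n)
    if res.get(("resource", "resource-policy")) == "Allow":
        return done("Allow")                  # 3. same-account resource policy grant suffices
    if "Allow" not in [res[("identity", n)] for n in identity_policies]:
        return done("Deny", "identity", "identity-policies")   # 4. no identity Allow at all
    for k in ("boundary", "session"):         # 5. boundary / session policy must also allow
        if (k, k + "-policy") in res and res[(k, k + "-policy")] != "Allow":
            return done("Deny", k, k + "-policy")
    return done("Allow")


# Constructed demo inputs (made-up account, role, bucket and queue names).
ROLE = "arn:aws:iam::123456789012:role/AppRole"
QUEUE = "arn:aws:sqs:us-east-1:123456789012:jobs"
S3_ALL = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DEV_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                                    "Resource": ["arn:aws:s3:::dev-*", "arn:aws:s3:::dev-*/*"]}]}
ORG_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                         {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
QUEUE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ROLE},
                               "Action": "sqs:SendMessage", "Resource": QUEUE}]}


def demo():
    """Four requests whose callers all just see 'Access Denied' (or not)."""
    base = dict(identity_policies={"AppPolicy": S3_ALL}, scps={"root-ou": ORG_SCP})
    return {
        "boundary": trace_request(ROLE, "s3:GetObject", "arn:aws:s3:::prod-data/report.csv",
                                  boundary=DEV_ONLY_BOUNDARY, **base),
        "scp-explicit": trace_request(ROLE, "s3:DeleteBucket", "arn:aws:s3:::dev-scratch", **base),
        "no-allow": trace_request(ROLE, "sqs:SendMessage", QUEUE, **base),
        "resource-grant": trace_request(ROLE, "sqs:SendMessage", QUEUE, resource_policy=QUEUE_POLICY, **base),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:15} {r['verdict']:5} layer={r['layer']} explicit={r['explicit']}")
```

The four demo requests show why guessing fails: the identity policy grants `s3:*` in every case, yet one request is stopped by a boundary that never mentions the bucket (implicit), one by an explicit Deny in the SCP, one because no identity policy covers SQS at all, and the last succeeds only because the queue's resource policy names the role. For real policies with Condition keys, run the same inputs through the IAM policy simulator rather than extending this model.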
What You Get
- Full policy chain trace for a given principal and action
- Identification of the denying policy (SCP, permission boundary, resource policy, or identity policy), or of the implicit deny when no policy allows the action at all
- Least-privilege policy generation from CloudTrail usage data
- Overpermission analysis for existing roles/users
- Policy simplification (consolidate overlapping statements)
- Plain-English explanation of what the policy allows and denies
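The overpermission analysis and least-privilege generation listed above, as an added Python example for this page (not the skill's own code; IAM Access Analyzer's policy generation from CloudTrail is the managed equivalent). It reads CloudTrail records, keeps the successful calls made by one role, reports which granted Allow patterns were never exercised, and drafts a policy scoped to the actions and ARNs actually seen. The records, role, account and policy are constructed here; the mapping of IAM action to `<eventSource prefix>:<eventName>` is an assumption that holds for most APIs but not all, so treat the output as a draft to review.

```python
"""Mode 2 of the page: derive a least-privilege policy from CloudTrail usage.
Added example, not the Permission Sleuth skill's own code. The CloudTrail
records below are constructed. The IAM action is assumed to be
'<eventSource prefix>:<eventName>', which holds for most APIs but not every
one, so the generated policy is a draft to review, not to apply blindly."""
import fnmatch
from collections import defaultdict


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _record(service, name, role, arns=(), error=None):
    """Minimal CloudTrail record carrying only the fields this script reads."""
    rec = {"eventSource": f"{service}.amazonaws.com", "eventName": name,
           "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
               {"type": "Role", "userName": role,
                "arn": f"arn:aws:iam::123456789012:role/{role}"}}},
           "resources": [{"ARN": a} for a in arns]}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed trail: two S3 data events, one SQS call, one denied IAM call,
# and one call by a different role that must be ignored.
SAMPLE_TRAIL = [
    _record("s3", "GetObject", "AppRole", ["arn:aws:s3:::prod-data/report.csv", "arn:aws:s3:::prod-data"]),
    _record("s3", "GetObject", "AppRole", ["arn:aws:s3:::prod-data/summary.csv", "arn:aws:s3:::prod-data"]),
    _record("sqs", "SendMessage", "AppRole", ["arn:aws:sqs:us-east-1:123456789012:jobs"]),
    _record("iam", "CreateUser", "AppRole", error="AccessDenied"),
    _record("s3", "PutObject", "BatchRole", ["arn:aws:s3:::prod-data/out.csv"]),
]

# Constructed policy currently attached to AppRole: far broader than its usage.
GRANTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "dynamodb:GetItem"], "Resource": "*"},
]}


def action_from_event(ev):
    service = ev["eventSource"].split(".")[0]   # "s3.amazonaws.com" -> "s3"
    return f"{service}:{ev['eventName']}"       # assumption: eventName == IAM action


def role_of(ev):
    """Role behind an assumed-role session (None for other identity types)."""
    ident = ev["userIdentity"]
    if ident.get("type") != "AssumedRole":
        return None
    return ident["sessionContext"]["sessionIssuer"]["userName"]


def used_permissions(events, role_name):
    """{action: set(ARNs)} for calls by role_name. AccessDenied calls are
    attempts, not permissions the workload holds, so they are skipped; other
    errors (e.g. NoSuchKey) were authorized and still count as usage."""
    used = defaultdict(set)
    for ev in events:
        if role_of(ev) != role_name or ev.get("errorCode") == "AccessDenied":
            continue
        used[action_from_event(ev)].update(r["ARN"] for r in ev.get("resources", []))
    return used


def grant_coverage(policy, used):
    """For each Allow action pattern in the policy, the observed actions it
    covers; an empty list means the grant was never exercised in the window."""
    coverage = {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            coverage[pattern] = sorted(a for a in used
                                       if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return coverage


def least_privilege_policy(used):
    """One Allow statement per observed action, scoped to the ARNs CloudTrail
    recorded; actions whose events carried no resources fall back to '*'."""
    statements = [{"Effect": "Allow", "Action": action, "Resource": sorted(arns) or "*"}
                  for action, arns in sorted(used.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def audit(events, role_name, policy):
    used = used_permissions(events, role_name)
    coverage = grant_coverage(policy, used)
    return {"used": {a: sorted(r) for a, r in used.items()},
            "coverage": coverage,
            "unused_grants": sorted(p for p, acts in coverage.items() if not acts),
            "policy": least_privilege_policy(used)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_TRAIL, "AppRole", GRANTED), indent=2))
```

Two things to do by hand before applying the draft: generalize object-level ARNs to a prefix pattern (`arn:aws:s3:::prod-data/*`) or the next deploy will break, and check the log window is long enough to include periodic jobs, since anything that did not run during the window shows up as an unused grant. The `coverage` map is the input for the "risk of each reduction" discussion: a pattern like `s3:*` that covers only `s3:GetObject` is the overpermission, and the patterns with empty coverage are the ones to cut first.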
Setup Steps
- Provide the IAM principal (role, user), the action attempted, and the resource
- Or paste the Access Denied error verbatim together with the relevant policies; current AWS error messages name the policy type involved (for example "because no identity-based policy allows the s3:GetObject action" or "with an explicit deny in a service control policy"), which narrows the search immediately
- Review the diagnosis and apply the fix
Tips
- SCPs are the most commonly missed blocker: they are attached in the organization's management account and never appear on the principal's page in the IAM console, so check them explicitly (they also do not apply to the management account itself)
- Permission boundaries are another quiet deny source: a boundary can only narrow access, so an action the identity policy allows but the boundary never mentions is still denied, with no Deny statement anywhere to find
- For least-privilege generation you need CloudTrail logs of actual usage; a trail records management events only by default, so enable data events (S3 object-level, DynamoDB item-level) for the services that matter, and note that IAM Access Analyzer can generate a policy from CloudTrail activity for you
- Ask your Claw to explain any policy in plain English; IAM JSON is hard to read
- Review service-linked roles: their permission policies are defined by the owning AWS service and can be viewed but not edited, and SCPs do not apply to them, so a deny involving one has to be traced to the caller's side