This is a corrections sheet for IAM gotchas that trip up LLMs: policy evaluation edge cases like ForAllValues with empty keys, the eight privilege escalation paths through direct policy manipulation, role chaining session limits, and Organizations quirks like suspended accounts blocking removal for 90 days. It's narrow by design, covering only verified mistakes agents make repeatedly, not general IAM concepts. Use it when you're debugging weird IAM behavior or building tooling that touches roles, STS, or cross-account access. The CloudTrail logging specifics and service-specific trust policy requirements (like Redshift Serverless needing both service principals) are the kind of details you won't remember until they bite you.
npx skills add https://github.com/aws/agent-toolkit-for-aws --skill aws-iam