IAM Security Reviewer

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Best use case

IAM Security Reviewer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Teams using IAM Security Reviewer should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/security-iam-reviewer/SKILL.md --create-dirs "https://raw.githubusercontent.com/williamzujkowski/cognitive-toolworks/main/skills/security-iam-reviewer/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/security-iam-reviewer/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How IAM Security Reviewer Compares

Feature / AgentIAM Security ReviewerStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Review identity and access management using NIST SP 800-63B guidelines with MFA enforcement, password policy, and least privilege validation.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

## Purpose & When-To-Use

**Trigger conditions:**
- IAM security audit before production deployment
- NIST SP 800-63B compliance requirement
- Post-incident identity and access review
- Privileged access management (PAM) assessment
- Third-party IAM security questionnaire

**Not for:**
- IAM system implementation (provides assessment only)
- Real-time access monitoring (use SIEM/access analytics tools)
- Cloud-specific IAM (use security-cloud-analyzer for AWS/Azure/GCP IAM)
- Application-level authentication (use security-appsec-validator)

---

## Pre-Checks

**Time normalization:**
- Compute `NOW_ET` using NIST/time.gov semantics (America/New_York, ISO-8601): 2025-10-26T01:33:55-04:00
- Use `NOW_ET` for all citation access dates

**Input validation:**
- `identity_provider` must be non-empty string
- `iam_scope` must be one of: [authentication, authorization, accounts, all]
- `authenticator_level` must be one of: [AAL1, AAL2, AAL3] or omitted

**Source freshness:**
- NIST SP 800-63B Digital Identity Guidelines (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-63b/final
- NIST SP 800-53 Rev 5 IAM Controls (accessed 2025-10-26T01:33:55-04:00): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

---

## Procedure

### Step 1: Critical IAM Controls Check

**Authentication:**
1. Multi-factor authentication (MFA) enabled for privileged accounts
2. Password policy compliance per NIST SP 800-63B (accessed 2025-10-26T01:33:55-04:00):
   - Minimum 8 characters (12+ for privileged accounts)
   - No complexity requirements (NIST deprecates forced character mixing)
   - Password breach database checking
   - No periodic password rotation (only change on compromise)
3. Session timeout configured (15-30 minutes for privileged access)
4. Secure session cookies (HttpOnly, Secure, SameSite)

**Authorization:**
1. Least privilege principle applied (no overpermissive roles)
2. Role-based access control (RBAC) or attribute-based access control (ABAC)
3. Separation of duties for critical operations
4. Just-in-time (JIT) access provisioning for privileged operations

**Account Management:**
1. Service account key rotation (90-day max age)
2. Inactive account deactivation (30-60 days of inactivity)
3. Privileged account monitoring and logging
4. No shared accounts for individual users

### Step 2: NIST Authenticator Assurance Level (AAL) Compliance

If `authenticator_level` specified, validate:
- **AAL1:** Single-factor authentication acceptable
- **AAL2:** MFA required (something you know + something you have)
- **AAL3:** Hardware-based authenticator required (FIDO2, smart card)

**Token budgets:**
- **T1:** ≤2k tokens (critical IAM controls)
- **T2:** ≤6k tokens (full IAM audit with NIST AAL compliance)
- **T3:** Not applicable for this skill (use security-auditor agent for comprehensive assessments)

---

## Decision Rules

**Ambiguity thresholds:**
- If IAM configuration unavailable → request policy documents or admin access
- If password policy unclear → request authentication system documentation

**Abort conditions:**
- No identity provider specified → cannot proceed
- No IAM policies or user data accessible → limited to documentation review

**Severity classification:**
- Critical: No MFA on admin accounts, shared credentials (CVSS 9.0-10.0)
- High: Overpermissive policies, no key rotation (CVSS 7.0-8.9)
- Medium: Password policy gaps, missing session timeout (CVSS 4.0-6.9)
- Low: Best practice deviations (CVSS 0.1-3.9)

---

## Output Contract

**Required fields:**
```json
{
  "identity_provider": "string",
  "iam_scope": "authentication|authorization|accounts|all",
  "authenticator_level": "AAL1|AAL2|AAL3 or null",
  "timestamp": "ISO-8601 with timezone",
  "findings": [
    {
      "id": "unique identifier",
      "category": "authentication|authorization|account-management",
      "severity": "critical|high|medium|low",
      "cvss_score": 0.0,
      "title": "brief description",
      "description": "detailed finding",
      "nist_reference": "SP 800-63B section X.Y or SP 800-53 AC-2",
      "affected_accounts": ["account names or roles"],
      "remediation": "specific fix steps",
      "remediation_policy": "IAM policy JSON or config snippet"
    }
  ],
  "nist_aal_compliance": {
    "target_level": "AAL1|AAL2|AAL3",
    "current_level": "AAL1|AAL2|AAL3",
    "compliant": true,
    "gaps": ["list of gaps if not compliant"]
  },
  "summary": {
    "total_findings": 0,
    "critical_count": 0,
    "high_count": 0,
    "overall_risk": "critical|high|medium|low"
  }
}
```

---

## Examples

**Example: MFA Enforcement Check**

```yaml
# Input
identity_provider: "corporate-idp"
iam_scope: "authentication"
authenticator_level: "AAL2"

# Output (abbreviated)
{
  "identity_provider": "corporate-idp",
  "findings": [
    {
      "id": "IAM-001",
      "category": "authentication",
      "severity": "critical",
      "cvss_score": 9.1,
      "title": "MFA not enforced for admin role",
      "nist_reference": "SP 800-63B Section 4.2 (AAL2)",
      "remediation": "Enable MFA requirement for all admin accounts"
    }
  ],
  "nist_aal_compliance": {
    "target_level": "AAL2",
    "current_level": "AAL1",
    "compliant": false,
    "gaps": ["MFA not enforced"]
  },
  "summary": {"critical_count": 1, "overall_risk": "critical"}
}
```

---

## Quality Gates

**Token budgets:**
- T1 ≤2k tokens (critical IAM controls)
- T2 ≤6k tokens (full IAM audit with NIST AAL compliance)

**Safety:**
- No credentials or tokens in examples
- No actual account names in public findings

**Auditability:**
- Findings cite NIST SP 800-63B or SP 800-53 controls
- Password policy recommendations align with current NIST guidance

**Determinism:**
- Same IAM state + inputs = consistent findings

---

## Resources

**NIST Standards:**
- NIST SP 800-63B (Digital Identity Guidelines): https://csrc.nist.gov/publications/detail/sp/800-63b/final (accessed 2025-10-26T01:33:55-04:00)
- NIST SP 800-53 Rev 5 (IAM Controls AC family): https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (accessed 2025-10-26T01:33:55-04:00)

**IAM Best Practices:**
- OWASP Authentication Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html (accessed 2025-10-26T01:33:55-04:00)
- CIS Controls v8 (Access Control): https://www.cisecurity.org/controls (accessed 2025-10-26T01:33:55-04:00)

**Privileged Access:**
- NIST Privileged Account Management: https://csrc.nist.gov/glossary/term/privileged_account (accessed 2025-10-26T01:33:55-04:00)

Related Skills

Software Supply Chain Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate software supply chain security with SBOM generation, dependency scanning, provenance verification, and SLSA attestation.

Operating System Security Hardening Checker

5
from williamzujkowski/cognitive-toolworks

Verify operating system hardening using CIS benchmarks with patch management, kernel hardening, and host-based firewall validation.

Network Security Architecture Validator

5
from williamzujkowski/cognitive-toolworks

Validate network security architecture with firewall rule analysis, segmentation verification, and defense-in-depth assessment.

Cryptographic Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate cryptographic implementations using NIST standards with TLS configuration, cipher suite analysis, and certificate lifecycle checks.

Container Security Checker

5
from williamzujkowski/cognitive-toolworks

Validate container and Kubernetes security using CIS benchmarks with pod security standards, RBAC review, and image vulnerability checks.

Cloud Security Posture Analyzer

5
from williamzujkowski/cognitive-toolworks

Evaluate cloud security posture across AWS, Azure, and GCP with storage exposure checks, IAM policy review, and encryption validation.

Security Assessment Orchestrator

5
from williamzujkowski/cognitive-toolworks

Comprehensive security assessment across application, cloud, container, IAM, network, OS, supply chain, and zero trust using NIST CSF 2.0.

Application Security Validator

5
from williamzujkowski/cognitive-toolworks

Validate application security using OWASP Top 10 2021 and API Security Top 10 guidelines with injection prevention and access control checks.

UX Wireframe Designer

5
from williamzujkowski/cognitive-toolworks

Design user experience wireframes, user flows, and interactive mockups for web and mobile applications using industry-standard notation

TypeScript Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate TypeScript/JavaScript project scaffolding with npm/pnpm/yarn, Jest/Vitest, ESLint/Prettier, and bundling (Vite/Rollup/esbuild).

Python Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Python project scaffolding with Poetry/pipenv, pytest configuration, type hints (mypy), linting (ruff/black), and packaging (setuptools/flit).

Java Tooling Specialist

5
from williamzujkowski/cognitive-toolworks

Generate Java project scaffolding with Maven/Gradle, JUnit 5, Mockito, Checkstyle/SpotBugs, and packaging (JAR/WAR/native-image).