Audit access control implementations for security vulnerabilities and misconfigurations. Use when reviewing authentication and authorization. Trigger with 'audit access control', 'check permissions', or 'validate authorization'.
Audit access control implementations across codebases, cloud configurations, and
application layers for security vulnerabilities and policy violations. This skill
targets IAM policies, ACLs, RBAC configurations, file permissions, and API
authorization logic to identify privilege escalation paths, overly permissive
grants, and violations of the principle of least privilege.
Prerequisites
Access to the target codebase and configuration files in ${CLAUDE_SKILL_DIR}/
Familiarity with the authorization model in use (RBAC, ABAC, ACL, or IAM)
grep, find, and standard shell utilities available via Bash
For cloud audits: CLI tools such as aws iam, gcloud, or az role installed and authenticated
Reference: ${CLAUDE_SKILL_DIR}/references/README.md for IAM best practices, ACL vulnerability patterns, and NIST/GDPR access control standards
Instructions
Enumerate all access control definitions by scanning for IAM policy files, RBAC configuration, ACL definitions, middleware authorization checks, and .htaccess or equivalent files using Glob and Grep.
Map each role or principal to its granted permissions, building a permission matrix that identifies which subjects access which resources at which privilege level.
Evaluate each permission grant against the principle of least privilege -- flag any wildcard permissions (*), overly broad resource scopes, or administrative access granted to non-admin roles.
Check for separation of duties violations where a single role combines mutually exclusive privileges (e.g., both "create user" and "approve user").
Identify privilege escalation paths by tracing role inheritance chains, looking for roles that can modify their own permissions or assume higher-privileged roles.
Inspect API route handlers and middleware for missing or inconsistent authorization checks -- compare route definitions against their corresponding auth guards.
Verify that default-deny is enforced: confirm that unauthenticated or unauthorized requests are rejected unless explicitly allowed.
Cross-reference findings against compliance requirements (NIST AC-1 through AC-25, GDPR Article 25, SOC 2 CC6.1) and flag gaps.
Classify each finding by severity (critical, high, medium, low) based on exploitability and blast radius.
Generate a remediation plan with specific configuration changes, code patches, or policy updates for each finding.
Output
Permission matrix: Role-to-resource mapping table showing all grants
Findings report: Each finding includes severity, affected resource, description, CWE reference (e.g., CWE-269 Improper Privilege Management, CWE-285 Improper Authorization), and remediation steps
Compliance gap analysis: Checklist of NIST SP 800-53 AC controls and GDPR access control requirements with pass/fail status
Privilege escalation paths: Diagram or list of role chains that enable escalation
Executive summary: Total findings by severity, top risks, and recommended priority actions
Error Handling
Error
Cause
Solution
Permission denied reading config files
Insufficient filesystem access
Run with elevated permissions or request read access to the target directory
IAM CLI command not found
Cloud CLI tools not installed
Install aws-cli, gcloud, or az and authenticate before running cloud audits
Empty role/permission scan results
Incorrect glob patterns for the framework
Adjust search patterns to match the target framework (e.g., @Roles() for NestJS, [Authorize] for .NET)
Timeout scanning large codebases
Too many files in scope
Narrow the scan scope with --exclude patterns for node_modules, vendor, or dist directories
Inconsistent policy format
Mixed IAM policy versions or formats
Normalize policies to a single format before analysis; flag format inconsistencies in the report
Examples
Auditing a Node.js Express API
Scan route definitions in ${CLAUDE_SKILL_DIR}/src/routes/ for missing authorization
middleware. Grep for router.post, router.put, router.delete and verify
each has a corresponding authMiddleware or requireRole() call. Flag any
state-changing endpoint lacking authorization as CWE-862 (Missing Authorization),
severity high.
Reviewing AWS IAM Policies
Parse all JSON policy files in ${CLAUDE_SKILL_DIR}/infra/iam/. Flag policies containing
"Effect": "Allow" with "Resource": "*" or "Action": "*" as CWE-269
(Improper Privilege Management), severity critical. Recommend scoping to specific
ARNs and actions per the principle of least privilege.
RBAC Configuration Audit
Analyze role definitions in ${CLAUDE_SKILL_DIR}/config/roles.yaml. Build a permission
matrix, identify roles with overlapping admin-level privileges, and flag any role
that can both create and approve its own resources as a separation-of-duties
violation (NIST AC-5), severity medium.