auditing-access-controlClaude Skill

Access Control Auditing

Overview

Audit access control implementations across codebases, cloud configurations, and application layers for security vulnerabilities and policy violations. This skill targets IAM policies, ACLs, RBAC configurations, file permissions, and API authorization logic to identify privilege escalation paths, overly permissive grants, and violations of the principle of least privilege.

Prerequisites

• Access to the target codebase and configuration files in ${CLAUDE_SKILL_DIR}/
• Familiarity with the authorization model in use (RBAC, ABAC, ACL, or IAM)
• grep, find, and standard shell utilities available via Bash
• For cloud audits: CLI tools such as aws iam, gcloud, or az role installed and authenticated
• Reference: ${CLAUDE_SKILL_DIR}/references/README.md for IAM best practices, ACL vulnerability patterns, and NIST/GDPR access control standards

Instructions

1. Enumerate all access control definitions by scanning for IAM policy files, RBAC configuration, ACL definitions, middleware authorization checks, and .htaccess or equivalent files using Glob and Grep.
2. Map each role or principal to its granted permissions, building a permission matrix that identifies which subjects access which resources at which privilege level.
3. Evaluate each permission grant against the principle of least privilege -- flag any wildcard permissions (*), overly broad resource scopes, or administrative access granted to non-admin roles.
4. Check for separation of duties violations where a single role combines mutually exclusive privileges (e.g., both "create user" and "approve user").
5. Identify privilege escalation paths by tracing role inheritance chains, looking for roles that can modify their own permissions or assume higher-privileged roles.
6. Inspect API route handlers and middleware for missing or inconsistent authorization checks -- compare route definitions against their corresponding auth guards.
7. Verify that default-deny is enforced: confirm that unauthenticated or unauthorized requests are rejected unless explicitly allowed.
8. Cross-reference findings against compliance requirements (NIST AC-1 through AC-25, GDPR Article 25, SOC 2 CC6.1) and flag gaps.
9. Classify each finding by severity (critical, high, medium, low) based on exploitability and blast radius.
10. Generate a remediation plan with specific configuration changes, code patches, or policy updates for each finding.

Output

• Permission matrix: Role-to-resource mapping table showing all grants
• Findings report: Each finding includes severity, affected resource, description, CWE reference (e.g., CWE-269 Improper Privilege Management, CWE-285 Improper Authorization), and remediation steps
• Compliance gap analysis: Checklist of NIST SP 800-53 AC controls and GDPR access control requirements with pass/fail status
• Privilege escalation paths: Diagram or list of role chains that enable escalation
• Executive summary: Total findings by severity, top risks, and recommended priority actions

Error Handling

Error	Cause	Solution
Permission denied reading config files	Insufficient filesystem access	Run with elevated permissions or request read access to the target directory
IAM CLI command not found	Cloud CLI tools not installed	Install aws-cli, gcloud, or az and authenticate before running cloud audits
Empty role/permission scan results	Incorrect glob patterns for the framework	Adjust search patterns to match the target framework (e.g., @Roles() for NestJS, [Authorize] for .NET)
Timeout scanning large codebases	Too many files in scope	Narrow the scan scope with --exclude patterns for node_modules, vendor, or dist directories
Inconsistent policy format	Mixed IAM policy versions or formats	Normalize policies to a single format before analysis; flag format inconsistencies in the report

Examples

Auditing a Node.js Express API

Scan route definitions in ${CLAUDE_SKILL_DIR}/src/routes/ for missing authorization middleware. Grep for router.post, router.put, router.delete and verify each has a corresponding authMiddleware or requireRole() call. Flag any state-changing endpoint lacking authorization as CWE-862 (Missing Authorization), severity high.

Reviewing AWS IAM Policies

Parse all JSON policy files in ${CLAUDE_SKILL_DIR}/infra/iam/. Flag policies containing "Effect": "Allow" with "Resource": "*" or "Action": "*" as CWE-269 (Improper Privilege Management), severity critical. Recommend scoping to specific ARNs and actions per the principle of least privilege.

RBAC Configuration Audit

Analyze role definitions in ${CLAUDE_SKILL_DIR}/config/roles.yaml. Build a permission matrix, identify roles with overlapping admin-level privileges, and flag any role that can both create and approve its own resources as a separation-of-duties violation (NIST AC-5), severity medium.

Resources

• OWASP Access Control Cheat Sheet
• NIST SP 800-53 AC Controls
• CWE-269: Improper Privilege Management
• CWE-285: Improper Authorization
• CWE-862: Missing Authorization